Archived from groups: comp.security.firewalls
Bluto wrote:
> John wrote:
>
>> I noticed a lot of SMTP activity from a workstation that should not be
>> sending that much email. When I asked the user about it, they reported
>> that they had not been sending email at all. I have scanned the machine
>> for viruses, and it appears to come up negative.
>>
>> Is there another explanation for this activity?
>>
>> John
>
>
> OK. Let's see.
>
> 1. The machine is doing outbound connects to port 25.
1 - How do you know this machine is doing outbound connects to port 25?
Ever hear of source address spoofing?
> 2. The machine is a workstation, and should not be doing outbounds
> to 25.
2 - Any email client that sends messages makes outbound SMTP connections
unless it's using IMAP. POP3 doesn't accept messages. I can configure
mozilla to send SMTP to any number of hosts.
> 3. The user reports that HE's not running any processes that
> would go outbound to 25.
>
>
> 4. Therefore, it's VERY likely that there's a NON-user process
> (ie, server) doing outbounds to 25.
>
>
> 5. But, server processes on workstations going outbound to 25
> are almost ALWAYS trojans / viruses / or rogue servers
> controlled by third parties.
> 6. Therefore, your user's workstation almost certainly has
> "trojans / viruses / or rogue servers controlled by
> third parties".
>
>
> 7. But, your virus scanner isn't finding anything.
> 8. However, most virus scanners will NOT detect trojans or
> installed rogue servers, AND many times will not detect
> recently discovered viruses. Further, much recent malware
> mucks around with any security processes you have running.
8 - Any virus scanner that doesn't find a trojan is worthless. You pay
for them to detect these things, don't you?
> 9. Therefore, your user's workstation is VERY likely infected
> and / or controlled by a virus or third party process
> your scanner doesn't detect, or has been prevented from
> detecting.
>
>
> 10. Consequently, most likely you don't need another "explanation
> for this activity", you just need other scanning methods
> or tools. ZoneAlarm, Kerio or whatever, will often detect
> any outbound malware processes IF installed after the
> malware is -- safemode installation is your best bet. The
> Sysinternals "autoruns" program will allow you to ID anything
> that's autoloaded at startup. Knoppix will let you boot,
> and examine the drive for files that shouldn't be there.
> If the drive has a FAT32 filesystem, you can also delete
> the alien files; if you have NTFS filesystems, you may be
> able to install and run the recovery console, etc.
10 - My suggestion - run a packet sniffer (ethereal works nicely) and
check the packets. Look for the MAC that's sending the messages. Then,
if your switch is manageable, look up the port(s) that are using that
MAC address. That will identify which workstation is sending the
traffic. Then, start debugging the workstation. Chances are that it's
not the machine you might think it is.
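The approach in the last reply (sniff the traffic, then identify the sender by MAC rather than by IP) as an added example, not code from the thread: a Python script that parses constructed tcpdump -e style capture lines, counts new SMTP connections per sending MAC and source IP, and flags source IPs that appear behind more than one MAC. All addresses, MACs and frames below are constructed; in practice the MAC is then looked up in the switch's forwarding table as the reply describes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample capture in tcpdump -e style (link-layer addresses shown).
# 10.0.0.5 is the workstation blamed for the SMTP traffic, but frames carrying
# that source IP arrive from two different MACs, i.e. one of them is not that host.
SAMPLE_CAPTURE = """\
10:00:01.000100 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.0.0.5.49152 > 192.0.2.10.25: Flags [S], seq 1
10:00:01.000200 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.0.0.5.49153 > 192.0.2.11.25: Flags [S], seq 1
10:00:01.000300 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.0.0.5.49154 > 192.0.2.12.25: Flags [S], seq 1
10:00:01.000400 00:11:22:33:44:66 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.0.0.5.49155 > 198.51.100.7.25: Flags [S], seq 1
10:00:02.000100 00:11:22:33:44:66 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.0.0.9.40001 > 198.51.100.9.80: Flags [S], seq 1
10:00:02.000200 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 66: 10.0.0.5.49152 > 192.0.2.10.25: Flags [.], ack 1
"""

# Timestamp, source MAC > destination MAC, IPv4 marker, src ip.port > dst ip.port, TCP flags.
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_frames(text):
    """Yield one dict per recognised frame line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            yield m.groupdict()

def smtp_connect_attempts(text, smtp_port="25"):
    """Count new SMTP connections (bare TCP SYN) per (sending MAC, source IP)."""
    attempts = Counter()
    for f in parse_frames(text):
        if f["dport"] == smtp_port and f["flags"] == "S":
            attempts[(f["smac"], f["sip"])] += 1
    return attempts

def macs_per_source_ip(text):
    """Map each source IP to the set of MACs that have put it on the wire."""
    seen = defaultdict(set)
    for f in parse_frames(text):
        seen[f["sip"]].add(f["smac"])
    return dict(seen)

def suspected_spoofed_ips(text):
    """Source IPs seen from more than one MAC: the IP alone does not identify the sender."""
    return sorted(ip for ip, macs in macs_per_source_ip(text).items() if len(macs) > 1)

if __name__ == "__main__":
    for (mac, ip), n in smtp_connect_attempts(SAMPLE_CAPTURE).most_common():
        print(f"{mac} as {ip}: {n} new SMTP connection(s)")
    print("source IPs seen from more than one MAC:", suspected_spoofed_ips(SAMPLE_CAPTURE))
```

The MACs printed per source IP are the values to look up on a managed switch to find the physical port, which is what ties the traffic to a machine.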