Need Help to protect against spammer

thejamie
      07-01-2008
First off - not sure spammer is what this is, so I need someone to help me
clarify. Mail was denied to ATTNET because my server was reported for
spamming, so I am watching my ISA firewall closely. Here is what I notice.

Someone is hitting my wireless workgroup network at 192.168.z.z from MSN
Messenger. Destination IP is a Microsoft IP starting 205... and protocol is
MSN Messenger. I noticed that my 64-bit XP laptop on this workgroup (which
is always logged into my SBS network via VPN) did not have its guest account
disabled - it is disabled now. Finally, the external address it tries to
reach is an IP produced by the DNS from the wireless router's NAT list (as
above, 192.168.z.z).

The next event that appears to define the attack is a call to the localhost
over a port from IP 255.255.255.255:Port (UDP)

And then there is the one call from a specific IP address (starts with 69)
(From Rackspace.com, Ltd. out of San Antonio, but need more information to
know if they are hacked too or if they are the spammer)... The 69 IP is the
external source, the 192.168.z.z mentioned above is the Destination.

Fortunately ISA is blocking this pattern, which occurs probably three or four
times in a row in a second or two and then repeats a few seconds later. ISA
refers to it as Unidentified traffic and denies it, but I find it odd that the
pattern recurs so frequently, and so my question is: could this be my spammer?
Please note, there are other attacks as well as this one, most of them
originating from addresses in China, but they are more random and appear to only be
probing. The one from 69.x.x.x is far more persistent.

Can anyone tell me what else to look for?
--
Regards,
Jamie
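The observation above (short bursts of denied packets from one external address, repeating every few seconds, versus random one-off probes) is the kind of pattern a small log-bucketing script can surface. The following is an added example, not code from the original post; it uses a constructed, simplified denied-connection log format (not ISA Server's real log layout) and documentation-range addresses in place of the real ones.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (simplified format, not ISA Server's own):
# date time source_ip destination_ip protocol action
# 198.51.100.69 stands in for the persistent "69.x.x.x" source in the thread;
# the 203.0.113.x entries stand in for the random single probes.
SAMPLE_LOG = """\
2008-07-01 10:15:03 198.51.100.69 192.168.1.20 UDP Denied
2008-07-01 10:15:03 198.51.100.69 192.168.1.20 UDP Denied
2008-07-01 10:15:04 198.51.100.69 192.168.1.20 UDP Denied
2008-07-01 10:15:04 198.51.100.69 192.168.1.20 UDP Denied
2008-07-01 10:15:09 198.51.100.69 192.168.1.20 UDP Denied
2008-07-01 10:15:09 198.51.100.69 192.168.1.20 UDP Denied
2008-07-01 10:15:10 198.51.100.69 192.168.1.20 UDP Denied
2008-07-01 10:15:30 203.0.113.7 192.168.1.20 TCP Denied
2008-07-01 10:16:12 203.0.113.9 192.168.1.21 TCP Denied
"""

def parse(text):
    """Parse the constructed log format into (timestamp, src, dst, proto, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, proto, action = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, src, dst, proto, action))
    return events

def find_bursts(events, window_s=2, min_hits=3):
    """Return {src: number_of_bursts} for sources that produced at least
    min_hits denied events inside a window_s-second window. A source with
    several such bursts is persistent rather than a one-off probe."""
    by_src = defaultdict(list)
    for ts, src, _dst, _proto, action in events:
        if action == "Denied":
            by_src[src].append(ts)
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        count, i = 0, 0
        while i < len(times):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= min_hits:
                count += 1
                i = j          # skip past the whole burst
            else:
                i += 1
        if count:
            bursts[src] = count
    return bursts
```

Sources returned by `find_bursts` are the ones worth correlating with outbound traffic from the destination host, which is where the poster eventually found the answer.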
thejamie
      07-02-2008
OK, forget this. That was a malware called Korolev and it was embedded in
the C:\Windows\Expand.exe. I've never heard of it and couldn't find much on
the internet about it but a 64 bit firewall called COMODO found it. It
seems a bit suspicious that there is nothing on the internet about Korolev
malware embedded in the Windows Expand.exe.
--
Regards,
Jamie


"thejamie" wrote:

> First off - not sure spammer is what this is, so I need someone to help me
> clarify. Mail was denied to ATTNET because my server was reported for
> spamming, so I am watching my ISA firewall closely. Here is what I notice.
>
> Someone is hitting my wireless workgroup network at 192.168.z.z from MSN
> Messenger. Destination IP is a Microsoft IP starting 205... and protocol is
> MSN Messenger. I noticed that my 64-bit XP laptop on this workgroup (which
> is always logged into my SBS network via VPN) did not have its guest account
> disabled - it is disabled now. Finally, the external address it tries to
> reach is an IP produced by the DNS from the wireless router's NAT list (as
> above, 192.168.z.z).
>
> The next event that appears to define the attack is a call to the localhost
> over a port from IP 255.255.255.255:Port (UDP)
>
> And then there is the one call from a specific IP address (starts with 69)
> (From Rackspace.com, Ltd. out of San Antonio, but need more information to
> know if they are hacked too or if they are the spammer)... The 69 IP is the
> external source, the 192.168.z.z mentioned above is the Destination.
>
> Fortunately ISA is blocking this pattern, which occurs probably three or four
> times in a row in a second or two and then repeats a few seconds later. ISA
> refers to it as Unidentified traffic and denies it, but I find it odd that the
> pattern recurs so frequently, and so my question is: could this be my spammer?
> Please note, there are other attacks as well as this one, most of them
> originating from addresses in China, but they are more random and appear to only be
> probing. The one from 69.x.x.x is far more persistent.
>
> Can anyone tell me what else to look for?
> --
> Regards,
> Jamie