Need Help to protect against spammer

Discussion in 'Windows Small Business Server' started by thejamie, Jul 1, 2008.

  1. thejamie

    thejamie Guest

    First off - not sure spammer is what this is, so I need someone to help me
    clarify. Mail was denied to ATTNET because my server was reported for
    spamming, so I am watching my ISA firewall closely. Here is what I notice.

    Someone is hitting my wireless workgroup network at 192.168.z.z from MSN
    Messenger. Destination IP is a Microsoft IP starting 205... and protocol is
    MSN Messenger. I noticed that my 64-bit XP laptop on this workgroup (which
    is always logged into my SBS network via VPN) did not have its guest account
    disabled - it is disabled now. Finally, the external address it tries to
    reach is an IP produced by the DNS from the wireless router's NAT list (as
    above, 192.168.z.z).

    The next event that appears to define the attack is a call to the localhost
    over a port from IP 255.255.255.255:port (UDP)

    And then there is the one call from a specific IP address (starts with 69)
    (From Rackspace.com, Ltd. out of San Antonio, but need more information to
    know if they are hacked too or if they are the spammer)... The 69 IP is the
    external source, the 192.168.z.z mentioned above is the Destination.

    Fortunately ISA is blocking this pattern, which occurs probably three or four
    times in a row in a second or two and then repeats a few seconds later. ISA
    refers to it as Unidentified traffic and denies it, but I find it odd that the
    pattern recurs so frequently, and so my question is: could this be my spammer?
    Please note, there are other attacks as well as this one, most of them
    originating from addresses in China, but they are more random and appear to only be
    probing. The one from 69.x.x.x is far more persistent.

    Can anyone tell me what else to look for?
    --
    Regards,
    Jamie
     
    thejamie, Jul 1, 2008
    #1
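The question at the end of this post (what else to look for) is in practice a log-triage problem: separating a source that hits in short bursts again and again from one-off probes, which is the distinction the post draws between the 69.x.x.x source and the random addresses from China. The Python below is an added example and is not part of the original thread. It runs over constructed denied-traffic records in a simplified "date time src:port dst:port proto action" layout (not ISA Server's actual log format); every address is made up, with RFC 5737 documentation ranges standing in for the external sources. It also drops 255.255.255.255 as a source, because no Internet host can send from the limited-broadcast address, so such records are local chatter rather than an attacker. Burst window, minimum hits and minimum recurring bursts are tunable assumptions.

```python
"""Triage denied firewall records: which external sources hit in repeated bursts?

Added example with constructed data. The log layout below is simplified
(not ISA Server's real format) and every address is fictitious.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: one source hammering the same port in bursts of 3-4
# hits within a second or two, repeating every few seconds; two single-shot
# probes from other addresses; and one UDP record sourced from the
# limited-broadcast address, which is local traffic, not an Internet host.
SAMPLE_LOG = """\
2008-07-01 10:00:00 198.51.100.7:41000 192.168.1.20:1025 TCP denied
2008-07-01 10:00:00 198.51.100.7:41001 192.168.1.20:1025 TCP denied
2008-07-01 10:00:01 198.51.100.7:41002 192.168.1.20:1025 TCP denied
2008-07-01 10:00:01 198.51.100.7:41003 192.168.1.20:1025 TCP denied
2008-07-01 10:00:03 203.0.113.9:5555 192.168.1.20:445 TCP denied
2008-07-01 10:00:06 198.51.100.7:41004 192.168.1.20:1025 TCP denied
2008-07-01 10:00:06 198.51.100.7:41005 192.168.1.20:1025 TCP denied
2008-07-01 10:00:07 198.51.100.7:41006 192.168.1.20:1025 TCP denied
2008-07-01 10:00:09 255.255.255.255:1947 192.168.1.20:1947 UDP denied
2008-07-01 10:00:12 198.51.100.7:41007 192.168.1.20:1025 TCP denied
2008-07-01 10:00:12 198.51.100.7:41008 192.168.1.20:1025 TCP denied
2008-07-01 10:00:13 198.51.100.7:41009 192.168.1.20:1025 TCP denied
2008-07-01 10:00:20 203.0.113.44:6000 192.168.1.20:135 TCP denied
"""

# Ranges that are never "an external attacker": RFC 1918 space, loopback,
# the unspecified address and the limited-broadcast address. Listed
# explicitly rather than via ip.is_private, which would also swallow the
# RFC 5737 documentation ranges used for the sample's external sources.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/32", "255.255.255.255/32")]


def parse_line(line):
    """Parse one 'date time src:port dst:port proto action' record."""
    date, time, src, dst, proto, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "src": src_ip, "src_port": int(src_port),
        "dst": dst_ip, "dst_port": int(dst_port),
        "proto": proto, "action": action,
    }


def is_external(ip_str):
    """True if the address is outside every range in INTERNAL_NETS."""
    ip = ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def find_bursts(timestamps, window_seconds=2, min_hits=3):
    """Group sorted timestamps into runs where every hit falls within
    window_seconds of the run's first hit; return (start, count) for each
    run with at least min_hits."""
    bursts, run = [], []
    for ts in sorted(timestamps):
        if run and (ts - run[0]).total_seconds() > window_seconds:
            if len(run) >= min_hits:
                bursts.append((run[0], len(run)))
            run = []
        run.append(ts)
    if len(run) >= min_hits:
        bursts.append((run[0], len(run)))
    return bursts


def summarize(log_text, window_seconds=2, min_hits=3, min_bursts=2):
    """Per external source: denied hit count, burst count and a verdict:
    'persistent' when the burst pattern recurs, otherwise 'probe'."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "denied" and is_external(rec["src"]):
            by_src[rec["src"]].append(rec["ts"])
    report = {}
    for src, stamps in by_src.items():
        bursts = find_bursts(stamps, window_seconds, min_hits)
        report[src] = {
            "hits": len(stamps),
            "bursts": len(bursts),
            "verdict": "persistent" if len(bursts) >= min_bursts else "probe",
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} hits={info['hits']:3} bursts={info['bursts']} {info['verdict']}")
```

On the constructed sample the bursting source is reported as persistent with three bursts, the two single-shot sources as probes, and the broadcast-sourced record never reaches the report. A persistent verdict on its own does not say which side is compromised, which is the open question in the post about the Rackspace address; it only tells you which source deserves the next look.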

  2. thejamie

    thejamie Guest

    OK, forget this. That was a malware called Korolev and it was embedded in
    C:\Windows\Expand.exe. I've never heard of it and couldn't find much on
    the internet about it, but a 64-bit firewall called COMODO found it. It
    seems a bit suspicious that there is nothing on the internet about Korolev
    malware embedded in the Windows Expand.exe.
    --
    Regards,
    Jamie

    thejamie, Jul 2, 2008
    #2
