Need Help to protect against spammer

Discussion in 'Windows Small Business Server' started by thejamie, Jul 1, 2008.

  1. thejamie

    thejamie Guest

    First off, I'm not sure "spammer" is what this is, so I need someone to help me
    clarify. Mail was denied to ATTNET because my server was reported for
    spamming, so I am watching my ISA firewall closely. Here is what I notice.

    Someone is hitting my wireless workgroup network at 192.168.z.z from MSN
    Messenger. The destination IP is a Microsoft IP starting with 205..., and the
    protocol is MSN Messenger. I noticed that my 64-bit XP laptop on this workgroup
    (which is always logged into my SBS network via VPN) did not have its guest
    account disabled; it is disabled now. Finally, the external address it tries to
    reach is an IP produced by the DNS from the wireless router's NAT list (as
    above, 192.168.z.z).

    The next event that appears to define the attack is a call to the localhost
    over a port from IP 255.255.255.255:port (UDP).

    And then there is the one call from a specific IP address (starts with 69;
    from Rackspace.com, Ltd. out of San Antonio, but I need more information to
    know if they are hacked too or if they are the spammer). The 69 IP is the
    external source; the 192.168.z.z mentioned above is the destination.

    Fortunately, ISA is blocking this pattern, which occurs probably three or four
    times in a row in a second or two and then repeats a few seconds later. ISA
    refers to it as unidentified traffic and denies it, but I find it odd that the
    pattern recurs so frequently, and so my question is: could this be my spammer?
    Please note, there are other attacks as well as this one, most of them
    originating from addresses in China, but they are more random and appear to
    only be probing. The one from 69.x.x.x is far more persistent.

    Can anyone tell me what else to look for?
     
    thejamie, Jul 1, 2008
    #1

  2. thejamie

    thejamie Guest

    OK, forget this. That was malware called Korolev, and it was embedded in
    C:\Windows\Expand.exe. I've never heard of it and couldn't find much on the
    internet about it, but a 64-bit firewall called COMODO found it. It seems a
    bit suspicious that there is nothing on the internet about Korolev malware
    embedded in the Windows Expand.exe.
     
    thejamie, Jul 2, 2008
    #2
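The two things a practitioner would want to check on a server that has been reported for spamming and that has a suspect copy of Expand.exe are (a) whether the host itself is opening outbound SMTP connections from something other than the mail server, and (b) whether the Expand.exe on disk still carries a valid Microsoft Authenticode signature. The script below is an added example, not code from the thread or from any of the tools named in it. It assumes a Windows host with PowerShell 5.1 or later (Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older hosts use netstat -ano instead). It checks both the path the poster named, C:\Windows\Expand.exe, and %SystemRoot%\System32\expand.exe, which is where Windows ships expand.exe; the remote-port list is an assumption.

```powershell
# Added example, not from the original thread. Assumes PowerShell 5.1+ on the
# affected Windows host. Paths and the SMTP port list are assumptions.

# (a) Established outbound connections to SMTP ports, with the owning process.
#     A spamming host typically shows many of these from a process that is not
#     the mail server (and often from a path under %WINDIR% or a user profile).
function Get-OutboundSmtp {
    $smtpPorts = 25, 465, 587    # assumed list of ports worth watching
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $smtpPorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
}

# (b) Signature and hash of expand.exe at the path named in the post and at the
#     location Windows ships it. Get-AuthenticodeSignature also consults the
#     catalog signatures that most Windows system binaries rely on, so a clean
#     Microsoft file reports Status 'Valid'; 'NotSigned' or 'HashMismatch' on a
#     file under %SystemRoot% is a strong sign it has been replaced or patched.
function Test-ExpandIntegrity {
    $candidates = @(
        (Join-Path $env:SystemRoot 'Expand.exe'),           # path given in the post
        (Join-Path $env:SystemRoot 'System32\expand.exe')   # where Windows ships it
    )
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Present = $false; Status = $null; Signer = $null; SHA256 = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path    = $path
            Present = $true
            Status  = $sig.Status
            Signer  = $sig.SignerCertificate.Subject
            SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

Get-OutboundSmtp     | Format-Table -AutoSize
Test-ExpandIntegrity | Format-List
```

Run it from an elevated prompt so that Get-Process can resolve the executable path of every owning process. A file that is present at C:\Windows\Expand.exe at all is worth keeping for analysis before deleting it, since the stock binary lives in System32; compare the SHA256 against a known-good copy from an identical, patched Windows build rather than against a hash found online.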
