
Possible Bot infected a computer - Why?

We have a computer that appears to be spamming out through port 25 although Sophos is up to date and running. Why?

Sincerely,

Ken



  • Hello Ken, there will always be new threats (at least in the near future) and some will evade scanners (at first). It's like flu shots - from time to time a new strain appears and the existing sera have no effect. You should try to assess what the computer is actually doing - and if there's some undetected rogue process then it's time for the "why".

    Christian
  • What had caused it was an employee brought in their computer from home with Sophos up to date and it was acting like a virus was on it so I used the SAV32CLI safe mode command prompt method to scan it.  The scan came up clean.

    Against my better judgement I rebooted and connected it to the network.  Shortly after that our emails were getting blocked by our clients because of spam.  I immediately unplugged it and got us off the spam blockers, but this morning I found ourselves back on the black lists.  I then checked our Firewall and found that one computer had a lot of SMTP activity overnight and removed it from the network.  Now we haven't got any SMTP traffic from the workstations, like it's supposed to be.

    I have scanned the offending computers 3 times now and still nothing found, but if I tether through my cell phone they will start connecting to SMTP again.

    Sincerely,

    Ken

  • Hi,

    As a quick test I would fire up Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) on the computer, connect it to the network, disconnect it again shortly after, then analyze what took place.  You can see all the processes that came and went, but most importantly you can see the process or processes that sent traffic.

    Hope it helps.

    Regards,

    Jak

  • DECODE PID to Network service.

    At the command prompt on the offending system....

    netstat -ano > netstat.txt
    tasklist > tasklist.txt
    notepad tasklist.txt
    notepad netstat.txt

    Once you find the offending process PID, do

    netstat -b

    which should give you the offending binary.exe's and established connections.

    From here it just depends on your company's policies for remediation / risk management.

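The PID-to-process correlation described in the last post, done in one step as an added example (not from the thread or from Sophos): it parses `netstat -ano` on the host, keeps only TCP connections whose remote port is 25, and resolves each PID to its image name and path. It assumes a Windows host with PowerShell 5.1 or later; `netstat -b` itself needs an elevated prompt, which this script does not require.

```powershell
# Added example: list the processes on this host that hold TCP connections
# to remote port 25 (SMTP), i.e. the candidates for an outbound spam bot.
# Reads the built-in netstat.exe, so it works without elevation.

function Get-SmtpConnectionOwner {
    param([int]$Port = 25)   # remote port of interest; 25 = SMTP

    # `netstat -ano` TCP columns: Proto, Local Address, Foreign Address, State, PID
    $tcpLines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }

    foreach ($line in $tcpLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }

        # Foreign address is host:port; IPv6 hosts are bracketed, so the
        # port is whatever follows the last colon.
        $remote     = $f[2]
        $remotePort = [int]$remote.Substring($remote.LastIndexOf(':') + 1)
        if ($remotePort -ne $Port) { continue }

        # Resolve the PID; the process may already have exited.
        $procId = [int]$f[4]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name   = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $path   = if ($proc -and $proc.Path) { $proc.Path } else { '<n/a>' }

        [pscustomobject]@{
            PID     = $procId
            Process = $name
            Path    = $path
            Local   = $f[1]
            Remote  = $remote
            State   = $f[3]
        }
    }
}

# One row per connection, then a per-process count so a single binary
# fanning out to many mail servers stands out immediately.
$conns = Get-SmtpConnectionOwner -Port 25
$conns | Sort-Object PID | Format-Table -AutoSize
$conns | Group-Object PID, Process |
    Select-Object @{n='PID/Process'; e={$_.Name}}, @{n='Connections'; e={$_.Count}} |
    Format-Table -AutoSize
```

A legitimate mail client normally shows a handful of connections to one known server; a user-profile or temp-folder executable with dozens of connections to unrelated hosts is the process to isolate and submit for analysis.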