A week ago, we had an employee click on an email link that installed a trojan horse on her computer. That computer started spitting out spam through port 25 until I caught it. I have since blocked that port from forwarding outside our network. I have also added logging to note when a computer attempts to forward to an outside IP through 25.
About once an hour, I have noticed that the Shoretel VM machine is trying to contact the following IPs:
To 64.18.6.10 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 64.18.6.11 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 64.18.6.13 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 64.18.6.14 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 209.181.247.105 - 510 packets
Service: smtp (tcp/25) - 510 packets
Whois shows me that it is an email company called Postini which is an email hosting service in Nor Cal.
My question: how can I find out the app that is responsible for sending this type of traffic out? I have looked through the event viewer (Windows Server 2003) and it shows me that the SMTP event has failed (over and over) but does not list the offending app.
All that is running on the box is LogMeIn, RMS (call accounting software), and of course Shoretel VM.
Shutting off LogMeIn and RMS doesn't seem to affect the transmissions.
Thanks in advance.
Brad
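One way to answer this question, added here as an example and not taken from the post or from any vendor: on Windows Server 2003, `netstat -ano` prints the owning PID next to each connection and `tasklist /fo csv /nh` maps PIDs to image names, so joining the two outputs names the process holding connections to remote port 25. The script below does that join on constructed sample output (the process name "vmail.exe" and all PIDs are made up) so it runs offline; on the real box you would feed it the saved output of those two commands.

```python
import re
from collections import defaultdict

# Constructed sample output of `netstat -ano` (Windows Server 2003 layout); not from the post.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  TCP    192.168.1.20:1089      64.18.6.10:25          SYN_SENT        1412
  TCP    192.168.1.20:1090      209.181.247.105:25     SYN_SENT        1412
  TCP    192.168.1.20:3389      192.168.1.5:51022      ESTABLISHED     1048
  UDP    0.0.0.0:161            *:*                                    1220
"""

# Constructed sample output of `tasklist /fo csv /nh`; "vmail.exe" is a made-up image name.
TASKLIST_SAMPLE = '''"svchost.exe","832","Console","0","5,120 K"
"svchost.exe","1048","Console","0","7,400 K"
"snmp.exe","1220","Console","0","3,900 K"
"vmail.exe","1412","Console","0","12,300 K"
'''


def parse_netstat(text):
    """Return (proto, foreign_ip, foreign_port, state, pid) for each TCP/UDP row.
    UDP rows have no State column, so the PID is always taken from the last field."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the header and blank lines
        ip, _, port = parts[2].rpartition(":")  # rpartition survives "*:*"
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append((parts[0], ip, port, state, int(parts[-1])))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from the CSV (no-header) tasklist output."""
    return {int(m.group(2)): m.group(1)
            for m in re.finditer(r'^"([^"]+)","(\d+)"', text, re.M)}


def processes_talking_to_port(netstat_text, tasklist_text, port="25"):
    """Return {image name: sorted remote IPs} for TCP connections to the given remote port."""
    names = parse_tasklist(tasklist_text)
    hits = defaultdict(set)
    for proto, ip, rport, _state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and rport == port:
            hits[names.get(pid, "PID %d" % pid)].add(ip)
    return {name: sorted(ips) for name, ips in hits.items()}
```

Because the connections are short-lived (the attempts fail and retry), capture `netstat -ano` in a loop for a few minutes or use `netstat -anob`, which prints the image name directly on Server 2003 when run as an administrator.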