
I am managing a Win Server 2008 system with a number of hosted web sites. Recently I found that something was sending spam through our SMTP server. The logs indicate that the connections were being made to our localhost port 25 SMTP server...which was configured to allow un-authenticated relaying. We are now requiring authentication even on 127.0.0.1:25 so the outgoing spam is blocked, but the connection attempts continue.

My guess is that one of our client's web scripts has been hacked and is being used to forward spam through our SMTP server.

Are there any tools that can be used to pin down what process, or better yet, which executable is making connections to a specific web port?

I have looked at the windows firewall logs, as suggested in this Server Fault question, but that does not list the process ID which is making connections.

Of course it is possible that I am barking up the wrong tree here, so any other advice would be appreciated too.

Al Crowley
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – EEAA Apr 08 '13 at 01:48
  • @EEAA A script sending spam from a hosted website is not the same as a compromised server. – HopelessN00b Apr 08 '13 at 02:20
  • Check procmon and/or process explorer from the Sysinternals suite for more in-depth monitoring and tracking of your server's processes. – HopelessN00b Apr 08 '13 at 02:21
  • @HopelessN00b - it might not be, but I'd not be willing to take that chance. – EEAA Apr 08 '13 at 02:30
  • See also [What PID is making outbound connections on port 25](https://serverfault.com/questions/498454/what-pid-is-making-outbound-connections-on-port-25). – Vadzim Jun 02 '17 at 17:50

3 Answers


netstat -b -o lists the network connections, process and PID - you should be able to figure out which IIS worker process is doing all the port 25 connections.

Christopher_G_Lewis
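A scripted version of this lookup, added here as an illustration rather than code from the answer: it runs `netstat -ano`, keeps the TCP connections whose remote port is 25, and resolves each owning PID through WMI to its executable and, for IIS worker processes, to the application pool named on the w3wp.exe command line. It assumes an elevated PowerShell prompt on the Server 2008 host (it avoids Get-NetTCPConnection, which only exists from Server 2012 on); the port number and column handling are the only things taken from how netstat prints.

```powershell
# Added example (not from the original answer): map connections to remote TCP port 25
# back to the owning process, its executable and, for IIS, the application pool.
# Works on Windows Server 2008 / PowerShell 2.0. Run from an elevated prompt so the
# executable path and command line of every process are readable.

$TargetPort = 25

# Parse 'netstat -ano' lines of the form:
#   TCP    127.0.0.1:49157    127.0.0.1:25    ESTABLISHED    1234
# IPv6 endpoints look like [::1]:25, so the port is whatever follows the last colon.
# Filtering on the REMOTE port keeps the client side of each loopback connection and
# excludes the SMTP server's own listening and accepted sockets (local port 25).
$connections = netstat -ano | ForEach-Object {
    $fields = ($_.Trim() -split '\s+')
    if ($fields[0] -eq 'TCP' -and $fields.Count -ge 5) {
        $remote = $fields[2]
        $port = [int]($remote.Substring($remote.LastIndexOf(':') + 1))
        if ($port -eq $TargetPort) {
            New-Object PSObject -Property @{
                LocalAddress  = $fields[1]
                RemoteAddress = $remote
                State         = $fields[3]
                PID           = [int]$fields[4]
            }
        }
    }
}

# Look each PID up once. Win32_Process gives the executable path and the full command
# line; IIS 7 starts worker processes as  w3wp.exe -ap "<AppPool>" ...  so the pool
# name tells you which hosted site's scripts are opening the connections.
$report = $connections | Group-Object PID | ForEach-Object {
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.Name)"
    $appPool = $null
    if ($proc -and $proc.CommandLine -match '-ap\s+"([^"]+)"') { $appPool = $Matches[1] }
    New-Object PSObject -Property @{
        PID         = [int]$_.Name
        Process     = $(if ($proc) { $proc.Name } else { '<exited>' })
        Executable  = $(if ($proc) { $proc.ExecutablePath } else { $null })
        AppPool     = $appPool
        Connections = $_.Count
    }
}

$report | Sort-Object Connections -Descending |
    Format-Table PID, Process, AppPool, Connections, Executable -AutoSize
```

netstat only shows connections that are open at that moment, so run this repeatedly (or in a loop) while the spam is actually flowing, and correlate with the timestamps in the SMTP server log. `%windir%\system32\inetsrv\appcmd list wp` is an independent cross-check: it lists every running worker process PID together with its application pool. Note that plain `netstat -b` also needs an elevated prompt and can take a long time on a busy server because it resolves every connection to a module name.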

Are you sure your server is no longer relaying spam? If you are sure it isn't, then the problem probably was just that it was an open relay. However, if you feel that some websites may be allowing spam to be sent some other way, then read on.

You may want to consider your server compromised, in which case follow the advice in the article marked as a possible duplicate above.

However, if you feel it is quite likely that a script from one of your users is the cause, either because it has been hacked, or more likely that it is just poorly written allowing Email Injection type attacks:

In order to prevent your server getting blacklisted affecting all your customers, you should probably block all outgoing traffic on port 25 as soon as possible to prevent spam going out.

You are then going to have to audit all the scripts on the server to make sure they aren't vulnerable to this type of attack. See this question on Security for details of how to protect PHP scripts.

dunxd
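As an added triage aid (my own example, not part of this answer): a PowerShell script that locates every mail() call in the hosted PHP scripts and flags the ones that pass request input into the call without any visible CR/LF check, which is the pattern behind e-mail header injection. The web root paths and the list of "defence" patterns are assumptions; a defence pattern anywhere in the file does not prove it is applied to that call, so flagged files still need to be read.

```powershell
# Added example (not from the original answer): heuristic scan of hosted PHP scripts
# for e-mail header injection risk. For each mail() call it records whether request
# input ($_GET/$_POST/$_REQUEST/$_COOKIE) appears inside the call and whether the
# file shows any sign of rejecting or stripping \r / \n. First pass only.

$WebRoots = @('C:\inetpub\wwwroot', 'D:\Sites')   # assumed locations of the hosted sites

$superglobals = '\$_(GET|POST|REQUEST|COOKIE)\b'

# Source patterns typical of code that defends against header injection
# (assumed list; extend it for the frameworks your customers use).
$defences = @(
    'preg_match\s*\([^)]*\\[rn]',                       # preg_match('/[\r\n]/', ...)
    'FILTER_VALIDATE_EMAIL',                            # filter_var($x, FILTER_VALIDATE_EMAIL)
    'str_replace\s*\(\s*(array\s*\()?\s*["'']\\[rn]',   # str_replace(array("\r","\n"), ...)
    'strpos\s*\([^)]*["'']\\[rn]'                       # strpos($x, "\n")
)

function Test-PhpMailCall {
    param([string]$Path)
    $text = [IO.File]::ReadAllText($Path)
    $hasDefence = $false
    foreach ($d in $defences) { if ($text -match $d) { $hasDefence = $true; break } }

    foreach ($m in [regex]::Matches($text, '\bmail\s*\(')) {
        # Take the call text up to the next semicolon (or 600 chars if there is none),
        # which is enough to catch arguments spread over several lines.
        $rest = $text.Substring($m.Index)
        $end = $rest.IndexOf(';')
        if ($end -lt 0 -or $end -gt 600) { $end = [Math]::Min(600, $rest.Length) }
        $call = $rest.Substring(0, $end)

        $usesRequest = [bool]($call -match $superglobals)
        $risk = 'LOW'
        if ($usesRequest) {
            if ($hasDefence) { $risk = 'REVIEW' } else { $risk = 'HIGH' }
        }

        New-Object PSObject -Property @{
            Risk        = $risk
            File        = $Path
            Line        = ($text.Substring(0, $m.Index) -split "`n").Count
            UsesRequest = $usesRequest
            HasDefence  = $hasDefence
            Modified    = (Get-Item $Path).LastWriteTime   # recently changed = possibly tampered
        }
    }
}

$results = foreach ($root in $WebRoots) {
    if (Test-Path $root) {
        Get-ChildItem $root -Recurse -Include *.php,*.phtml,*.inc -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { Test-PhpMailCall $_.FullName }
    }
}

$results | Sort-Object Risk, File |
    Format-Table Risk, File, Line, UsesRequest, HasDefence, Modified -AutoSize
```

Start with the HIGH rows and with anything whose Modified time is recent and unexplained; a script that was edited after the spam started is a candidate for the "hacked" case rather than the "poorly written" one. The scan looks only at PHP's mail() and will miss libraries such as PHPMailer or ASP.NET's SmtpClient, so treat an empty result as inconclusive.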

You can use network sniffer tools that pinpoint, at process level, which one is sending what. You can also filter if needed.

Some examples:
  • Network Monitor 3.4 (Microsoft): outdated, but works well.
  • Fiddler
  • ... (most probably others)

Give Network Monitor a try and within 15 minutes you will know where to look next.

jcuypers