I was notified by my ISP that one of my machines is sending out spam. This happened about 3 months ago on a Windows machine running Cygwin that was hacked due to an SSH vuln.
The hackers set up IIS and SMTP. I cleared out the machine and all the services are disabled, so I think that machine is okay.
I am wondering if there is any other way to identify which machine it could be coming from?
The ISP has NO useful information such as source port, destination port, destination IP... nothing.
I am running DD-WRT on my router, a Windows 7 PC and a Windows XP PC.
It's the only way to be sure. – Zoredache – 2010-03-16T21:41:41.020
@Zoredache, absolutely. And when you gauge the price of rebuilding a machine after a nuke and the time taken to fix it, it makes much more economic sense to just re-image it. Especially once you factor in the potential cost to the company by letting an infected machine onto a corporate network. – Mark Henderson – 2010-03-16T21:57:40.923
+1 nuke that sucka :) ... and something constructive: If DD-WRT can do netflow that would be an alternative way to see who is sending a whole bunch of SMTP traffic – Zypher – 2010-03-16T22:10:43.153
+1, and you should be blocking outgoing port 25 from any machine except your mail server! – James – 2010-03-16T22:13:39.220
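Putting Zypher's "see who is sending a whole bunch of SMTP traffic" idea and James's port-25 rule together, here is an added example (my own, not code from any of the commenters or from DD-WRT). It assumes a hypothetical LAN where `br0` is the DD-WRT LAN bridge and `192.168.1.10` is the one host allowed to send mail directly; the log lines are constructed in the iptables `LOG` target format so the parser can be run offline. The first function emits the two rules you would paste into the DD-WRT firewall script (log every outbound TCP/25 attempt, then drop any that does not come from the mail server); the second tallies the logged attempts per internal source address, which is exactly the "which machine is it" answer the ISP could not give.

```python
import re
from collections import Counter

# Hypothetical values: adjust to your own LAN. br0 is DD-WRT's default LAN
# bridge; MAIL_SERVER is the only host permitted to speak outbound SMTP.
LAN_IF = "br0"
MAIL_SERVER = "192.168.1.10"
LOG_PREFIX = "SMTP-OUT"


def firewall_rules(mail_server=MAIL_SERVER, lan_if=LAN_IF):
    """Return the iptables commands for the DD-WRT firewall script.

    Explicit positions matter: rule 1 logs every outbound connection attempt
    to TCP/25 (rate-limited so a spambot cannot flood syslog), rule 2 drops
    the attempt unless it comes from the mail server. Inserting the DROP at
    position 2 keeps it behind the LOG rule, so the offending host is still
    recorded before its traffic is blocked.
    """
    return [
        f"iptables -I FORWARD 1 -i {lan_if} -p tcp --dport 25 "
        f"-m limit --limit 10/min -j LOG --log-prefix \"{LOG_PREFIX} \"",
        f"iptables -I FORWARD 2 -i {lan_if} -p tcp --dport 25 "
        f"! -s {mail_server} -j DROP",
    ]


# Fields written by the iptables LOG target; only SRC and DPT are needed here.
LOG_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)")


def smtp_sources(log_lines, prefix=LOG_PREFIX):
    """Count logged outbound TCP/25 attempts per internal source address.

    Returns a list of (source_ip, count) pairs, busiest first. Lines without
    our prefix (other firewall log lines) and non-25 ports are ignored.
    """
    counts = Counter()
    for line in log_lines:
        if prefix not in line:
            continue
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            counts[m.group("src")] += 1
    return counts.most_common()


def suspects(log_lines, mail_server=MAIL_SERVER):
    """Sources that attempted outbound SMTP and are not the mail server."""
    return [(ip, n) for ip, n in smtp_sources(log_lines) if ip != mail_server]


# Constructed sample of DD-WRT syslog output (kernel LOG target format).
# 192.168.1.105 is the host a spambot would make stand out.
SAMPLE_LOG = """\
Mar 16 22:10:43 DD-WRT kernel: SMTP-OUT IN=br0 OUT=vlan2 SRC=192.168.1.105 DST=203.0.113.5 LEN=60 TTL=127 PROTO=TCP SPT=49152 DPT=25 SYN
Mar 16 22:10:43 DD-WRT kernel: SMTP-OUT IN=br0 OUT=vlan2 SRC=192.168.1.105 DST=198.51.100.9 LEN=60 TTL=127 PROTO=TCP SPT=49153 DPT=25 SYN
Mar 16 22:10:44 DD-WRT kernel: SMTP-OUT IN=br0 OUT=vlan2 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=25 SYN
Mar 16 22:10:45 DD-WRT kernel: SMTP-OUT IN=br0 OUT=vlan2 SRC=192.168.1.105 DST=192.0.2.77 LEN=60 TTL=127 PROTO=TCP SPT=49154 DPT=25 SYN
Mar 16 22:10:46 DD-WRT kernel: WEB-OUT IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 TTL=128 PROTO=TCP SPT=50123 DPT=80 SYN
"""

if __name__ == "__main__":
    print("# paste into DD-WRT Administration -> Commands -> Firewall:")
    for rule in firewall_rules():
        print(rule)
    print("# outbound SMTP attempts per LAN host (from the sample log):")
    for ip, n in smtp_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip:16s} {n}")
    print("# suspects (not the mail server):", suspects(SAMPLE_LOG.splitlines()))
```

On a live router, feed the parser the output of `dmesg` or the remote syslog DD-WRT can ship to a LAN host; one internal address producing dozens of distinct-destination TCP/25 attempts per minute is the infected machine, whatever the ISP knows.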
@James, I don't know if I agree with that rule - a lot of companies permit personal mail accounts (or at the very least, don't have a policy denying it). This kills sending out through anything but the company server. It's just as annoying when ISPs deny you port 25 access to anywhere off their network. – Mark Henderson – 2010-03-16T22:46:17.600
Annoying, for sure, but I'd rather be a little bit annoying than have spam coming from my network. I don't have a problem with personal email accounts - they can either relay through the corporate server or use port 587 to their provider's SMTP server – James – 2010-03-16T23:14:39.473
After you've sealed off port 25 except for your mail servers, check them to ensure they are neither infected nor acting as a relay. Also, get back to the ISP and try to get more info, like source IP trail. – mpez0 – 2010-03-17T01:43:37.737