Full Version: Zombie Spam Server
BleepingComputer.com > Security > AntiVirus, Firewall and Privacy Products and Protection Methods
BanditFlyer
I have an actual server that looks like it's trying to send spam. It is running Win2K Server edition. The machine is behind a firewall and has Symantec AV. It looks like SAV is keeping the outgoing messages from going out.

I have been running Kaspersky for about the past 3.5 hours (this is a server, so it's going to take a while), and it hasn't found anything substantial yet - only a few email viruses in some old PST files backed up to a shared drive years ago.

I can't figure out how to attach a screen capture of the Symantec AV messages that pop up, so for now I will just post the text of those messages:

"Your email message to
airmj2313@yahoo.com.tw
with the subject of
<bunch of strange characters I don't want to try to replicate on my keyboard>
was unable to be sent because the connection to the mail server was interrupted. Please open your email client and resend the message from the Sent Messages folder."

Anyone know of any scans that would find (and kill) zombie email server programs?
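An added example, not part of the original thread and not something the posters or BleepingComputer supplied: the fingerprint of a spam zombie as seen from the firewall the server sits behind. A legitimate mail server opens SMTP (TCP/25) connections to its smarthost or a handful of MX hosts; a bot fans out to many distinct external addresses in a short window. The log format and all addresses below are constructed for the example (assumption), so adapt LINE_RE to whatever your firewall actually writes.

```python
"""Spam-zombie fan-out detector run over firewall log lines.

Added example, not from the original thread or any of the posters. The tell of
a spam bot on an internal host is one source opening SMTP (TCP/25) connections
to many distinct external addresses in a short window; a legitimate mail server
talks only to its smarthost or a handful of MX hosts. The log format below is
a constructed generic one (assumption); adapt LINE_RE to your firewall's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real log data): 10.0.0.5 plays the Win2K box,
# 10.0.0.2 is the assumed internal smarthost, 10.0.0.20 a normal workstation.
SAMPLE_LOG = """\
2008-03-11 14:02:01 src=10.0.0.5 dst=203.0.113.10 dport=25 action=deny
2008-03-11 14:02:01 src=10.0.0.5 dst=203.0.113.11 dport=25 action=deny
2008-03-11 14:02:03 src=10.0.0.5 dst=203.0.113.12 dport=25 action=deny
2008-03-11 14:02:15 src=10.0.0.20 dst=10.0.0.2 dport=25 action=allow
2008-03-11 14:02:30 src=10.0.0.5 dst=198.51.100.7 dport=25 action=deny
2008-03-11 14:02:44 src=10.0.0.5 dst=10.0.0.2 dport=25 action=allow
2008-03-11 14:03:02 src=10.0.0.5 dst=198.51.100.8 dport=25 action=deny
2008-03-11 14:03:10 src=10.0.0.20 dst=203.0.113.50 dport=80 action=allow
2008-03-11 14:03:30 src=10.0.0.5 dst=192.0.2.33 dport=25 action=deny
2008-03-11 14:05:00 src=10.0.0.20 dst=10.0.0.2 dport=25 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dport"])


def smtp_fanout(lines, window_seconds=300, threshold=5, allowed=frozenset()):
    """Return {src: sorted distinct SMTP destinations} for every source that
    contacted at least `threshold` distinct non-allowed hosts on port 25 within
    some window of `window_seconds`. Denied attempts count too: the bot tried,
    and the attempt is what identifies the infected host."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst, dport in parse(lines):
        if dport == 25 and dst not in allowed:
            attempts[src].append((ts, dst))

    flagged = {}
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = sorted({dst for _, dst in events})
                break
    return flagged


if __name__ == "__main__":
    hits = smtp_fanout(SAMPLE_LOG.splitlines(), allowed={"10.0.0.2"})
    for src, dsts in hits.items():
        print(f"{src}: {len(dsts)} distinct SMTP targets -> {', '.join(dsts)}")
```

Run against the constructed sample, only 10.0.0.5 is flagged: six distinct external port-25 targets in under two minutes, while its one connection to the smarthost is ignored because the smarthost is in the allowed set. The workstation never trips the check because it only ever talks to 10.0.0.2. Put the server's real smarthost (or MX targets, for a box that delivers directly) in `allowed` and tune `threshold` and `window_seconds` to the site's normal mail volume; a host that still trips it is the one to take off the wire and scan.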
stidyup
If you think you are infected, submit a HijackThis log to the HJT Forum.

How to submit a HijackThis log

Download HijackThis

Try running the following from safe mode (Getting to safe-mode): Sysclean. You'll also need the virus template file from here: lpt***.zip. Remember to extract the contents of the zip file into the same folder as Sysclean.com.

or

DrWeb CureIT

or

KASFX, which is powered by the Kaspersky AV engine; you will need internet access to update it. If you haven't got net access in safe mode, update it before you use it.

If you're good with the command line, also try the Sophos Command Line scanner. This command will scan all of your HDDs: SAV32CLI.EXE -F -di -remove -dn -mbr -all -zip -p=avscanlog.txt and give you a log file to review afterwards.
BanditFlyer
EEK!!

Booting a mission critical server to safe mode is a scary proposition!!!

I was also wondering if it is OK to use the same anti-malware apps on a server - spybot s&d, Ad-aware, HJT, etc. - as you would normally use on a desktop.

To update you on the status of this problem, for now I have a Band-Aid over that gaping wound - I shut off SMTP services. Tech support (paid tech support) turned on SMTP for some reason, and that's when the problem started.

Good to know that the server has some malware on it, though. I never would have known that without tech support turning on SMTP. Unfortunately, this site is often better than paid tech support.

Any ideas on how to run other malware scans on a mission critical server?