
Possible Bot on SBS2003 Mail Server


  • This topic is locked
4 replies to this topic

#1 Watties

  • Members
  • 3 posts
  • Gender:Male
  • Location:South Africa

Posted 14 June 2011 - 01:51 AM

Hi All

I have an SBS 2003 server with SP1. I'm using Trend Worry-Free Business Advanced as well as a pfSense firewall with rules allowing only sending through the Exchange server. I'm also running WSUS on this server to get updates out to the client machines.

A few weeks ago I started noticing large numbers of SMTP mail queues to some very obscure domains; when I went into them, they looked like typical spam mails, advertising anything from weight loss to satellite TV. I contacted my ISP and they told me to rather delete them manually, as they couldn't do anything from their end. So not only am I sending out spam, but I'm also getting 1000s of postmaster return mails for all the NDRs. I've been trying to track down which machine might be the culprit, but it's very difficult with 70 users and offices in 3 cities, and guys using handheld devices too. It's very irritating having to go in and manually clean all these mail queues, but the worst of it is that my server is starting to get listed on SORBS etc., which will prove to be a major train wreck if we're blocked from sending mail. I've also taken the message ID off one of these spam mails and tried to track it through the message centre, but to no avail: it goes off and searches for sender details, but comes back with nothing.

I've followed the advice in the Prep Guide and downloaded DDS and GMER, but DDS will not run on the SBS 2003 OS. I was also wanting to know if it's safe to try and run RUBotted on this server, or whether it's not a good idea?

Here's the log from GMER:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-14 08:39:32
Windows 5.2.3790 Service Pack 1 Harddisk0\DR0 -> \Device\Scsi\cpqcissm1Port2Path0Target4Lun0 HP______ rev.2.68
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\pwtcqpob.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Exchsrvr\bin\store.exe[5940] kernel32.dll!TerminateProcess 77E41FE4 5 Bytes JMP 005F3C9A C:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)
.text C:\Program Files\Exchsrvr\bin\store.exe[5940] kernel32.dll!ExitProcess 77E53049 5 Bytes JMP 005F3C6B C:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat Dfs.sys (Distributed File System Filter Driver/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** ) [AUTO] SBCore <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@Type 16
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime 304960

---- EOF - GMER 1.0.15 ---

Any help from you guys would be really appreciated.

Watties
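The symptoms in this post (outbound queues full of spam to random domains, NDR backscatter, a SORBS listing, and a message ID that the tracking tools cannot attribute to any internal sender) are the classic picture of authenticated relay abuse, and the SMTP protocol log is the quickest place to see who is doing it. Once protocol logging is enabled on the Exchange 2003 SMTP virtual server, it writes a W3C extended log under %SystemRoot%\system32\LogFiles\SMTPSVC1 with one line per SMTP command: client IP, command, argument and response code. The script below is an added example for this thread, not code from the original post or from Microsoft or Trend Micro. It parses that format by reading the #Fields: header, so the column order comes from the file rather than being assumed, then groups per client IP the successful AUTH commands (reply 235), failed ones (5xx), and MAIL/RCPT counts. An IP that authenticates and then addresses dozens of recipients is the relay abuser; an IP with nothing but failed AUTHs is guessing passwords. The sample log lines are constructed, the exact field set is an assumption (in real logs the AUTH LOGIN exchange can span several lines with the 235 on the last one, so check how your log records it), and the thresholds are illustrative. One caveat on the GMER output above: the SBCore service (sbscrexe.exe) is SBS 2003's own licensing/core service, protected by a restrictive ACL so the service control manager will not enumerate it; anti-rootkit tools commonly report it as a hidden service on SBS, so that line is the expected false positive rather than evidence of the bot.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format. The #Fields: line is an
# assumption about which columns the virtual server was configured to log; the
# parser takes the column order from that header rather than hard-coding it.
# Spaces inside a field are written as '+' in this format.
HEADER = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Version: 1.0\n"
    "#Date: 2011-06-14 08:00:00\n"
    "#Fields: date time c-ip cs-method cs-uri-query sc-status\n"
)


def _line(ip, method, query, status, t="08:00:01"):
    return f"2011-06-14 {t} {ip} {method} {query} {status}\n"


SAMPLE_LOG = HEADER
# a normal internal client: authenticates once, sends one mail to two people
SAMPLE_LOG += _line("192.168.16.25", "EHLO", "pc-sales1", "250")
SAMPLE_LOG += _line("192.168.16.25", "AUTH", "LOGIN", "235")
SAMPLE_LOG += _line("192.168.16.25", "MAIL", "FROM:+<a@example.co.za>", "250")
SAMPLE_LOG += _line("192.168.16.25", "RCPT", "TO:+<b@example.net>", "250")
SAMPLE_LOG += _line("192.168.16.25", "RCPT", "TO:+<c@example.net>", "250")
# an external host that authenticates once and then fans out to 40 recipients
SAMPLE_LOG += _line("203.0.113.10", "EHLO", "host-a", "250")
SAMPLE_LOG += _line("203.0.113.10", "AUTH", "LOGIN", "235")
SAMPLE_LOG += _line("203.0.113.10", "MAIL", "FROM:+<promo@example.org>", "250")
for i in range(40):
    SAMPLE_LOG += _line("203.0.113.10", "RCPT", f"TO:+<user{i}@example.com>", "250")
# an external host that only ever fails AUTH: password guessing
for _ in range(6):
    SAMPLE_LOG += _line("198.51.100.7", "AUTH", "LOGIN", "535")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # a log can restart its header mid-file
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated/corrupt line: skip instead of mis-assigning columns
        yield dict(zip(fields, parts))


def summarize(text):
    """Per client IP: successful and failed AUTHs, MAIL and RCPT commands."""
    per_ip = defaultdict(lambda: {"auth_ok": 0, "auth_fail": 0, "mail": 0, "rcpt": 0})
    for rec in parse_w3c(text):
        s = per_ip[rec["c-ip"]]
        method, status = rec["cs-method"].upper(), rec["sc-status"]
        if method == "AUTH":
            if status == "235":
                s["auth_ok"] += 1
            elif status.startswith("5"):
                s["auth_fail"] += 1
        elif method == "MAIL":
            s["mail"] += 1
        elif method == "RCPT":
            s["rcpt"] += 1
    return dict(per_ip)


def relay_suspects(text, min_rcpt=10):
    """IPs that authenticated and then addressed at least min_rcpt recipients,
    heaviest first. The threshold is an assumption; tune it to the site."""
    hits = [(ip, s["rcpt"]) for ip, s in summarize(text).items()
            if s["auth_ok"] and s["rcpt"] >= min_rcpt]
    return sorted(hits, key=lambda h: -h[1])


def auth_bruteforcers(text, min_fail=5):
    """IPs with at least min_fail failed AUTHs and no success."""
    return sorted(ip for ip, s in summarize(text).items()
                  if s["auth_fail"] >= min_fail and not s["auth_ok"])


if __name__ == "__main__":
    print("authenticated relay suspects:", relay_suspects(SAMPLE_LOG))
    print("AUTH brute-force sources:", auth_bruteforcers(SAMPLE_LOG))
```

To use it on a real log, pass the file contents (for example `relay_suspects(open(path).read())`) instead of SAMPLE_LOG; the functions only take the text, so the whole LogFiles\SMTPSVC1 directory can be concatenated and fed through in one go. The IPs it returns are where to look next: a LAN address points at an infected workstation, an address outside the LAN means someone has a valid set of credentials.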


#2 Watties

  • Topic Starter
  • Members
  • 3 posts
  • Gender:Male
  • Location:South Africa

Posted 14 June 2011 - 10:55 PM

Hi All

What would the chances be that this might be an iPhone that's causing this? I've been trying rather unsuccessfully to find anything relating to this in the IIS logs, but the closest I can get to it is one of my sales guys' iPhone syncing using OMA.

Watties

#3 Watties

  • Topic Starter
  • Members
  • 3 posts
  • Gender:Male
  • Location:South Africa

Posted 14 June 2011 - 11:54 PM

Hi All

I might have stumbled onto a possible solution to my problem. The previous sysadmin created a test account on the server which was still active. When I checked in the Exchange event logs, it was being used to authenticate spammers from Brazil to Beijing. Guess it pays to stand back and look at a problem calmly and with a plan in mind. I've disabled the account, and will watch the queues to see what happens.

Watties
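The root cause found here, a forgotten account whose password the spammers had, being used for SMTP AUTH from all over the world, leaves a trail in the Security log of the SBS box (it is the domain controller) whenever success auditing for logon events is on: Exchange 2003's SMTP service handles AUTH LOGIN through basic authentication, which Windows Server 2003 records as event 540 (successful network logon) with logon type 8 (NetworkCleartext). Grouping those events by account and source address shows which account is being abused and from where. The script below is an added example, not from the thread; it works on a CSV export of the Security log, with assumed column names and description wording since the exact shape depends on how the log was exported, and the rows are constructed. It deliberately does not flag an account merely for type-8 logons from outside the LAN, because the sales rep's iPhone syncing over OMA from the previous post looks exactly like that, from one or two addresses. What marks the abused account is the spread of distinct external source addresses, so that is what it scores on. The LAN ranges are the RFC 1918 blocks and the threshold is illustrative; both are assumptions to adjust for the site.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample rows in the shape of a Security-log CSV export. Column
# names and the description wording are assumptions for this example.
SAMPLE_CSV = """\
Date,Time,Event,Description
14/06/2011,02:11:05,540,"Successful Network Logon: User Name: test Domain: CORP Logon Type: 8 Source Network Address: 203.0.113.10"
14/06/2011,02:13:41,540,"Successful Network Logon: User Name: test Domain: CORP Logon Type: 8 Source Network Address: 198.51.100.23"
14/06/2011,02:20:09,540,"Successful Network Logon: User Name: test Domain: CORP Logon Type: 8 Source Network Address: 203.0.113.77"
14/06/2011,02:31:52,540,"Successful Network Logon: User Name: test Domain: CORP Logon Type: 8 Source Network Address: 192.0.2.200"
14/06/2011,07:05:00,540,"Successful Network Logon: User Name: jsmith Domain: CORP Logon Type: 8 Source Network Address: 198.51.100.9"
14/06/2011,07:35:00,540,"Successful Network Logon: User Name: jsmith Domain: CORP Logon Type: 8 Source Network Address: 198.51.100.9"
14/06/2011,08:05:00,540,"Successful Network Logon: User Name: jsmith Domain: CORP Logon Type: 8 Source Network Address: 198.51.100.9"
14/06/2011,08:10:30,540,"Successful Network Logon: User Name: administrator Domain: CORP Logon Type: 3 Source Network Address: 192.168.16.5"
14/06/2011,08:12:00,529,"Logon Failure: Reason: Unknown user name or bad password User Name: sales Domain: CORP Logon Type: 8 Source Network Address: 203.0.113.10"
"""

# Assumed site LAN ranges (RFC 1918). ipaddress.is_private is not used on
# purpose: it also treats the documentation ranges used in the sample as
# private, and a site's notion of "internal" should be explicit anyway.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DESC = re.compile(
    r"User Name:\s*(?P<user>\S+).*?Logon Type:\s*(?P<ltype>\d+)"
    r".*?Source Network Address:\s*(?P<ip>[0-9.]+)",
    re.S,
)


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_RANGES)


def parse_successful_logons(csv_text):
    """Yield (user, logon_type, source_ip) for each event 540 row."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Event"].strip() != "540":
            continue
        m = DESC.search(row["Description"])
        if not m:
            continue  # description in an unexpected shape: skip rather than guess
        yield m["user"].lower(), int(m["ltype"]), m["ip"]


def cleartext_logons_by_account(csv_text):
    """Per account: number of logon type 8 (NetworkCleartext, i.e. basic auth)
    events and the set of non-LAN source addresses they came from."""
    acct = defaultdict(lambda: {"count": 0, "external_ips": set()})
    for user, ltype, ip in parse_successful_logons(csv_text):
        if ltype != 8:
            continue
        acct[user]["count"] += 1
        if not is_lan(ip):
            acct[user]["external_ips"].add(ip)
    return dict(acct)


def suspicious_accounts(csv_text, min_distinct_external=3):
    """Accounts authenticating with cleartext credentials from many distinct
    external addresses. A single remote user on a phone has one or two; a
    credential that has been sold to spammers has many."""
    return sorted(
        user for user, s in cleartext_logons_by_account(csv_text).items()
        if len(s["external_ips"]) >= min_distinct_external
    )


if __name__ == "__main__":
    for user, s in sorted(cleartext_logons_by_account(SAMPLE_CSV).items()):
        print(f"{user:15} type-8 logons={s['count']:3}  external sources={sorted(s['external_ips'])}")
    print("suspicious:", suspicious_accounts(SAMPLE_CSV))
```

Disabling the account stops the bleeding; the follow-up checks a practitioner would add are to audit every enabled account for a last-logon date and an owner, and to make sure the SMTP virtual server only permits AUTH over an encrypted connection, so a guessed password cannot be used as a relay credential from the Internet again.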

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 June 2011 - 07:10 PM

Do you still need help?
m0le is a proud member of UNITE

#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 June 2011 - 06:36 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE



