Re: System Process (PID 8) creates mail



Thanks for the tips. Yeah, if I was good, I would have examined the
logs more closely. But we get so much traffic, I tend to get
overwhelmed. I did finally just use the filter to look at SMTP traffic
coming from inside our network.
The firewall can block based on IP and port, but right now my email
server has two NICs, and both are sending email. I need to look at
that, so that all email coming from the email box only goes out the
email IP. Also, I have a few visitors that need access to their email
server via SMTP, so the service is not blocked on the internet IP.
I will try Process Explorer and RootkitRevealer. I just could not
see what was driving the System process. There was no app or any path
in Tlist. Add/Remove was clean, but I will see if I can get someone to run
some of the cleaners in Safe Mode (was a remote PC).
Walter
Steven L Umbach wrote:
A pristine install is certainly the best solution but that is your call.
What you could do is to try Process Explorer to see more detailed info on
the process and if it is installed as a service and Autoruns to see if you
can see where it is started from. Their RootkitRevealer is something else to
take a look at if you think it may be a root kit compromise. You should also
configure your firewall to block outbound traffic from that computer to
unauthorized ports assuming your firewall has that capability and if it does
not you may want to buy one that can. A firewall that can have a default
block all outbound rule where you define the explicit exceptions for
authorized traffic would have prevented your IP from being blocked in the
first place and examination of firewall logs could have alerted you to
problems from that and other computers on your network. Also try scanning
your computer in Safe Mode with your malware/spyware applications and try a
dedicated trojan detection and removal program such as Ewido. Look in Add
and Remove Programs in case the rogue application shows there. --- Steve

http://www.sysinternals.com/Utilities/RootkitRevealer.html
http://www.ewido.net/en/ --- Ewido


<wkrueger@xxxxxxxxx> wrote in message
news:1144103405.215661.154020@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Windows 2000 PC with SP4.
We had a problem where one of our external IP addresses was being
blocked due to spam coming from it. It was not the mail server address
(which is NAT'd through the firewall), but rather a user's station.
This user has no email app, nor a reason to send SMTP mail. I threw
about 6 tools at it (spybot, adaware, pestscan, installed Norton AV
corp, Norton Spyware, Trend micro AV) and found about 4 viruses and 6
pieces of spyware-malware.

I do not think I can just stop the hunt and format the PC, as the apps
on the box are tricky and expensive to reset - due to proprietary
vendor installs.

I put TCPview on the machine and saw that every 5 minutes, the System
process (PID was 8) was generating email to external addresses. The
ports it was using were somewhat random (1151, 1160, 1241, 1242, 1148)
and the external addresses changed every so often. I was able to block
email from this machine, so the effect has stopped.

That is my tale of woe, now my questions (may be dumb):
Is there an executable that is behind SYSTEM? I do not see an .exe with
that name. Is it a kernel type of app? Is there a way to compare dates
of the 'file' to something from the Windows 2000?

I am concerned that there is still a bug that could somehow reactivate
if the user does something dumb again. The machine is still trying its
mail send, but I am blocking it. Is there a better tool to track the
app that is trying to talk to the outside world? What other ways can I
clean the machine?
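The thread's advice boils down to two checks a defender can automate: which internal hosts other than the mail server are opening outbound SMTP connections, and whether those connections recur on a fixed schedule (the original post saw a send every 5 minutes from changing source ports). The script below is an added example, not code from anyone in this thread; the log line format, the 192.168.1.0/24 addresses, the mail server address and the timestamps are all constructed for illustration, and the MAIL_SERVER value is an assumption you would replace with your own.

```python
"""Flag internal hosts (other than the mail server) that open outbound SMTP
connections, and detect periodic beaconing in those connections.
Added example: the log format below is a constructed, generic
"timestamp src:port dst:port proto action" layout, not any vendor's."""
from collections import defaultdict
from datetime import datetime

MAIL_SERVER = "192.168.1.10"   # assumption: the only host allowed to send SMTP directly
SMTP_PORT = 25
MIN_CONNECTIONS = 3            # need at least this many to judge periodicity

# Constructed sample firewall log lines. Host .57 mimics the thread's symptom:
# one outbound SMTP connection roughly every 5 minutes, from changing ports.
SAMPLE_LOG = """\
2006-04-03 09:00:01 192.168.1.10:1050 203.0.113.5:25 TCP allow
2006-04-03 09:00:05 192.168.1.57:1151 198.51.100.20:25 TCP allow
2006-04-03 09:02:11 192.168.1.33:1300 203.0.113.80:80 TCP allow
2006-04-03 09:05:05 192.168.1.57:1160 198.51.100.21:25 TCP allow
2006-04-03 09:10:04 192.168.1.57:1241 198.51.100.22:25 TCP allow
2006-04-03 09:15:07 192.168.1.57:1242 198.51.100.22:25 TCP allow
2006-04-03 09:20:05 192.168.1.57:1148 198.51.100.23:25 TCP allow
2006-04-03 09:22:40 192.168.1.10:1051 203.0.113.6:25 TCP allow
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts_date, ts_time, src, dst, proto, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{ts_date} {ts_time}", "%Y-%m-%d %H:%M:%S"),
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "proto": proto, "action": action,
    }


def find_rogue_smtp_senders(log_text, mail_server=MAIL_SERVER):
    """Return {src_ip: [records]} for outbound SMTP from hosts other than the mail server."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst_port"] == SMTP_PORT and rec["src_ip"] != mail_server:
            by_host[rec["src_ip"]].append(rec)
    return dict(by_host)


def beacon_interval_seconds(records, tolerance=30):
    """If the connections recur at a steady interval (every gap within
    `tolerance` seconds of the median gap), return that interval; else None."""
    if len(records) < MIN_CONNECTIONS:
        return None
    times = sorted(r["ts"] for r in records)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if all(abs(g - median) <= tolerance for g in gaps):
        return int(round(median))
    return None


def report(log_text):
    """Summarise each suspect host: connection count, destinations, beacon interval."""
    findings = {}
    for host, recs in find_rogue_smtp_senders(log_text).items():
        findings[host] = {
            "connections": len(recs),
            "destinations": sorted({r["dst_ip"] for r in recs}),
            "beacon_interval_s": beacon_interval_seconds(recs),
        }
    return findings


if __name__ == "__main__":
    for host, info in report(SAMPLE_LOG).items():
        print(host, info)
```

Run against the sample, the mail server's own port 25 traffic and the port 80 connection are ignored, and 192.168.1.57 is reported with five connections to four destinations at a 300-second interval. Steady spacing with changing destinations and ephemeral source ports is the pattern worth alerting on; a default-deny outbound rule with an explicit exception for the mail server, as Steve suggests, turns these "allow" entries into "deny" entries without changing the detection.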
