Re: what is the spool.log file
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 14 Jul 2006 12:05:29 -0500
Normally you don't find .log files in the system32 folder, and I did a Google
search of that file name and came up with nothing, which makes it even more
suspicious. I don't know exactly what it means but to me it would be of
concern particularly since it is very large. You could try downloading
handle from SysInternals to see if a process has that file open and that
information would help you determine what is going on. Also check your
security log on that server to see if any suspicious user logons or logon
failures are shown. I would certainly scan the server for malware and
spyware being sure to use the latest definitions for whatever you use.
Hopefully someone is not browsing the internet from that server but if you
cannot confirm that no one has you should check for spyware also.
In addition to that I would download TCPView, Autoruns, and Process Explorer
all free from SysInternals. Run them on the server looking for any
unexplained port use, processes, and startup/logon processes. Process
Explorer and Autoruns [greatly enhanced recently for those who have not
tried it in a while] will display the publisher name of an associated
process if it can for the related executable. This can help you identify a
process and help determine if it is legitimate or not. Malware/spyware
usually do not have a publisher name associated with a process though lack
of a name does not necessarily indicate malware.
--- Steve
http://www.sysinternals.com/Utilities/ProcessExplorer.html -- Process Explorer
"Dan" <ddonahue@xxxxxxxxxxxxxxx> wrote in message
news:O8xMi6npGHA.1548@xxxxxxxxxxxxxxxxxxxxxxx
I was trying to free up some space on one of our servers and I saw that the
spool.log file in the system32 folder was the largest file. I looked in the
file and saw lines like these:
Thu Jul 13 07:31:24: ConnectSocket(): Connecting To: '82.127.76.142':'6667'\n
Thu Jul 13 07:31:24: ConnectSocket(): Connected
Thu Jul 13 07:31:24: --> NICK CAPSULAIRE4\r\n
Thu Jul 13 07:31:24: --> USER [216.37.95.87]' localhost 0.0.0.0 :[216.37.95.87]'\r\n
Thu Jul 13 07:31:24: <-- :ragnaros.fantasy-irc.net NOTICE AUTH :*** Looking up your hostname...
Thu Jul 13 07:31:24: <-- :ragnaros.fantasy-irc.net NOTICE AUTH :*** Found your hostname
Thu Jul 13 07:31:24: <-- :ragnaros.fantasy-irc.net NOTICE CAPSULAIRE4 :*** You are banned from fantasy-irc.net ([rasur] pas de botnet désolé)
Thu Jul 13 07:31:24: <-- ERROR :Closing Link: CAPSULAIRE4[216.37.75.146] (User has been banned from fantasy-irc.net ([rasur] pas de botnet désolé))
Thu Jul 13 07:31:26: retline(): recv() Failed! 10038
Is this someone attempting to hack our server? I don't recognize the
ragnaros.fantasy-irc.net website.
Thanks,
Dan
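An added triage helper for a log in the shape Dan posted above; it is example code written for this page, not something from the thread or from SysInternals. It assumes only the line layout visible in the excerpt: a timestamp prefix, `ConnectSocket(): Connecting To: 'host':'port'` lines, `-->` for what the process on the server sent, and `<--` for what the remote IRC server answered. In IRC, `NICK` and `USER` are the commands a client sends to register itself, so `-->` lines show the server's own process acting as an IRC client rather than someone connecting in. The sample lines are constructed with documentation addresses (RFC 5737) and a placeholder server name, and the hostname and nickname in them are made up.

```python
"""Summarise outbound IRC activity recorded in a spool.log-style file.

Parses timestamped lines of the form seen in the posted excerpt and reports
connection attempts, IRC registrations and ban/error responses, so an admin
can judge whether the process that wrote the log belongs on the server.
"""
import re

# Constructed sample in the same shape as the posted log (addresses from
# RFC 5737, server name and nicknames invented for the example).
SAMPLE_LOG = r"""Thu Jul 13 07:31:24: ConnectSocket(): Connecting To: '192.0.2.10':'6667'\n
Thu Jul 13 07:31:24: ConnectSocket(): Connected
Thu Jul 13 07:31:24: --> NICK EXAMPLEBOT1\r\n
Thu Jul 13 07:31:24: --> USER [198.51.100.5]' localhost 0.0.0.0 :[198.51.100.5]'\r\n
Thu Jul 13 07:31:24: <-- :irc.example.net NOTICE AUTH :*** Looking up your hostname...
Thu Jul 13 07:31:24: <-- :irc.example.net NOTICE EXAMPLEBOT1 :*** You are banned from irc.example.net (no botnet)
Thu Jul 13 07:31:24: <-- ERROR :Closing Link: EXAMPLEBOT1[198.51.100.5] (User has been banned)
Thu Jul 13 07:31:26: retline(): recv() Failed! 10038
Thu Jul 13 07:41:24: ConnectSocket(): Connecting To: '192.0.2.10':'6667'\n
Thu Jul 13 07:41:24: ConnectSocket(): Connected
Thu Jul 13 07:41:24: --> NICK EXAMPLEBOT2\r\n
"""

TIMESTAMP = r"^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d): "
CONNECT_RE = re.compile(TIMESTAMP + r"ConnectSocket\(\): Connecting To: '(?P<host>[^']+)':'(?P<port>\d+)'")
OUTBOUND_RE = re.compile(TIMESTAMP + r"--> (?P<cmd>[A-Z]+)\b(?P<rest>.*)")
INBOUND_RE = re.compile(TIMESTAMP + r"<-- (?::(?P<origin>\S+) )?(?P<cmd>[A-Z]+)\b(?P<rest>.*)")

# Ports commonly used for IRC (6667 and 6697 are the registered ones).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


def parse_log(text):
    """Return connection attempts, registered nicknames, remote server names
    and ban/error responses found in the log text."""
    connects, nicks, servers, errors = [], [], set(), []
    for line in text.splitlines():
        # The log keeps literal "\n" / "\r\n" escapes at the end of protocol lines.
        line = re.sub(r"(\\r)?\\n$", "", line.rstrip())
        m = CONNECT_RE.match(line)
        if m:
            connects.append((m["ts"], m["host"], int(m["port"])))
            continue
        m = OUTBOUND_RE.match(line)
        if m:
            if m["cmd"] == "NICK":
                nicks.append(m["rest"].strip())
            continue
        m = INBOUND_RE.match(line)
        if m:
            if m["origin"]:
                servers.add(m["origin"])
            if m["cmd"] == "ERROR" or "banned" in m["rest"].lower():
                errors.append(m["rest"].strip())
    return {"connects": connects, "nicks": nicks, "servers": sorted(servers), "errors": errors}


def assess(summary):
    """Turn the parsed summary into findings an admin can act on.
    An empty list means nothing in the log looked like IRC client activity."""
    findings = []
    irc_hits = [(h, p) for _, h, p in summary["connects"] if p in IRC_PORTS]
    if irc_hits:
        targets = sorted({f"{h}:{p}" for h, p in irc_hits})
        findings.append(f"{len(irc_hits)} outbound connection attempt(s) to IRC port(s): {', '.join(targets)}")
    if summary["nicks"]:
        findings.append("process sent IRC NICK registrations, i.e. it is the client: " + ", ".join(summary["nicks"]))
    if summary["errors"]:
        findings.append(f"{len(summary['errors'])} ban/error response(s) from the remote server, e.g. {summary['errors'][0]!r}")
    if len(summary["connects"]) > 1:
        findings.append("repeated reconnect attempts: automated retry rather than a one-off action")
    return findings


if __name__ == "__main__":
    result = parse_log(SAMPLE_LOG)
    print("remote servers:", result["servers"])
    for finding in assess(result):
        print("-", finding)
```

Run it against the real file with `parse_log(open(r"C:\Windows\system32\spool.log").read())` (path as posted, adjust to the server's system root) and pair the output with Handle or Process Explorer to find which process has the file open; the connection targets and timestamps it lists are also what to look for in TCPView and in firewall logs.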