From: Enrico Comoglio (comoglioFLY2NET.IT)
Date: Mon Mar 12 2001 - 05:01:12 CST

    ---- Original Message -----
    From: "Erik Thackston" <ethackstonINTERLIANT.COM>
    To: <FOCUS-MSSECURITYFOCUS.COM>
    Sent: Friday, March 09, 2001 10:24 PM
    Subject: SMTP relay

    > To ALL.
    > I have an issue with a spammer. Basically, I'm running IIS 5.0 virtual
    > server and the smtp service has been shut down. All known executables and
    > programs are being audited and so far nothing has matched up as far as
    > time frames when spam is going out. I was wondering if there is anyone out
    > there that may have faced a similar situation before.
    > I've been using windump but I feel that my knowledge of its potential is
    > not known to its fullest extent.
    > What I believe is happening is that the user is uploading an exe or perl
    > mod and then removing it when he is done. Anyone have any thoughts or
    > other apps that might be useful.
    >
    > Erik
    >

    If you have shut down any of your mail daemons, maybe another mailer has
    been uploaded to your server without your permission.
    I think the first step should be making a telnet connection to your server on
    port 25; doing this, you can immediately know what kind of daemon has been
    installed. Looking for a certain program should be easier then...
    Hope it will help you, let me know if you need more explanation...
    Bye
    Enrico Comoglio
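
The port-25 check suggested in the reply above, as an added example that is not part of the original message: it connects to your own server the way `telnet host 25` would, reads the SMTP greeting (including multi-line `220-` greetings) and reports whether anything is listening and what it announces. The function names and the default host are assumptions chosen for illustration.

```python
import re
import socket

# One SMTP reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
_REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")


def parse_greeting(raw):
    """Return (code, [text lines]) for a complete SMTP reply, else None."""
    if not raw.endswith(b"\n"):
        return None  # last line is still in flight
    code, texts = None, []
    for line in raw.decode("latin-1").splitlines():
        m = _REPLY_LINE.match(line)
        if m is None or (code is not None and m.group(1) != code):
            return None  # not SMTP, or the reply codes disagree
        code = m.group(1)
        texts.append(m.group(3) or "")
        if m.group(2) != "-":
            return int(code), texts  # final line of the reply
    return None  # only continuation lines so far


def probe(host, port=25, timeout=5.0):
    """Connect as 'telnet host 25' would and report what answers."""
    result = {"listening": False, "smtp": False, "code": None, "banner": []}
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["listening"] = True
            while parse_greeting(buf) is None and len(buf) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
            sock.sendall(b"QUIT\r\n")  # end the session cleanly
    except OSError:
        pass  # refused, timed out or reset: keep what was learned so far
    parsed = parse_greeting(buf)
    if parsed:
        result.update(smtp=True, code=parsed[0], banner=parsed[1])
    elif buf:
        # Something answered on the port, but not with an SMTP reply.
        result["banner"] = [buf.decode("latin-1", "replace").strip()]
    return result


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A result with `listening` true while the SMTP service is stopped means some other process owns the port, and the banner text is the first clue to which program to look for.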