topic Re: Need help fast!!! Trojan network scanner needed in Operating System - Microsoft

Need help fast!!! Trojan network scanner needed

Ronald Postma — Thu, 08 Jul 2004 08:07:17 GMT

Hi folks,
I need a program that can scan the entire network for trojans. So one program that can scan al pc's and servers.
To install a program on each pc is a little bit tu much work.

Situation.
Our ISP thinks we have a trojan on our network that sends spam and blocked port 25 so we can not send e-mail, very frustrating.
We can not find any trojans. The ISP does not want to release the block easyly, so I want soee proof that our network is trojan/virusfree.

We have a 3com firewall, whit only the nessesary ports open en Notron Cooperate virusserver.

Hope anyone can point me to a program that can scan for trojans, so I have some proof (logfile) for the ISP,

Regards,
Ronald

Re: Need help fast!!! Trojan network scanner needed

Ron Kinner — Thu, 08 Jul 2004 08:40:58 GMT

Unless you happen to know what port the trojan opens (assuming it is a remote control trojan and not just an emailer) a scan would be difficult to interpret but if you want to try then nmap at:

http://www.insecure.org/nmap/

or

http://netsecurity.about.com/cs/hackertools/a/aafreeportscan.htm

If it were my network I would install snort
http://www.snort.org/
on a pc and have it monitor the traffic on the port going to the ISP. It would be a simple matter to have it look for traffic to port 25 and tell you what PC's are doing this.

Could also be that you have an open mail relay somewhere in your system. This is actually pretty common. Either poorly configured and a spammer found it or a system which got hacked, had the mail relay turned on and then the hacker cleaned up his traces. Problem is it need not listen on port 25. The hacker/spammer can use a different port of his/her choice. This would not show as trojan or virus.

Do you not have a firewall on this large network? Easy enough to ask the firewall (or router) to block port 25 outgoing and tell you who sent it.

Ron

Re: Need help fast!!! Trojan network scanner needed

Ronald Postma — Thu, 08 Jul 2004 08:57:01 GMT

Hi Ron,
Tnx for the quick reply.
I do not even think there is a trojan on the network, so I do not know a port.
Our ISP got complains from theire costumers that costumers got spam from our IP-adres.
You probebly know that it is easy to send send mail with another IP, so some spammers just used our IP.

Why do I have to block port 25 outgoing, then the exchangeserver can not send any e-mail or am I wrong?

Actualy I only need some proof that nothing is wrong to send to the ISP, so they will lift the block.

I look into the links and get back to you,

Regards,
Ronald

Re: Need help fast!!! Trojan network scanner needed

Ron Kinner — Thu, 08 Jul 2004 09:26:34 GMT

Since you are blocked anyway, I don't see why it would be a problem to block the same port on the firewall to let it log attempts for a while.

I'm not up on 3-Com firewalls but on a Cisco it is easy to ask the firewall to block or pass a packet to a particular port and to log the packet's source and destination. In fact it should be possible to only allow packets from your mail server to go out to port 25 and to block everyone else and to tell you about all the blocked attempts. That would quickly find the trojan if it exists.

I'm beginning to wonder if your own mail server has been told to only relay packets from members of your local network and you forgot to exclude the firewall's IP (he will NAT any incoming packets so they will look like a local packet.)

Ron

Re: Need help fast!!! Trojan network scanner needed

Ronald Postma — Thu, 08 Jul 2004 10:14:11 GMT

What scans I do I can not find anything wrong,
My supirior does not want me to put more effort in finding what probebly is not there.

Now we only presuring the ISP to lift the block.

Tnx for your help,
Regards,
Ronald