
SMTP Spamming Problem

Jan 26, 2001
Hi guys

I wonder if you could help with an issue with my Windows 2000 web server.

I noticed that disk space was being eaten up at an alarming rate, and when I checked there was about 5 gigs of files in the badmail folder. I stopped the smtp service and deleted the files (which took several hours). As soon as the smtp service was restarted, files started getting written to the badmail folder at a rate of about 20 per second. When I checked the contents they are obviously spam.

I have restricted the relay settings for the server and also run pretty much every spyware/virus checker I could find, but nothing is showing up on the scans.
I'm stumped as to how to proceed to remove whatever program is doing this. Any ideas on how to proceed?

Many thanks

Nick

Nick (Webmaster)

 
Emails to your badmail folder (assuming you're running Exchange?) go there because they don't match any mailboxes in your domain. You can script their removal, but we'll need to know which Exchange version you're running.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Hi Dave

Thanks for your advice, but actually I'm not using Exchange. I only run the SMTP service as a means to send automated emails from a script on my websites.
I think that although a removal script would help a bit in keeping on top of it, the files are getting written at such an alarmingly quick rate that it would have to run every minute or so to keep up with it. I need to find the source of whatever nasty program is spamming emails at the server, which is where I'm stumped.
Any other ideas?

Thanks again
Nick

Nick (Webmaster)

 
Use HijackThis to assist with finding the worm on your system.
You can post your log here as well as many forums on the Net.

Look at the log that gets created and start doing Google searches on items you find running on your system "that don't look legit."

FYI- you can delete the items in the Bad mail folder without stopping the SMTP service.
 
Hi, thanks for your advice. I've run HijackThis and the log is as follows:

Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:25:20, on 13/07/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Novosoft\Handy Backup\BackupNetworkCoordinator.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\serverappliance\appmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\serverappliance\elementmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\serverappliance\srvcsurg.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\logon.scr
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\mmc.exe
E:\Software\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [Handy Backup] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: BGInfo.lnk = C:\Install\BGInfo\Bginfo.exe
O4 - Global Startup: Dienst-Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Handy Backup Service for Administrator - Novosoft LLC - C:\Program Files\Novosoft\Handy Backup\hbagent.exe
O23 - Service: Novosoft Backup Network Coordinator (Novosoft_Backup_Network_Coordinator) - Unknown owner - C:\Program Files\Novosoft\Handy Backup\BackupNetworkCoordinator.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4666 bytes

I can't see anything immediately obvious, but perhaps you can spot something? Thanks again

Nick

Nick (Webmaster)

 
OK... now that you have your log, my suggestion would be to start doing Google searches on some of the .exe's and .dll's to make sure they are legit. And you are right, from looking at the log I do not see any threats. Another suggestion is to look at the processes running on the server via Task Manager. In my experience, most email worms I've seen try to resemble svchost.exe; more commonly they will be named svhost.exe.

Another suggestion would be to run SPYBOT and Adaware.
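As an added example (not code from any poster in this thread), the Python below automates the two checks suggested above on the "Running processes:" section of a HijackThis log: it flags names one character away from a core system binary (svhost.exe versus svchost.exe) and system-binary names running outside %SystemRoot%\system32. The sample log is constructed; its last two process lines are invented to exercise the checks, and the trusted directory assumes a Windows 2000 %SystemRoot% of C:\WINNT as in the log posted earlier.

```python
# Core Windows binaries that email worms commonly imitate (constructed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe"}
# Where those binaries legitimately live on this host (assumes %SystemRoot% = C:\WINNT).
TRUSTED_DIRS = {r"c:\winnt\system32"}

# Constructed sample: real-looking lines plus two suspicious ones at the end.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\svhost.exe
C:\Documents and Settings\Administrator\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
"""

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_running_processes(log_text):
    """Return the process paths listed under the 'Running processes:' header."""
    paths, collecting = [], False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            collecting = True
        elif collecting:
            if not line.strip():
                break          # blank line ends the section
            paths.append(line.strip())
    return paths

def flag_suspicious(paths):
    """Return (path, reason) for look-alike names and misplaced system binaries."""
    findings = []
    for path in paths:
        directory, _, name = path.rpartition("\\")
        lname, ldir = name.lower(), directory.lower()
        if lname in SYSTEM_BINARIES:
            if ldir not in TRUSTED_DIRS:
                findings.append((path, "system binary name outside %SystemRoot%\\system32"))
        else:
            for known in sorted(SYSTEM_BINARIES):
                if edit_distance(lname, known) == 1:
                    findings.append((path, f"name is one edit away from {known}"))
                    break
    return findings
```

Each hit is a candidate to check against the real file on disk and to research by name, exactly as the advice above suggests; a clean run proves nothing on its own.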
 
According to the logs SPYBOT is loaded.
Do you really need the SMTP service?
 
Is this a public web server? If so, is port 25 open to the world? You might want to set your firewall to prevent access to the port if it is open, as the problem could simply be that someone is trying to use your server as a relay.
 
Thanks to everyone for their advice on this problem. I have now managed to resolve it.
Even though I had actually removed the worm itself, there were still thousands of emails in the queue folder which were getting sent to the badmail folder as soon as the mail server was restarted, making it appear that the virus was still active.

Thanks again
Nick

Nick (Webmaster)

 