BudMan (MVC), posted August 1, 2016:
^ All very true. In that case shut down Exchange. Any process ID sending email would be BAD, and you would kill that process, find out how it's loading, etc.
sc302 (Veteran), posted August 1, 2016:
Honestly, the best solution would be to restore or recreate the server from backup or from scratch. It may be less time consuming in the long run.
Bryan R. (Author), posted August 1, 2016:
16 minutes ago, sc302 said: "Honestly, the best solution would be to restore or recreate the server from backup or from scratch. It may be less time consuming in the long run."
If you look back, I also mentioned I tried doing a netstat on one of those source ports, 436xx. Nothing came up, though. I suspected that the process would start, make a bunch of connections within a second, then disappear.
sc302 (Veteran), posted August 1, 2016:
And if you understand the last post I made on the first page, netstat won't work. Netstat captures what is happening at the time of running the command. You need an ongoing log of what happened in the past and what is currently running. If anything, procmon would be the proper tool to use. If you were to use netstat, you would have to run that command every 5 seconds, put it into a log file, and try to compare the different processes running within those 5-second intervals to attempt to figure out which process it is. Dealing with worms in the past, they will jump processes: you kill the one host process, it will start up another completely different host process. It will keep doing this and you will never know what file or DLL is causing it, because netstat doesn't dig deep enough to inform you of the underlying files/programs that are running. Using netstat for this is like trying to use a fly swatter to catch and kill bed bugs.
BudMan (MVC), posted August 2, 2016:
Sending email takes longer than 5 seconds. While it's probably true what you saw in that program, trying to go back after the fact and see what process still had something open probably wouldn't work. And from your statement about random ports, you were probably looking at the output wrong, looking for destinations on those random ports. What you should have been looking for is processes making connections to destination port 25. This is the only way to send email. It's not sending email to some server and having that email server send it, so it has to use port 25; that is how mail moves about the internet from domain to domain. So looking at netstat for connections to 25 would have shown you the process. Now, it is true what sc302 says: this process might jump around and look like a different process. But it would have shown you what was open at the time of the command, and that could have given you clues to what to look for. You're not talking Stuxnet here; most of these things are very badly written.
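The two approaches above, sc302's "run netstat every few seconds into a log" and BudMan's "filter on destination port 25 and read off the owning process", combine naturally into one polling script. The following is an added example and is not code posted by anyone in the thread. It assumes Windows PowerShell run as Administrator on the suspect host; the 2-second interval and the log path under %TEMP% are arbitrary choices. On Server 2012 or later it uses Get-NetTCPConnection; on older hosts it falls back to parsing `netstat -ano`.

```powershell
# Added example, not from the thread. Polls outbound TCP connections whose
# remote port is 25 and logs the owning process each time, so a short-lived
# spammer process that a single netstat run would miss is still recorded.
# Run as Administrator in Windows PowerShell on the suspect host.

function Get-SmtpClientConnections {
    param([int]$RemotePort = 25)
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        # Server 2012+: structured objects, no text parsing needed
        Get-NetTCPConnection -RemotePort $RemotePort -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Local    = "$($_.LocalAddress):$($_.LocalPort)"
                    Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
                    State    = $_.State
                    OwnerPid = $_.OwningProcess
                }
            }
    } else {
        # Older servers (e.g. 2008 R2): parse 'netstat -ano -p tcp'.
        # Columns are: Proto  Local Address  Foreign Address  State  PID
        netstat -ano -p tcp | Select-Object -Skip 4 | ForEach-Object {
            $f = $_.Trim() -split '\s+'
            if ($f.Count -ge 5 -and $f[2] -match ":$RemotePort$") {
                [pscustomobject]@{ Local = $f[1]; Remote = $f[2]; State = $f[3]; OwnerPid = [int]$f[4] }
            }
        }
    }
}

$LogPath  = Join-Path $env:TEMP 'smtp-senders.log'   # assumed location, change as needed
$Interval = 2                                         # seconds between polls (arbitrary)
$seen     = @{}

Write-Host "Logging processes connecting to remote port 25 -> $LogPath (Ctrl+C to stop)"
while ($true) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    foreach ($c in Get-SmtpClientConnections -RemotePort 25) {
        # Resolve the PID immediately; the process may be gone a second later
        $proc = Get-Process -Id $c.OwnerPid -ErrorAction SilentlyContinue
        $wmi  = Get-WmiObject Win32_Process -Filter "ProcessId = $($c.OwnerPid)" -ErrorAction SilentlyContinue
        $line = "$stamp pid=$($c.OwnerPid) name=$($proc.Name) path=$($proc.Path) " +
                "state=$($c.State) $($c.Local) -> $($c.Remote) cmd=$($wmi.CommandLine)"
        Add-Content -Path $LogPath -Value $line
        # Shout once per new PID so a process that jumps to a new host process stands out
        if (-not $seen.ContainsKey($c.OwnerPid)) {
            $seen[$c.OwnerPid] = $true
            Write-Warning $line
        }
    }
    Start-Sleep -Seconds $Interval
}
```

On an Exchange server, EdgeTransport.exe (the Exchange transport service) is expected to appear here, since it legitimately delivers outbound mail on port 25; anything else making port-25 connections is the suspect. If the owner turns out to be a generic host such as svchost.exe or rundll32.exe, the PID and command line in the log are the starting point for Process Monitor or `tasklist /m`, which show the loaded modules that netstat, as sc302 notes, cannot. If only EdgeTransport.exe ever shows up, the spam is being relayed through Exchange itself and the message tracking logs are the next place to look.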
Bryan R. (Author), posted August 2, 2016:
Thanks for the clarification, guys. Postmortem is always easier, and I don't get much practice for this level of network analysis in the real-world SMB.
sc302 (Veteran), posted August 3, 2016:
On 8/1/2016 at 9:38 PM, Bryan R. said: "Thanks for the clarification, guys. Postmortem is always easier, and I don't get much practice for this level of network analysis in the real-world SMB."
Working for an MSP in multiple small to medium business environments, you wear a fire suit when you walk in the doors, because there is always a fire to put out. On-the-job training/learning happens daily and sometimes hourly.
Danielx64, posted August 4, 2016:
On 8/2/2016 at 6:13 AM, sc302 said: "Honestly, the best solution would be to restore or recreate the server from backup or from scratch. It may be less time consuming in the long run."
Adding to this, you don't know what else may be lurking in the server, waiting for a set time before it goes off.
Danielx64, posted August 4, 2016:
3 hours ago, sc302 said: "Working for an MSP in multiple small to medium business environments, you wear a fire suit when you walk in the doors, because there is always a fire to put out. On-the-job training/learning happens daily and sometimes hourly."
sc302 (Veteran), posted August 4, 2016:
Yea, I have walked into a few of those. I tripped on one of those cables and powered down the phone system once. The phone system was in the middle of the floor.
BinaryData, posted August 5, 2016:
Personally, I would've consulted BudMan/sc302 on nuking the server. You don't know what's on there, good or bad. It feels like a giant clusterfuk waiting to happen.