Compatible Support Forums
Myke

Unexplained SMTP Traffic via random TCP ports


We're experiencing unexplained SMTP traffic originating from one of our Windows XP SP2 PCs on our network. From monitoring the traffic, we've found that a random TCP port (usually starting in the 2100s and up to the 4300s, incrementing each time) is opened and SMTP traffic attempts to go outbound. We are not experiencing any unusual inbound traffic, though. About 30 seconds later, another TCP port (the number is slightly higher) is opened and attempts to do the same thing. After almost one minute of being open, the port closes. This is continuously occurring while the PC is turned on and repeats each day.

 

All virus definitions are completely updated and the PC has been scanned for viruses, which resulted in no detections. Many have suggested that it is a variant of the Sober virus, which it is not, as we have manually scanned the registry settings and such. We have also scanned the PC for spyware using multiple scanning programs. All unexplained outbound SMTP traffic is pointing to the same IP address (which resides in Texas). It almost seems like the PC is being used as a zombie in a DoS attack, but we have not been able to target the origin.

 

If anyone has any information that would relate to this incident, it would be greatly appreciated. Thanks in advance!

[Edited by Myke on 2005-05-25 14:34:52]

 


This could be a zombie machine, however, have you also included in your arsenal of tools any anti-spyware ?!?

 

I personally use the following suite of tools, Microsoft anti-Spyware BETA, Spybot Search & Destroy and AdAware PE along with NAV 2005.

 

I'm thinking this is some malware that was installed on that machine via some website.


Take the system off the network and scan it with the tools suggested by jmmijo. A HijackThis log file plus Google can help to find out what process(es) is/are causing this. And try Stinger.


Also try TaskInfo - this might give you a clue as to the running process and where it lives in the PC.

 

Also, if you install a firewall (just for the time being), it might be nice enough to say "XXXXX program is trying to access the internet". That's how you can find out the process name (which might work)...

 

Are you sure that it's SMTP and not SNTP? SNTP might be running off someplace to update your clock every 30 seconds (although it does use UDP, not TCP, and also tends to use port 123). It's still an option though.

 

S


We've run two separate anti-spyware programs, which have found nothing suspicious. We also have a personal firewall and a network firewall running, which have not caught anything either.

 

I double checked the log, and yes, it is SMTP traffic and not SNTP. I have also used HijackThis and Fport 2.0, but have not turned up anything either.

 

This has been going on for several months and we're getting kind of worried here. Thanks again for everyone's help so far. It's greatly appreciated.


Well you could look at the offending machine itself and see if there are any extra services running via the MMC.

 

Also, did somebody on this workstation set up any kind of POP2/SMTP server service perhaps ?!?


Yeah, we've checked the services and have found nothing that would indicate an SMTP server. The PC itself has not had an SMTP/POP2 server installed/running on it. We have, however, found some random services that were left running from previous programs that were installed, but those services have been disabled/removed from the system.


Found some more information that might help anyone who is looking for a solution with this.

 

Our ISA server claims that the outbound traffic is SMTP. After running Fport and various other scanning programs, the local machine claims that the open ports are UDP and TCP, starting with 1100 and rising until the machine reboots. Once the system is turned on again, the process starts opening the ports at 1100 again.

 

Hope this aids someone in helping me find an answer to this. Thanks again for the help thus far.
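The pattern Myke describes (one internal host making outbound connections to TCP/25 on a single external address roughly every 30 seconds, with the local port climbing each time) is easy to pull out of a perimeter connection log. The following is an added example, not from anyone in this thread; the log format and all addresses and ports in it are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample connection-log lines (not real traffic):
# date time src_ip src_port dst_ip dst_port protocol
SAMPLE_LOG = """\
2005-05-25 09:00:01 192.168.1.57 2101 203.0.113.10 25 TCP
2005-05-25 09:00:31 192.168.1.57 2102 203.0.113.10 25 TCP
2005-05-25 09:01:02 192.168.1.57 2103 203.0.113.10 25 TCP
2005-05-25 09:01:05 192.168.1.20 3310 198.51.100.5 443 TCP
2005-05-25 09:01:33 192.168.1.57 2104 203.0.113.10 25 TCP
2005-05-25 09:02:04 192.168.1.57 2105 203.0.113.10 25 TCP
2005-05-25 09:02:10 192.168.1.57 2106 198.51.100.8 80 TCP
"""

def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, sport, dst, dport, proto = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto,
        })
    return events

def find_beaconing_smtp(events, min_hits=4, period=30, tolerance=5):
    """Flag (src, dst) pairs with at least min_hits outbound TCP/25 attempts
    whose source ports rise monotonically and whose spacing stays within
    `tolerance` seconds of `period`. Returns one finding dict per pair."""
    by_pair = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 25:
            by_pair[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda e: e["ts"])
        ports = [h["sport"] for h in hits]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        climbing = all(b > a for a, b in zip(ports, ports[1:]))
        periodic = all(abs(g - period) <= tolerance for g in gaps)
        if climbing and periodic:
            findings.append({"src": src, "dst": dst, "count": len(hits),
                             "first_port": ports[0], "last_port": ports[-1],
                             "mean_gap": sum(gaps) / len(gaps)})
    return findings
```

A hit identifies the sending host and the remote address to block at the perimeter; pairing the timestamps with a process-to-port listing on the host (as the Fport suggestion above does) is what ties the traffic to a process.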

