HIVELOCITY VENTURES CORP Spamming

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • HIVELOCITY VENTURES CORP Spamming

    I've got a problem with HIVELOCITY VENTURES CORP. I think they send hundreds of emails from my server. Symantec doesn't seem to notice anything, but Network Monitor shows 69.46.19.47 sending emails away every couple of minutes from my server. I am running SBS2003 with Norton Antivirus Corporate 10, Ad-Aware and recently I have installed Spyware Doctor. Nothing is being detected.

    That's the list of my processes:

    wmic:root\cli>path win32_process get Caption,ExecutablePath
    Caption ExecutablePath
    System Idle Process
    System
    smss.exe
    csrss.exe C:\WINDOWS\system32\csrss.exe
    winlogon.exe C:\WINDOWS\system32\winlogon.exe
    services.exe C:\WINDOWS\system32\services.exe
    lsass.exe C:\WINDOWS\system32\lsass.exe
    svchost.exe C:\WINDOWS\system32\svchost.exe
    svchost.exe C:\WINDOWS\system32\svchost.exe
    svchost.exe C:\WINDOWS\system32\svchost.exe
    svchost.exe C:\WINDOWS\system32\svchost.exe
    ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    svchost.exe C:\WINDOWS\System32\svchost.exe
    dllhost.exe C:\WINDOWS\system32\dllhost.exe
    schedul2.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    DefWatch.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe
    dfssvc.exe C:\WINDOWS\system32\Dfssvc.exe
    dns.exe C:\WINDOWS\System32\dns.exe
    svchost.exe C:\WINDOWS\System32\svchost.exe
    mestrxsvc.exe C:\Program Files\GFI\MailEssentials\mestrxsvc.exe
    inetinfo.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe
    pds.exe C:\WINDOWS\system32\CBA\pds.exe
    llssrv.exe C:\WINDOWS\System32\llssrv.exe
    MsDtsSrvr.exe C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
    msmdsrv.exe C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
    sqlservr.exe C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe
    sqlservr.exe C:\Program Files\Microsoft SQL Server\MSSQL$BLUECOAT\Binn\sqlservr.exe
    sqlservr.exe C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
    sqlservr.exe C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
    ntfrs.exe C:\WINDOWS\system32\ntfrs.exe
    svchost.exe C:\WINDOWS\system32\svchost.exe
    ReportingServicesService.exe C:\Program Files\Microsoft SQL Server\MSSQL.1\Reporting Services\ReportServer\bin\ReportingServicesService.exe
    sbscrexe.exe C:\WINDOWS\System32\sbscrexe.exe
    OWSTIMER.EXE C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\OWSTIMER.EXE
    sqlagent.EXE C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
    sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    Rtvscan.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    svchost.exe C:\WINDOWS\System32\svchost.exe
    upsd.exe C:\Program Files\Belkin Bulldog Plus\upsd.exe
    wblogsvc.exe C:\Program Files\Microsoft Windows Small Business Server\monitoring\WbLogSvc.exe
    wins.exe C:\WINDOWS\System32\wins.exe
    bcserver.exe C:\FinPlan\Program\bcserver.exe
    tcpsvcs.exe C:\WINDOWS\system32\tcpsvcs.exe
    pop2exch.exe C:\Program Files\GFI\MailEssentials\pop2exch.exe
    HNDLRSVC.EXE C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
    MSGSYS.EXE C:\WINDOWS\system32\MsgSys.EXE
    IAO.EXE C:\WINDOWS\system32\ams_ii\iao.exe
    XFR.EXE C:\WINDOWS\system32\cba\xfr.exe
    exmgmt.exe C:\Program Files\Exchsrvr\bin\exmgmt.exe
    mad.exe C:\Program Files\Exchsrvr\bin\mad.exe
    msftesql.exe C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\msftesql.exe
    mqsvc.exe C:\WINDOWS\system32\mqsvc.exe
    mssearch.exe C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    SQLAGENT90.EXE C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\SQLAGENT90.EXE
    svchost.exe C:\WINDOWS\System32\svchost.exe
    ListServ.exe C:\Program Files\GFI\MailEssentials\ListServ.exe
    store.exe C:\Program Files\Exchsrvr\bin\store.exe
    emsmta.exe C:\Program Files\Exchsrvr\bin\emsmta.exe
    wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
    wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
    svchost.exe C:\WINDOWS\System32\svchost.exe
    dllhost.exe C:\WINDOWS\system32\dllhost.exe
    msdtc.exe C:\WINDOWS\system32\msdtc.exe
    alg.exe C:\WINDOWS\System32\alg.exe
    w3wp.exe c:\windows\system32\inetsrv\w3wp.exe
    w3wp.exe c:\windows\system32\inetsrv\w3wp.exe
    svcntaux.exe C:\Program Files\Spyware Doctor\svcntaux.exe
    swdsvc.exe C:\Program Files\Spyware Doctor\swdsvc.exe
    FileZilla Server.exe C:\Program Files\FileZilla Server\FileZilla Server.exe
    csrss.exe C:\WINDOWS\system32\csrss.exe
    winlogon.exe C:\WINDOWS\system32\winlogon.exe
    rdpclip.exe C:\WINDOWS\system32\rdpclip.exe
    explorer.exe C:\WINDOWS\Explorer.EXE
    TrueImageMonitor.exe C:\Program Files\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe
    TimounterMonitor.exe C:\Program Files\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe
    schedhlp.exe C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    PPScheduler.exe C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
    ccApp.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    FileZilla Server Interface.exe C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
    SDTrayApp.exe C:\Program Files\Spyware Doctor\SDTrayApp.exe
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    wuauclt.exe C:\WINDOWS\system32\wuauclt.exe
    CV.exe C:\Program Files\CommView\CV.exe
    MUPS.exe C:\Program Files\Belkin Bulldog Plus\MUPS.exe
    bcservman.exe C:\FinPlan\Program\bcservman.exe
    sqlmangr.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    Back2zip.exe C:\Program Files\Back2zip\Back2zip.exe
    vncviewer.exe C:\Program Files\RealVNC\VNC4\vncviewer.exe
    spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
    fxssvc.exe C:\WINDOWS\system32\fxssvc.exe
    cmd.exe C:\WINDOWS\system32\cmd.exe
    wmic.exe C:\WINDOWS\System32\Wbem\wmic.exe


    These are the logs from the Network Monitor:

    16/04/2007 17:21:32 192.168.1.1: 69.46.19.47/spm/s_report.php?task=3116&id=377512215670&errors[0]=24&errors[554]=2&errors[702]=13&err ...
    16/04/2007 17:21:33 192.168.1.1: 69.46.19.47/spm/s_alive.php?id=377512215670&tick=550380671&ver=206&smtp=ok
    16/04/2007 17:21:33 192.168.1.1: 69.46.19.47/spm/s_tasks.php?id=377512215670&ver=206


    My modem gets blocked every half an hour. When I log into the modem (2-Wire® 2700HG) it says

    Excessive sessions warning
    Error: The following devices on your network are using a large number of internet sessions.

    server01

    The most likely cause of this is a "blaster" type virus and we strongly recommend the devices above be scanned using anti-virus software

    Large numbers of sessions may also be created by applications or games installed on the device. If you believe this to be the case, select the box below to not be notified again.

    If you continue to see this page after closing all the open web browser windows please restart your computer.

    Any ideas, please?

  • #2
    Re: HIVELOCITY VENTURES CORP Spamming

    Are you running Exchange or plain SMTP? Is relaying enabled on your server? Do you know how to check for that?
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
    boche.net - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.



    • #3
      Re: HIVELOCITY VENTURES CORP Spamming

      That's the screen from Exchange Manager. In addition I want to say that we've got plenty of guys around the world using our Exchange through POP3.



      As you noticed, I don't have much experience with Exchange. We've only had it for 2 months.

      Thanks!



      • #4
        Re: HIVELOCITY VENTURES CORP Spamming

        And that's the Authentication screen from the Access tab, if it helps.



        Thanx!



        • #5
          Re: HIVELOCITY VENTURES CORP Spamming

          Is your Exchange server set to NOT relay?

          Have a look at this link

          http://www.petri.com/preventing_exch...m_relaying.htm

          Have you virus scanned every machine that connects to your server?

          Have you virus scanned your server?

          Have you checked all your machines for spyware?

          BTW I'd disconnect your modem from the internet until this issue is resolved.



          • #6
            Re: HIVELOCITY VENTURES CORP Spamming

            I have all the machines and the server scanned every day, sometimes twice a day. Two or three anti-spyware programs installed on every client...

            Can I block HIVELOCITY (69.46.19.47) using Exchange relaying? Or how can I set the appropriate setting to avoid my SMTP being used for spamming...



            • #7
              Re: HIVELOCITY VENTURES CORP Spamming

              Originally posted by kulatowski View Post
              I have all the machines and the server scanned every day, sometimes twice a day. Two or three anti-spyware programs installed on every client...

              Can I block HIVELOCITY (69.46.19.47) using Exchange relaying? Or how can I set the appropriate setting to avoid my SMTP being used for spamming...
              Did you have a look at the link I posted?

              This will show you how to setup your server NOT to relay/spam.



              • #8
                Re: HIVELOCITY VENTURES CORP Spamming

                I unticked Anonymous Access and left Basic Authentication with the default domain and Integrated Windows Authentication ticked. Restarted the SMTP service and the Exchange services. Shall I change anything in the Relay Restriction settings? I posted the screen this morning. As I mentioned, I am not really experienced in Exchange...

                Thanks



                • #9
                  Re: HIVELOCITY VENTURES CORP Spamming

                  I still get records in Network Monitor

                  http://69.46.19.47/spm/s_alive.php?i...er=206&smtp=ok
                  http://69.46.19.47/spm/s_report.php?...2215670&errors[0]=24&errors[702]=11&errors[703]=11&errors[709]=3&errors[710]=2&errors[712]=1&errors[716]=1&errors[718]=3&errors[719]=44

                  192.168.1.1 is my WAN and 192.168.1.2 is my LAN

                  thanks

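The Network Monitor lines in the first post and again in #9 are the same pattern: one host polling 69.46.19.47 under /spm/ every couple of minutes with a fixed id parameter, which is what a spam bot checking in with its controller looks like. The script below is an added example, not something posted in the thread; it parses lines in the format shown, groups requests by source, destination and bot id, and flags a group as beaconing when it keeps hitting those paths with no long gaps. The first three sample lines are copied from the first post (including the truncated one); the later polls and the unrelated request are constructed, and the thresholds and the readings of the three endpoint names are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# One Network Monitor line as posted: "DD/MM/YYYY HH:MM:SS <source>: <host>/<path>?<query>"
# (no scheme; the URL runs to the first space, so a truncated "... &err ..." still parses).
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}): (?P<url>\S+)"
)

# Paths the bot polled, as seen in the thread. The readings are assumptions:
# s_alive = check-in, s_tasks = fetch work, s_report = report delivery results.
SPM_ENDPOINTS = {"/spm/s_alive.php", "/spm/s_tasks.php", "/spm/s_report.php"}

# First three lines are from the thread; the rest are constructed to show repeated
# polling plus one unrelated request that must be ignored.
SAMPLE_LOG = """\
16/04/2007 17:21:32 192.168.1.1: 69.46.19.47/spm/s_report.php?task=3116&id=377512215670&errors[0]=24&errors[554]=2&errors[702]=13&err ...
16/04/2007 17:21:33 192.168.1.1: 69.46.19.47/spm/s_alive.php?id=377512215670&tick=550380671&ver=206&smtp=ok
16/04/2007 17:21:33 192.168.1.1: 69.46.19.47/spm/s_tasks.php?id=377512215670&ver=206
16/04/2007 17:23:35 192.168.1.1: 69.46.19.47/spm/s_alive.php?id=377512215670&tick=550380793&ver=206&smtp=ok
16/04/2007 17:23:35 192.168.1.1: 69.46.19.47/spm/s_tasks.php?id=377512215670&ver=206
16/04/2007 17:25:40 192.168.1.1: 69.46.19.47/spm/s_alive.php?id=377512215670&tick=550380918&ver=206&smtp=ok
16/04/2007 17:30:00 192.168.1.1: www.example.com/index.html
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit("http://" + m["url"])
    return {
        "ts": datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S"),
        "src": m["src"],
        "dst": parts.hostname,
        "path": parts.path,
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def report_counts(rec):
    """Pull the errors[<code>]=<n> counters out of a parsed s_report.php request."""
    counts = {}
    for key, value in rec["params"].items():
        m = re.fullmatch(r"errors\[(\d+)\]", key)
        if m and value.isdigit():
            counts[int(m.group(1))] = int(value)
    return counts


def find_beacons(lines, min_hits=3, max_gap_s=600):
    """Group /spm/ requests by (source, destination, bot id) and flag any group that
    keeps polling with no gap longer than max_gap_s. Thresholds are assumptions."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in SPM_ENDPOINTS:
            groups[(rec["src"], rec["dst"], rec["params"].get("id"))].append(rec)
    findings = []
    for (src, dst, bot_id), recs in groups.items():
        stamps = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(recs) >= min_hits and gaps and max(gaps) <= max_gap_s:
            findings.append({
                "src": src, "dst": dst, "bot_id": bot_id, "hits": len(recs),
                "paths": sorted({r["path"] for r in recs}),
                "max_gap_s": max(gaps),
                "first": stamps[0].isoformat(), "last": stamps[-1].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']} id={f['bot_id']}: {f['hits']} polls, "
              f"max gap {f['max_gap_s']:.0f}s, paths {', '.join(f['paths'])}")
```

Because the monitor in the thread logs the router address as the source, the finding names the NAT side, not the infected workstation; the same grouping run on a capture taken inside the LAN (or on the modem's per-device session table, which is what produced the "Excessive sessions" warning for server01) gives the actual host.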


                  • #10
                    Re: HIVELOCITY VENTURES CORP Spamming

                    Originally posted by kulatowski View Post
                    I unticked Anonymous Access and left the Basic Authentication with default domain and Integrated Windows Authentication ticked.
                    You should only do this if you don't need to receive external email.

                    I suspect that one of your LAN computers is compromised and is sending out tons of messages using Exchange as a relay. The computers in your domain can do this because they can successfully authenticate.
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com

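The relay question raised in #2 and #5, and the refinement in #10, come down to one SMTP exchange: does the server answer 250 or 550 to RCPT TO for an address it is not responsible for, and does that answer change once the session has authenticated? The Python below is an added example, not from the thread or the linked Petri article, that runs that probe. It stops at RSET and QUIT without ever sending DATA, so no message is queued. The scripted server, its domain, the user name and the password are constructed stand-ins so the demo runs offline; the four scenarios in demo() map to an open relay, a properly restricted server probed anonymously for an outside recipient and then a local one, and that same restricted server probed with valid domain credentials (the case #10 describes).

```python
import base64


class ScriptedSmtpServer:
    """Constructed in-memory mail server standing in for Exchange so the probe runs
    offline. It accepts mail for its own domains and relays for anyone else only if
    relay_for_anyone is set or the session has authenticated."""

    def __init__(self, relay_for_anyone, local_domains=("example.com",), users=None):
        self.relay_for_anyone = relay_for_anyone
        self.local_domains = {d.lower() for d in local_domains}
        self.users = users or {}      # username -> password (constructed)
        self.authenticated = False
        self.transcript = []          # both sides' lines, for inspection
        self._pending = [b"220 mail.example.com ESMTP ready\r\n"]

    def sendall(self, data):
        line = data.decode().rstrip("\r\n")
        self.transcript.append("C: " + line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            reply = "250-mail.example.com Hello\r\n250 AUTH PLAIN"
        elif verb == "AUTH":   # AUTH PLAIN <base64("\0user\0password")>
            _, user, pwd = base64.b64decode(arg.split(" ", 1)[1]).decode().split("\0")
            self.authenticated = self.users.get(user) == pwd
            reply = ("235 2.7.0 Authentication successful" if self.authenticated
                     else "535 5.7.3 Authentication unsuccessful")
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if domain in self.local_domains or self.relay_for_anyone or self.authenticated:
                reply = "250 2.1.5 Recipient OK"
            else:
                reply = "550 5.7.1 Unable to relay for " + addr
        elif verb == "RSET":
            reply = "250 2.0.0 Reset"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "500 5.5.1 Command unrecognized"
        self.transcript.append("S: " + reply.replace("\r\n", " / "))
        self._pending.append((reply + "\r\n").encode())

    def recv(self, n):
        return self._pending.pop(0) if self._pending else b""


def _read_reply(conn):
    """Read one SMTP reply, following 250-... continuation lines; return (code, text)."""
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        if buf.endswith(b"\r\n"):
            last = buf.decode(errors="replace").splitlines()[-1]
            if len(last) >= 4 and last[3] == " ":
                return int(last[:3]), buf.decode(errors="replace").strip()


def _cmd(conn, line):
    conn.sendall((line + "\r\n").encode())
    return _read_reply(conn)


def probe_relay(conn, recipient="nobody@somewhere-else.invalid", credentials=None,
                helo="relaycheck.invalid", sender="probe@relaycheck.invalid"):
    """Ask the server to accept a recipient and report whether it did. Stops at
    RSET/QUIT without DATA, so nothing is ever queued or delivered."""
    code, greeting = _read_reply(conn)
    if code != 220:
        raise RuntimeError("unexpected greeting: " + greeting)
    _cmd(conn, "EHLO " + helo)
    authenticated = False
    if credentials:
        blob = base64.b64encode("\0{}\0{}".format(*credentials).encode()).decode()
        authenticated = _cmd(conn, "AUTH PLAIN " + blob)[0] == 235
    _cmd(conn, f"MAIL FROM:<{sender}>")
    rcpt_code, rcpt_text = _cmd(conn, f"RCPT TO:<{recipient}>")
    _cmd(conn, "RSET")
    _cmd(conn, "QUIT")
    return {"accepted": rcpt_code == 250, "authenticated": authenticated, "rcpt_reply": rcpt_text}


def demo():
    """Open relay; restricted server probed anonymously for an outside and then a local
    recipient; restricted server probed with constructed domain credentials."""
    creds = ("DOMAIN\\workstation07$", "constructed-password")
    return {
        "open_relay": probe_relay(ScriptedSmtpServer(relay_for_anyone=True)),
        "locked_anonymous": probe_relay(ScriptedSmtpServer(relay_for_anyone=False)),
        "locked_local_delivery": probe_relay(ScriptedSmtpServer(relay_for_anyone=False),
                                             recipient="someone@example.com"),
        "locked_authenticated": probe_relay(
            ScriptedSmtpServer(relay_for_anyone=False, users=dict([creds])), credentials=creds),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:22} accepted={r['accepted']!s:5} auth={r['authenticated']!s:5} {r['rcpt_reply']}")
```

To run the same probe against a real server, pass `socket.create_connection((host, 25), timeout=15)` as `conn` instead of the scripted object. The "locked_local_delivery" case is why unticking Anonymous Access, as done in #8, is the wrong fix: a correctly restricted server still accepts anonymous mail for its own domains (otherwise external mail cannot arrive) while answering 550 for anything else; and the "locked_authenticated" case is the hole #10 points at, since a compromised domain machine that can authenticate is still allowed to relay.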


                    • #11
                      Re: HIVELOCITY VENTURES CORP Spamming

                      Originally posted by wullieb1 View Post
                      Have you virus scanned every machine that connects to your server?

                      Have you virus scanned your server?

                      Have you checked all your machines for spyware?
                      Which is why I asked the question earlier.



                      • #12
                        Re: HIVELOCITY VENTURES CORP Spamming

                        I installed firewalls on client machines and the spyware was blocked. My IT guy strongly advised against this, saying that the Windows built-in firewall is enough. He wants me to uninstall the firewalls now. What shall I do?

                        In fact I am having a bit of a problem with the configuration of firewalls, but I do not get blacklisted anymore.

                        thanks!



                        • #13
                          Re: HIVELOCITY VENTURES CORP Spamming

                          Maybe before doing anything here, the problem posted here should be rectified first. http://forums.petri.com/showthread.php?t=15380
                          1 1 was a racehorse.
                          2 2 was 1 2.
                          1 1 1 1 race 1 day,
                          2 2 1 1 2



                          • #14
                            Re: HIVELOCITY VENTURES CORP Spamming

                            Originally posted by kulatowski View Post
                            I installed firewalls on client machines and the spyware was blocked. My IT guy strongly advised against this, saying that the Windows built-in firewall is enough. He wants me to uninstall the firewalls now. What shall I do?

                            In fact I am having a bit of a problem with the configuration of firewalls, but I do not get blacklisted anymore.

                            thanks!
                            You need to get rid of the spyware infection first and foremost.



                            • #15
                              Re: HIVELOCITY VENTURES CORP Spamming

                              I got rid of everything. Now I am removing my IP from blacklists. Shall I uninstall firewalls?

