Howard,

These are always blended threats.  You were hacked through another mechanism and through that mechanism this file was placed on your system.  There's a 99.9% chance that your server is still hacked and that this program can be placed there again, or might even appear automatically at your next reboot.

You are running an insecure version of IMail, and this is the most likely way that you were hacked.  You need to be on 8.22 with the latest hotfix or 9.1 and above.

In the meantime, you should firewall your server so that only the minimum necessary ports are open.  This can inhibit the botnet owners from controlling you and it will most likely stop what is going on since they use automation to control their zombies, but that certainly wouldn't mean that you are safe.

Once hacked, the best advice is always to reformat and reinstall, plus immediately change all administrator passwords everywhere on your network and break all network shares from the hacked box to others.  Keep a unique password on the hacked box until you have rebuilt it.

While it is possible that one could fully remove all elements of a hack, it is neither likely nor safe to assume that you could, and it generally takes more hours to fiddle with things rather than format and rebuild it.  Also, until you upgrade to a non-hackable version, you are at risk of being re-hacked, so there is no sense in rebuilding until then.  The only way to protect an older version of IMail from these exploits is to firewall it and place the SMTP service behind a proxy that won't forward the exploitable commands.  It is of course easier just to upgrade, and at least 8.22 with the latest hotfix is very solid and not that much different from 8.15 on the surface, however Declude will need to be upgraded to version 3 or 4.

Sorry for the grim outlook, but it is all good advice.

Matt



Howard Smith (N.O.R.A.D.) wrote:

The file location is C:\WINNT\system32\ssm.exe – 118kb date 02/05/7 2:45

Howard Smith

N.O.R.A.D. Inc.

P.O. Box 680116

Miami, Florida 33168                 

www.norad.com

[EMAIL PROTECTED]

Office - (305) NETWORK (638-9675)

Sales - (786) 206-0045

Fax 1 - (305) 359-5144

Confidentiality Notice: This email message, including any Attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact  [EMAIL PROTECTED] by email and destroy all copies of the original message.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (lists)
Sent: Wednesday, February 07, 2007 8:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Need help - mail server sending out stock reports email

Going aGoogling found that the Intel LANDesk uses a file called ssm.exe and there are a couple of programs listed as monitors using it, so be careful before just deleting that file.

Exactly where was the file?

Since Howard is running IMail 8.15 this means that his server has been compromised à la the SMTP vulnerability that is fixed only in 8.22 (patched) and 9.1. So, it is not a virus that would be found by F-Prot or Symantec, but a server hijack or compromise.

John T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Justin Moose
Sent: Wednesday, February 07, 2007 3:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Need help - mail server sending out stock reports email

I called Howard on this, but for everyone else's info, if you are seeing this, look for ssm.exe to be a running process.  I found this on an IMail server that I administer for another company this morning.  The file was showing processing time in the task manager and showed up on the Services list as Security Systems Manager, but the file had a modified date of 2/5/07 and no updates had been done on that server for over a week.  Stopping this service stopped the junk messages from going out.

Neither F-Prot nor Symantec showed this file as a virus; however, I did submit it to Symantec for analysis.

Justin Moose
Information Technology Manager
Sioux Valley Energy
DID: (605) 256-1644
Fax: (605) 256-1690
Toll Free: (800) 234 1960
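An added PowerShell check, not from this thread or from Declude or IMail, that hunts for the indicators Justin describes (a running ssm.exe, a service registered under a name like "Security Systems Manager", and a recently modified copy in System32) and records a hash to hand to the AV vendor. It assumes a current Windows host with PowerShell 5.1 or later; the 2007-era servers in this thread predate these cmdlets, and the service name and seven-day window are taken from Justin's report as defaults you should adjust.

```powershell
# Added defender-side check (not from the thread): look for the symptoms Justin
# describes - a running ssm.exe, a service whose display name or image path
# points at it, and a binary in System32 modified inside a window with no
# known patching. Assumes PowerShell 5.1+ on the mail server.
param(
    [string]$BinaryName  = 'ssm.exe',
    [string]$ServiceHint = 'Security Systems Manager',
    [int]   $RecentDays  = 7      # Justin's box had not been patched for over a week
)

$findings = [System.Collections.Generic.List[string]]::new()
$baseName = [IO.Path]::GetFileNameWithoutExtension($BinaryName)

# 1. Is the binary a running process? Record the image path, not just the name.
Get-Process -Name $baseName -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("process PID $($_.Id) running from $($_.Path)") }

# 2. Is there a service whose display name or image path refers to it?
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like "*$ServiceHint*" -or $_.PathName -like "*$BinaryName*" } |
    ForEach-Object {
        $findings.Add("service '$($_.Name)' ($($_.State)) -> $($_.PathName), start=$($_.StartMode)")
    }

# 3. Does the file sit in System32, and was it written inside the patch-free window?
$sys32 = Join-Path $env:SystemRoot "System32\$BinaryName"
if (Test-Path $sys32) {
    $f    = Get-Item $sys32
    $age  = (Get-Date) - $f.LastWriteTime
    $hash = (Get-FileHash -Algorithm SHA256 -Path $sys32).Hash   # send this to the AV vendor
    $findings.Add("file $sys32 size=$($f.Length) modified=$($f.LastWriteTime) sha256=$hash")
    if ($age.TotalDays -le $RecentDays) {
        $findings.Add("file was modified within the last $RecentDays days; check it against your change log")
    }
}

if ($findings.Count -eq 0) {
    "No indicator of $BinaryName found on $($env:COMPUTERNAME)"
} else {
    "Indicators found on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { " - $_" }
}
```

A hit on step 2 with a start mode of Auto is the reboot-persistence Matt warns about; stopping the service, as Justin did, removes the symptom but not the foothold that installed it.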

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard Smith (N.O.R.A.D.)
Sent: Wednesday, February 07, 2007 4:24 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Need help - mail server sending out stock reports email

Running IMail 8.15, Sniffer and Declude. Starting on 2/6/7 my mail server started sending out the stock reports email, even when I stop the IMail SMTP process; nothing is in the IMail logs indicating problems. I have run full scans with F-Prot and Symantec.

Need help please, I have already made the SpamCop blacklist.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.