Port 25 violation

Apr 3, 2000
83
0
0
I have a small home wireless network, and recently had Comcast turn off port 25 on my cable modem for a supposed spam violation. On the wireless side, I run an access list to limit access to my network. The other 5 devices are hard wired.

I have 6 computers in my household and have run AVG on all 6 with no errors reported. I also run Microsoft Antispyware on all devices with no errors reported. At Comcast's request, I downloaded Stinger and ran it on all 6 devices with no problems.

Comcast offers the McAfee suite for free, so I downloaded and installed
McAfee Antivirus
McAfee Privacy
McAfee My Security Service
McAfee Personal Firewall

Again they all ran clean.

I called Comcast and they turned port 25 back on and could not tell me what the issue was.

Looking for some help in diagnosing what the problem is.

Any help would be appreciated.

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
From your description of it all, it sounds like one of the following:

1) one or more computers are infected with something that neither McAfee nor AVG detect (try F-Secure BlackLight to check for rootkits)

2) all your computers are clean, but someone else has managed to piggyback onto your router despite your puny access list (enable at least WEP encryption, preferably WPA if the router and PC support it)

3) one or more of your computers, or a piece of network equipment such as your router, is sending large amounts of SMTP traffic for some alternate reason (sending logs or whatnot)

4) Comcast is smokin' crack
 
Jun 4, 2005
19,723
1
0
Originally posted by: mechBgon
From your description of it all, it sounds like one of the following:

2) all your computers are clean, but someone else has managed to piggyback onto your router despite your puny access list (enable at least WEP encryption, preferably WPA if the router and PC support it)

4) Comcast is smokin' crack

Those sound pretty likely.

Question to OP, is your wireless network encrypted?
 
Apr 3, 2000
83
0
0
I am currently not running encrypted. I live in an older residential neighborhood.
I periodically look at the attached devices on my router (2-3 times per day at different times of the day) and have never noticed any unknown user in my attached device list.

I am also running a static IP address and have dhcp turned off.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: flylikeaneagle
I am currently not running encrypted. I live in an older residential neighborhood.
I periodically look at the attached devices on my router (2-3 times per day at different times of the day) and have never noticed any unknown user in my attached device list.

I am also running a static IP address and have dhcp turned off.
If someone spoofs the MAC address of one of the authorized devices, then naturally their unauthorized device would appear to be one of your own. I could be wearing my tinfoil deflector beanie too tight again, but I'd add encryption.

 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
What kind of router do you have? It would be useful to run a packet sniffer to see if one of your machines really is producing SMTP traffic.
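Atheus's suggestion can be taken one step further once you have a capture or connection log in hand. The script below is an added example, not code from the thread or from any poster: it reads a constructed connection log (the column layout is an assumption made for the example, not any router's real export format) and flags a host that is talking SMTP to many unrelated servers or uploading far more than it downloads, which is how a mail-relaying bot looks from the router's side even when every scanner on the PC reports clean.

```python
"""Score per-host SMTP behaviour from a connection log (added example).

Input format (constructed for this example, one connection per line):
    timestamp src_ip dst_ip dst_port bytes_out bytes_in
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 192.168.1.10 plays the role of the compromised PC:
# it sends mail directly to several unrelated servers and uploads far more
# than it downloads. The other two hosts behave like ordinary home machines.
SAMPLE_LOG = """\
# 192.168.1.10: SMTP to four unrelated servers, heavy upload
2006-03-18T09:00:01 192.168.1.10 203.0.113.5 25 48210 1320
2006-03-18T09:00:04 192.168.1.10 203.0.113.9 25 51000 1400
2006-03-18T09:00:09 192.168.1.10 198.51.100.77 25 47500 1290
2006-03-18T09:00:15 192.168.1.10 198.51.100.23 25 50320 1350
2006-03-18T09:01:02 192.168.1.10 192.0.2.14 80 900 12000
# 192.168.1.20: ordinary browsing plus one message through the ISP relay
2006-03-18T09:02:10 192.168.1.20 192.0.2.50 80 1500 240000
2006-03-18T09:02:40 192.168.1.20 192.0.2.51 443 2200 180000
2006-03-18T09:03:05 192.168.1.20 203.0.113.100 25 6000 800
# 192.168.1.30: browsing only
2006-03-18T09:04:00 192.168.1.30 192.0.2.52 80 1200 96000
"""


@dataclass
class HostStats:
    """Per-source-host counters accumulated from the log."""
    smtp_connections: int = 0
    smtp_destinations: set = field(default_factory=set)
    bytes_out: int = 0
    bytes_in: int = 0


def parse_line(line):
    """Split one constructed log line into (src, dst, port, bytes_out, bytes_in)."""
    _ts, src, dst, port, b_out, b_in = line.split()
    return src, dst, int(port), int(b_out), int(b_in)


def aggregate(log_text):
    """Aggregate SMTP connection counts and byte totals per source host."""
    stats = defaultdict(HostStats)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, b_out, b_in = parse_line(line)
        host = stats[src]
        host.bytes_out += b_out
        host.bytes_in += b_in
        if port == 25:
            host.smtp_connections += 1
            host.smtp_destinations.add(dst)
    return dict(stats)


def suspicious_hosts(stats, max_smtp_destinations=1, max_out_in_ratio=3.0):
    """Return {host: [reasons]} for hosts that look like mail relays.

    A home PC normally hands mail to a single provider relay and downloads
    far more than it uploads. Mail-sending malware talks port 25 to many
    recipient servers directly and pushes out more bytes than it pulls in.
    Thresholds are example defaults, not tuned values.
    """
    flagged = {}
    for host, h in stats.items():
        reasons = []
        if len(h.smtp_destinations) > max_smtp_destinations:
            reasons.append(
                f"SMTP to {len(h.smtp_destinations)} distinct servers "
                f"({h.smtp_connections} connections)"
            )
        if h.bytes_in and h.bytes_out / h.bytes_in > max_out_in_ratio:
            reasons.append(f"out/in byte ratio {h.bytes_out / h.bytes_in:.1f}")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in suspicious_hosts(aggregate(SAMPLE_LOG)).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only 192.168.1.10 is reported, on both counts. The host that sent one message through its ISP's relay is left alone, which is the point of keying on distinct destination count rather than on "any port 25 traffic at all".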
 
Apr 3, 2000
83
0
0
I also recently reflashed my router to the newest version when the problems were brought to my attention last week by Comcast.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Originally posted by: flylikeaneagle
I also recently reflashed my router to the newest version when the problems were brought to my attention last week by Comcast.

Well, an easy, quick solution is simply to turn on WPA2. (You can get XP to support this with a simple update from support.microsoft.com.) It should take all of 20 minutes or so for all of your wireless machines, and would completely remove, for the most part, any chance of someone hacking your system via the wireless interface.

Then you only have to worry about what programs people are running on their machines. Port 25 is SMTP relays, right?
 
Apr 3, 2000
83
0
0
I turned on 128 bit encryption on the router.
I was hesitant, since the only device that regularly uses wireless (that I am aware of) is an old laptop in my kitchen.

I do not think it was an issue with the wireless though, but that crosses it off the list of potential problems.

Is it possible someone was taking control of a PC on my network and forwarding mail through it?

I am grasping at straws.

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Is it possible someone was taking control of a PC on my network and forwarding mail through it?
It could be the case, yeah. Did you try the F-Secure Blacklight rootkit detector yet? It's small, and quick to run.

Other than that, I could also suggest you try Kaspersky's free online antivirus scanner, since they're highly regarded for strong detection capabilities. http://usa.kaspersky.com/services/free-virus-scanner.php

You could also post HijackThis logs from the six computers for analysis, and heave them into http://hijackthis.de for analysis yourself. If you have a rootkit, then it won't likely find whatever is being hidden, but could still be useful. HijackThis.de has a download link for HJT if you want to try that.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: mechBgon
I could be wearing my tinfoil deflector beanie too tight again, but I'd add encryption.
Additionally, most people prefer that strangers not be able to see what they type when giving their usernames/passwords on their email and banking accounts. Without encryption, anything you type is instantly readable by anybody in antenna range, if they care to read it.

Now that you've enabled encryption, I'd recommend changing any passwords that you've ever typed on a wifi connection at your home.
 
Apr 3, 2000
83
0
0
My daughter's machine is the machine that I believe is the problem. This is a machine that has the current XP patches etc....

AVS caught and supposedly cleared a virus (did not record which type) about two weeks ago. The warnings from Comcast came shortly after. After Comcast reported the issue I removed AVG and Virus Vault on all machines, and downloaded McAfee on all machines, which is free from Comcast.

When I was looking at the Personal Firewall program on her machine, it was showing almost 800 attempted inbound accesses, while all other machines were showing none.
Upon further investigation, when looking at the traffic monitor built into McAfee, it showed that a Windows NT Logon application was running. When I checked that program it showed 25 IPs currently attached to it.

There is a trace program available and it showed they were from all over the globe.
India, Beijing, Russia, etc.

I manually blocked all of the IP's that were attached.

I disabled the Windows NT Logon application's access to the internet. I also shut down port 25 on her machine.

I guess I am wondering why none of the programs I am using caught this flaw.

I have only had the McAfee running on her machine for 3 days total, and it showed

334Meg inbound and 2.7 gig outbound.

Meanwhile, my machine which I use pretty heavily shows

227MB inbound
15MB outbound.

I have since downloaded BlackLight on her machine and it runs clean.
I then downloaded Kaspersky on her machine also.

I found the following on her machine that McAfee and AVG did not.

Trojan.WIN32.CRYPT.O
Exploit HTML.MHT

After running the Kaspersky, it identifies the problem, but I could not find the avenue for removal.

Any help would be appreciated.

 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
This is why I don't trust Spyware and Trojan removal programs to completely remove malware infections. If a client has an infection, my first recommendation is to back up the data (which should be happening anyway), and re-install the Operating System.

Unless you are an absolute expert (and, maybe, not even then), it's REALLY tough to know if everything has been removed. Sure, you can get the obvious popup stuff. But those aren't the dangerous ones. The dangerous ones DON'T make their presence known, because they have a job to do and they don't want to be flashy.

The most effective course of action (and least-time-consuming over the long run):
1) Back up your important data. You SHOULD have backups anyway. Hard drives fail ALL THE TIME.
2) Reinstall your OS and your applications.
3) Install Antivirus and a single active Antispyware application. I recommend MS Antispyware, since it's free and works fairly well. Keep your AV and A-Spyware definitions current.
4) If you are using XP, be SURE to update to SP2 and keep the firewall ON.
5) Create a Limited-Privileges account (Limited User in Windows XP) and USE IT. Do NOT use your computer with an account that has Administrator rights. It's asking for trouble.
6) Learn the rules of safe web surfing so you won't have any more problems.


For children, you can use tools like
Microsoft's Shared Computer Toolkit for Windows XP
to keep the computer from being contaminated in the future.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
That's my preference too, back up the important stuff and then Drop The Bomb On It. Then you're sure. :evil:

In the future, you may want to give your daughter a Limited user account, rather than a full Admin account. It sounds like you have an above-average ability for learning new security techniques, so give that some thought. mech's brief writeup of Limited accounts.

A Limited account is a strong safety net and reinforcement against lots of kinds of malware that can't put down roots without full Admin power being available. The downside is that many software programs freak out and won't run, or won't run properly, under a Limited account. But you may be able to overcome that; I put some of the easy things to try on this page.

If you aren't ready to nuke the system, then you could uninstall McAfee and install a 30-day trial of Kaspersky Antivirus Personal 5, update it, reboot, then configure it as shown in this movie clip, reboot again and go into Safe Mode, and then do a full scan in Safe Mode. Safe Mode is preferable when you're up against tough stuff.
 

LiLithTecH

Diamond Member
Jul 28, 2002
3,105
0
0
You may also want to ask Comcast for the offending IP address.
(after all, they are COMCASTIC!)
 
Apr 3, 2000
83
0
0
I wish they were more responsive.
I e-mailed them back after they shut me down, and 5 days later still no response.

I then called the 800 number, which requests that you e-mail for a quicker response.
They claim 24 hour response, I left my cell phone number, and 36 hours later they called my home number when I was not at home.

They did turn on port 25 again, but shut it down again Saturday morning, which was prior to my discovery of the attached devices on her system.

I located the problem in the registry, but I am not sure I am brave enough to try to manually remove it.

 

CrispyFried

Golden Member
May 3, 2005
1,122
0
0
You can export the registry, then delete the offending item. If something goes wrong, import it back. Or make a System Restore Point.

That isn't totally foolproof though; even after doing the export and restore point you can bork the system up to the point of not being able to boot.

With the amount of problems that machine seems to have, I'd nuke it and reinstall XP myself though. If that machine is compromised they can attack your other computers on the network from that one.
 
Apr 3, 2000
83
0
0
Originally posted by: RebateMonger
This is why I don't trust Spyware and Trojan removal programs to completely remove malware infections. If a client has an infection, my first recommendation is to back up the data (which should be happening anyway), and re-install the Operating System.

Unless you are an absolute expert (and, maybe, not even then), it's REALLY tough to know if everything has been removed. Sure, you can get the obvious popup stuff. But those aren't the dangerous ones. The dangerous ones DON'T make their presence known, because they have a job to do and they don't want to be flashy.

I am thinking about doing what you are describing here; my only fear is that if I remove McAfee, it will disable all of the blocking I have enabled with Personal Firewall.

Any thoughts?

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
If you completely delete and reinstall the entire Windows XP installation, then yeah, McAfee and everything else will be gone. But so will your pet malware.

Since Kaspersky has discovered something that McAfee and AVG didn't, you could also remove the McAfee suite, then install, update and configure a 30-day trial version of Kaspersky AntiVirus Personal 5, then start the system in Safe Mode and scan. I've got a link to the trialware, and configuration details, on this page. After installing, update it, then reboot, then configure it as shown (there's a reason for going in this order). After configuration, now reboot into Safe Mode and then scan.

Kaspersky may already be giving you alerts before you're done with the preparations, but wait until you're in Safe Mode to drop the hammer on the malware.

Do not run Kaspersky in conjunction with the McAfee suite, as they may clash. While you're in Safe Mode, you might also try this, though: text file with instructions. This runs a special manual McAfee scanner with the very latest up-to-the-hour definitions, and with all its optional capabilities switched on. Does not need formal installation, just follow the instructions.
 
Apr 3, 2000
83
0
0
Thanks, I was referring to just removing McAfee and trying to fix it with Kaspersky without an XP reload.
Looking for the easy way out, but probably need to back up her stuff and go with the scorched earth method.

 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
The basic problem:
Your daughter ran a program that opens a port, essentially, in your router's firewall (SPI, naturally, so incoming things can come in when welcomed like that). Anyone knowing how to get to the machine or anyone who can get to the IP address she's registering with can get to your machine, so individually blocking IP addresses is a waste of time.

The solution: Format the drive, then keep Windows Defender and an antivirus product running at all times. Remove administrator access from your daughter and anyone else - unless installing new programs.

The problem with even safe-mode scanners nowadays: Intelligent malware can add itself to the safe-mode boot, so that they're running and masking themselves, even in 'just' safe mode. You can go to HKLM/System/CCS/Control/Safeboot and look in there for what would happen in a safe-boot scenario. In short, once you're infected with the worst of these exploits, you're really infected.
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
Once compromised, a machine should never again be trusted. Take your chances at home I guess, but I come from the enterprise world where you format such things.
 