Author Topic: How do I find this virus?  (Read 711 times)

0 Members and 1 Guest are viewing this topic.

Offline tsc_chazz

  • Newbie
  • *
  • Posts: 5
How do I find this virus?
« on: June 11, 2022, 07:02:47 PM »
Background: I run my own mail server, and I have a small number of clients who use it for their email.

Two of my clients currently are infected with something that hammers my mail server, two or three outgoing mail message attempts per second, as long as they are on line. Sending is not successful because the server requires authentication and the virus does not seem to be able to scrape authentication settings from Thunderbird, but the mail server does drop into rate limiting and prevent real emails from being sent.

I have access to one of the clients, and have not found anything that will remove the virus or even detect it, including Avast Free boot-time scans and everything that could be suggested on the Bleeping Computer forums. A check with a network monitoring tool show that the connections to the mail server are being made from a process with PID 0, the system idle process. The other client has run several Avast clean cycles, both standard and boot-time, and has found and removed several other viruses, but attacks on my server continue.

How do I go about removing this virus, or extracting enough of it so that it can be identified and added to the list of known viruses?

Offline Asyn

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 76213
  • Urlaub/Vacation
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: How do I find this virus?
« Reply #1 on: June 12, 2022, 12:19:24 PM »
-> Avast Hack-Check: https://www.avast.com/hackcheck
W8.1 [x64] - Avast PremSec 22.7.7366.BC [UI.713] - Firefox ESR 91.11 [NS/uBO/PB] - Thunderbird 91.11
Avast-Tools: Secure Browser 103.0 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline tsc_chazz

  • Newbie
  • *
  • Posts: 5
Re: How do I find this virus?
« Reply #2 on: June 12, 2022, 05:40:22 PM »
That would tell me if the email password has been leaked, but my working assumption at the moment is that if it has, it's irrelevant here because the virus doesn't know it.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33668
  • malware fighter
Re: How do I find this virus?
« Reply #3 on: June 12, 2022, 11:51:40 PM »
Exchange scan failed to load? Mail flow problems while malare scanning stays enabled?
Else you could extend the server reaction time, so redirections cannot occur.
Perform a pmx-test.
Do you work 2 av solutions, as that is bad practice.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline tsc_chazz

  • Newbie
  • *
  • Posts: 5
Re: How do I find this virus?
« Reply #4 on: June 13, 2022, 12:40:23 AM »
No Exchange scan, my mail server is Sendmail on Linux. I have Sendmail configured to use SASL for SEBD AUTH, Server-side malware scan would be pointless as the mail originating on the infected machine does not authenticate and so is never accepted. However, as mentioned, the infected machines do make so many connections so quickly that the server goes into rate limiting, refusing additional connections from that IP, and the real connections are not accepted either. Only AV solution on the infected machine at the moment is Avast; I have put some static cleaners under guidance from Bleeping Computer, but have disconnected from the internet and disabled Avast while they were running.