0

I have a couple of clients running Windows 10 using my Sendmail server. I don't have immediate access to one of them, but the other is my wife. Starting two days ago, when my wife turns on her laptop, my mail server immediately blocks our entire home network - rate limiting. I've put an Untangle firewall into our home network, and found that in fact it is her laptop, trying to communicate with Port 25 on my mail server (only), about 20-100 connection attempts per minute. I'm guessing it's trying to send spam via my mail server. No actual spam has been sent because, while the malware has been able to retrieve the server name from her mail config, it has not retrieved credentials, and the mail server requires credentials for relaying. None of the malware scanners I have access to have found it, and the volunteers at Bleeping Computer have also come up empty. So I have to find this myself.

So I guess the main question is: On Windows 10, is there any way to know which application is connecting to a specified external port (in this case 25) in real-time, or record who's asking for connections to port 25? Because this thing is opening the port, blindly slapping something through it, and closing it; it's not holding things open for any length of time, and the firewall logs indicate that it's using a different high-number port for each outbound attempt.

tsc_chazz
  • 136
  • 2
  • 1
    Does this answer your question? [How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?](https://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit) – Moab Nov 12 '21 at 22:55
  • @Moab In general those are good tips, and I would follow them if it was at all messier than what I'm seeing. I will be dealing with this using the "removed disk" technique, or something similar - it's hard to mount NVme as external - but since its impact seems to be limited to SMTP spamming, once I've identified it I should be able to clean it relatively simply. If that doesn't work, then scorched earth it is. – tsc_chazz Nov 12 '21 at 23:04

1 Answer

0

Open the start menu. Type cmd. Right-click the Command Prompt and choose "Run as administrator". Then use the command `netstat -ab`. It will show a list of opened ports and the filenames of the programs that are using them.

If you prefer a GUI version, look at CurrPorts.

To get rid of the malware download, install and run MalwareBytes (the free version) from https://www.malwarebytes.com/

Gantendo
  • 4,615
  • 1
  • 18
  • 30
  • Since the app opens the port, slaps a message out, and closes the port again, having the port open maybe 1% of the time, I doubt that I'd be able to catch it with a single netstat invocation, or even a hundred... and doesn't netstat show the ports on the Windows end? It's the server end where I know the port number; the Windows end it's a random high-numbered private port. And if Bleeping Computer's FRST couldn't find the malware, and Avast can't, I doubt MalwareBytes can. – tsc_chazz Nov 12 '21 at 20:50
  • @tsc_chazz CurrPorts has an automatic refresh mode. MalwareBytes is pretty good (unlike Avast...). – Gantendo Nov 12 '21 at 20:57
  • Avast is pretty good also - granted, the review page I've seen puts MalwareBytes ahead of it, but they're 1 and 2. BC does recommend MalwareBytes, but only if they find something in FRST that they don't think they can clean, and FRST found nothing. I'll try MalwareBytes this evening when I get back home, but I don't expect that to find anything based on what I've tried so far. – tsc_chazz Nov 12 '21 at 21:15
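The objection in the comments is valid: `netstat` and `Get-NetTCPConnection` only report sockets that exist at the instant they run, so a process that opens a connection to port 25, writes a few bytes and closes it will almost never be caught by polling. The durable way to answer the question ("record who's asking for connections to port 25") is to turn on Windows Filtering Platform connection auditing, which writes Security-log event 5156 (permitted) or 5157 (blocked) for every connection decision, including the full path of the requesting executable. The following script is an added example, not part of the question or the answer; `auditpol`, the "Filtering Platform Connection" subcategory, event IDs 5156/5157 and the `Get-WinEvent`/`Get-NetTCPConnection` cmdlets are standard Windows 10 features, while `Get-OutboundPortAttempts` and `Watch-OutboundPort` are names assumed for this example. Run it from an elevated PowerShell prompt on the suspect laptop.

```powershell
# Added example (not from the question or the answer): find the process behind
# short-lived outbound connections to a given TCP port on Windows 10 by using
# Windows Filtering Platform (WFP) audit events in the Security log.
# Requires an elevated (Administrator) PowerShell session.

# Step 1: enable auditing of WFP connection decisions. From now on every
# permitted connection logs event 5156 and every blocked one logs 5157, each
# carrying the requesting application's path, so a connection that lives for
# only milliseconds still leaves a record.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# Step 2: query the Security log for WFP events whose destination port matches.
# Function and parameter names are this example's own, not built-in cmdlets.
function Get-OutboundPortAttempts {
    param(
        [int]$RemotePort = 25,
        [int]$LastMinutes = 60
    )
    # Filter inside the event log query: timediff() is the event log's own XPath
    # function (milliseconds since the event), and DestPort is the EventData
    # field name used by events 5156/5157.
    $ms = $LastMinutes * 60 * 1000
    $xpath = "*[System[(EventID=5156 or EventID=5157) and " +
             "TimeCreated[timediff(@SystemTime) <= $ms]] and " +
             "EventData[Data[@Name='DestPort']='$RemotePort']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Read the EventData fields by name rather than by position.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Decision    = if ($_.Id -eq 5156) { 'permitted' } else { 'blocked' }
            # WFP stores the direction as a message-table reference:
            # %%14592 = Inbound, %%14593 = Outbound. The raw value is kept too.
            Direction   = if ($d['Direction'] -eq '%%14593') { 'outbound' } else { 'inbound' }
            RawDir      = $d['Direction']
            ProcessId   = $d['ProcessID']
            Application = $d['Application']   # device path of the executable
            Source      = "$($d['SourceAddress']):$($d['SourcePort'])"
            Destination = "$($d['DestAddress']):$($d['DestPort'])"
        }
      } | Where-Object { $_.Direction -eq 'outbound' }
}

# Summary view: which executable is responsible, and how often.
Get-OutboundPortAttempts -RemotePort 25 -LastMinutes 60 |
  Group-Object Application |
  Sort-Object Count -Descending |
  Select-Object Count, Name

# Detail view: the individual attempts, newest first.
Get-OutboundPortAttempts -RemotePort 25 -LastMinutes 60 |
  Select-Object Time, Decision, ProcessId, Application, Source, Destination -First 20 |
  Format-Table -AutoSize

# Step 3 (optional): live cross-check. This polls the socket table, which can
# miss very short connections, so it only confirms that a PID named by the
# audit log is still the one opening sockets right now.
function Watch-OutboundPort {
    param([int]$RemotePort = 25, [int]$Seconds = 60)
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Get-NetTCPConnection -RemotePort $RemotePort -ErrorAction SilentlyContinue |
          ForEach-Object {
            $pid = $_.OwningProcess
            if (-not $seen.ContainsKey($pid)) {
                $seen[$pid] = $true
                $proc = Get-Process -Id $pid -ErrorAction SilentlyContinue
                "{0} PID {1} {2} -> {3}:{4}" -f (Get-Date -Format 'HH:mm:ss'),
                    $pid, $proc.Path, $_.RemoteAddress, $_.RemotePort
            }
          }
        Start-Sleep -Milliseconds 200
    }
}

Watch-OutboundPort -RemotePort 25 -Seconds 60
```

The audit log is the part that matters: once the subcategory is enabled, leave the laptop running for a few minutes, then the summary query names the executable (as a `\device\harddiskvolumeN\...` path) behind every attempt to reach port 25, whether or not the connection was still open when you looked. If the application turns out to be a host process such as `svchost.exe` or `rundll32.exe`, the `ProcessId` column plus `Get-Process -Id <pid> -Module` narrows it to the loaded module. Auditing can be switched off afterwards with the same `auditpol` command and `/success:disable /failure:disable`.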