I’ve got a client running a single server (SBS2003) sitting behind a SonicWall TZ 180 Enhanced. The server got infected a while ago, and we removed the infections (I thought), but found that it was pushing data up to someplace on the internet. Disabling NetBIOS resolved that issue, but when I re-enable it, it starts back up.
Now, the server has started the same type of thing, uploading mainly to two specific addresses:
18.104.22.168 source port 1125, destination port 3071
22.214.171.124 source port 3375 (but changes), destination port 8000
I’ve got the SonicWall blocking everything except allowed traffic, but need help resolving this once and for all… I’ve included a HijackThis log in the next post. Hopefully it is useful.