Good day, friends.

I noted strange activity from a 'win/98' box deep inside our network, 172.30.48.99, a non-routable address (as per RFC 1918). It looks like a trojan and sometimes like a 'hijacked' machine. Just the facts:

a) this box was using our secondary smtp server as a relay, sending/receiving packets to/from 4 or 5 outside servers (1 inside, dedicated by the Brazilian authority as main DNS).

b) I shut down the sendmail server. A few minutes (4~5) later this box was connected (now directly smtp-to-smtp) to the same outside boxes.

c) Then I blocked it at our gateway (Linux ipchains); this box was thrown out (default policy DENY, this machine -j DENY in all 3 chains: forward, output, input). 5 minutes later it is *again* connected. I am still trying to understand how ipchains is being circumvented.

d) Now I blocked the internet side: -s 0/0 -d 172.30.48.99 -j DENY. It still manages to connect, but is not hearing the replies. Strangely, it connects to the boxes sequentially, once via smtp, another time via pop3, also changing the ports (all ports > 2000), apparently in a random manner.

Any hint??
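The pattern described in the post (an RFC 1918 host opening its own SMTP and POP3 sessions to public addresses from ever-changing high source ports) is something a defender can pull out of a connection table mechanically. The script below is an added example, not code from the original poster: it parses constructed netstat-style lines (the remote addresses are RFC 5737 documentation addresses, not real hosts), flags every internal-to-public connection toward port 25 or 110, and summarizes per host the remotes, services and source ports seen, plus whether all source ports sit above the 2000 threshold the post mentions. The line layout, the 2000 cutoff and the sample data are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges (the post calls 172.30.48.99 non-routable as per RFC 1918).
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Mail services the post reports the box talking to directly.
MAIL_PORTS = {25: "smtp", 110: "pop3"}

# Constructed sample in a netstat-like layout: proto local remote state.
# Remote addresses come from RFC 5737 documentation ranges, not real hosts.
SAMPLE_CONNECTIONS = """\
tcp 172.30.48.99:2041 198.51.100.10:25 ESTABLISHED
tcp 172.30.48.99:2077 198.51.100.23:110 SYN_SENT
tcp 172.30.48.99:3312 203.0.113.7:25 SYN_SENT
tcp 172.30.48.99:1025 172.30.48.5:25 ESTABLISHED
tcp 172.30.48.12:1180 198.51.100.10:80 ESTABLISHED
tcp 172.30.48.99:2203 203.0.113.7:110 SYN_SENT
"""

# Assumed line format; adjust the pattern to whatever tool produced the listing.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)$"
)


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def parse_connections(text: str) -> list[dict]:
    """Parse netstat-like lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        row["rport"] = int(row["rport"])
        rows.append(row)
    return rows


def flag_outbound_mail(text: str, min_sport: int = 2000) -> dict[str, list[dict]]:
    """Group by internal host every connection that leaves RFC 1918 space toward
    SMTP or POP3, recording whether the source port is above min_sport."""
    findings = defaultdict(list)
    for row in parse_connections(text):
        # Only internal -> public traffic is of interest; internal relays are skipped.
        if not is_rfc1918(row["laddr"]) or is_rfc1918(row["raddr"]):
            continue
        service = MAIL_PORTS.get(row["rport"])
        if service is None:
            continue
        findings[row["laddr"]].append({
            "remote": row["raddr"],
            "service": service,
            "sport": row["lport"],
            "high_sport": row["lport"] > min_sport,
            "state": row["state"],
        })
    return dict(findings)


def summarize(findings: dict[str, list[dict]]) -> dict[str, dict]:
    """Per host: distinct remotes, services seen, sorted source ports, and whether
    every source port was above the threshold (the post saw all of them > 2000)."""
    summary = {}
    for host, rows in findings.items():
        summary[host] = {
            "remotes": sorted({r["remote"] for r in rows}),
            "services": sorted({r["service"] for r in rows}),
            "sports": sorted(r["sport"] for r in rows),
            "all_high_sport": all(r["high_sport"] for r in rows),
        }
    return summary


if __name__ == "__main__":
    for host, info in summarize(flag_outbound_mail(SAMPLE_CONNECTIONS)).items():
        print(host, info)
```

Fed the real connection table (or a firewall log reshaped into the same four columns), a host that shows up with several public remotes, both mail services, and nothing but high source ports is the one to pull off the wire and image; internal-to-internal hits such as the legitimate relay to the local SMTP server are deliberately left out so they do not drown the finding.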