Security – How to find which local process is sending spam on a Windows Server 2008 server

Tags: firewall, security, smtp, spam, windows-server-2008

I am managing a Win Server 2008 system with a number of hosted web sites. Recently I found that something was sending spam through our SMTP server. The logs indicate that the connections were being made to our localhost SMTP server on port 25, which was configured to allow unauthenticated relaying. We are now requiring authentication even on 127.0.0.1:25, so the outgoing spam is blocked, but the connection attempts continue.

My guess is that one of our client's web scripts has been hacked and is being used to forward spam through our SMTP server.

Are there any tools that can be used to pin down what process, or better yet, which executable is making connections to a specific web port?

I have looked at the Windows Firewall logs, as suggested in this Server Fault question, but they do not list the process ID that is making the connections.

Of course it is possible that I am barking up the wrong tree here, so any other advice would be appreciated too.

Best Answer

netstat -b -o lists the network connections, process and PID - you should be able to figure out which IIS worker process is doing all the port 25 connections.
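The following is an added example, not part of the original answer, showing how to go one step further than reading netstat by hand. It parses `netstat -ano` (which, unlike `-b`, needs no elevation and does no slow module lookups), keeps only TCP connections whose foreign end is port 25 (the spamming script is the client side, so the SMTP server's own 127.0.0.1:25 listener is not counted), groups them by owning PID, resolves each PID to a process name and path, and, for w3wp.exe, maps the PID to its IIS application pool with appcmd. It assumes IIS 7 on Windows Server 2008 (appcmd.exe under %windir%\system32\inetsrv), PowerShell 2.0 or later, and an elevated prompt so that Get-Process can read the executable path of other users' processes; run it while the connection attempts are ongoing.

```powershell
# Added example (not from the original question or answer). Assumptions:
# IIS 7 with appcmd.exe in %windir%\system32\inetsrv, PowerShell 2.0+,
# elevated prompt. Lists every process holding a TCP connection to port 25.

$targetPort = 25

# Map w3wp.exe PIDs to application pool names. appcmd prints one line per
# worker process in the form:  WP "1234" (applicationPool:SomePool)
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$poolByPid = @{}
if (Test-Path $appcmd) {
    & $appcmd list wp | ForEach-Object {
        if ($_ -match 'WP "(\d+)" \(applicationPool:(.+)\)') {
            $poolByPid[[int]$matches[1]] = $matches[2]
        }
    }
}

# Count connections to port 25 per owning PID.
# netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
$counts = @{}
netstat -ano -p tcp | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { return }   # skip headers/blank lines
    $foreignPort = ($f[2] -split ':')[-1]                 # works for IPv4 and [IPv6]:port
    if ($foreignPort -ne "$targetPort") { return }
    $ownerPid = [int]$f[4]                                # $pid is reserved in PowerShell
    if ($counts.ContainsKey($ownerPid)) { $counts[$ownerPid]++ } else { $counts[$ownerPid] = 1 }
}

# Resolve each PID to an executable and, where applicable, an IIS app pool.
$counts.Keys | ForEach-Object {
    $ownerPid = $_
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
    $path = if ($proc -and $proc.Path) { $proc.Path } else { '' }
    $pool = if ($poolByPid.ContainsKey($ownerPid)) { $poolByPid[$ownerPid] } else { '' }
    New-Object PSObject -Property @{
        PID         = $ownerPid
        Process     = $name
        AppPool     = $pool
        Connections = $counts[$ownerPid]
        Path        = $path
    }
} | Sort-Object Connections -Descending |
    Format-Table PID, Process, AppPool, Connections, Path -AutoSize
```

With one application pool per site (the IIS 7 default), the AppPool column identifies the hosted site; the next step is that site's IIS request logs for the minutes around the connection attempts, which narrow it down to the script being invoked. A row whose process is not w3wp.exe (a scheduled task, a service, an unexpected executable) is worth the same scrutiny, since it means the sender is not a web script at all.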
