Security Basics mailing list archives
RE: Proxy+ Trojan
From: "dave" <dave () netmedic net>
Date: Tue, 4 Feb 2003 16:21:42 -0500
Bill,

Who and what did the server hardening? Was it just the OS, or did you have specific applications that were also hardened? Your description sounds like someone did it for you. There could be hundreds of holes/exploits that may have been missed in the OS or the applications you have running.

If you are still worried try http://www.s-doc.com/products/securitelok.asp

Cheers,
Dave

-----Original Message-----
From: Bill [mailto:proftpd () anatek com]
Sent: Monday, February 03, 2003 19:58
To: security-basics () securityfocus com
Subject: Re: Proxy+ Trojan

Hamish,

Sorry, I should have provided a better description to begin.

> The simple answer is find out how it was put on there, and block off that

That's the problem -- it's not so simple. This is a dedicated web server (Win2K/IIS5) that I have co-located in a top-tier data center. The app was installed remotely, and no logins were compromised. I had just finished having my SQL Server hardened (about 10 days _before_ Slammer!) and we ran some extensive password cracking software then. I was feeling pretty ok, and then I started getting SpamCop reports. I checked for an open relay a hundred times, but couldn't find anything. After a couple of days I found the copy of Proxy+ and blew it away. I then installed a software firewall, and I'm ok now (except for learning how to configure the firewall :-) ).

The real problem is that I don't know how this install was done. I would really like to address this as an independent issue. I must have something configured horribly wrong, but how do I start the detective work? And now, everything seems suspicious. I feel the urge to disable every service! :-) Anyhow, if you have ideas on how an app could get installed remotely, I could start investigating.

> Then do a security audit on that machine.

I have subscribed to the SecurityMetrics offering, which I think will definitely help on an ongoing basis. But my situation is not ideal. I'm misconfigured, I'm sure, but handling it with a firewall. I want to be correctly configured and have the firewall as an extra measure of safety. I would enjoy hearing your speculation!

Thanks!
Bill