Re: Proxy+ Trojan

["KoRe MeLtDoWn" <koremeltdown () hotmail com>]

Hi again Bill,
Im not terribly experienced at the web server type security but you might 
want to start with your raw server logs. Check those for suspicious probes 
(404 errors etc) pre the time you started getting the SpamCop Reports.
Unfortunately this isn't my particular area of security I specialise in, so 
Im sure Im offering you an avenue you have already taken.

Regards,

Hamish Stanaway

-= KoRe WoRkS =- Internet Security
Owner/Operator
Auckland, New Zealand
http://www.koreworks.com/

Is you box REALLY secure?





> From: "Bill" <proftpd () anatek com>
> To: <security-basics () securityfocus com>
> Subject: Re: Proxy+ Trojan
> Date: Mon, 3 Feb 2003 18:57:45 -0600
> MIME-Version: 1.0
> Received: from outgoing.securityfocus.com ([205.206.231.26]) by 
> mc7-f38.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 4 Feb 
> 2003 15:02:50 -0800
> Received: from lists.securityfocus.com (lists.securityfocus.com 
> [205.206.231.19])by outgoing.securityfocus.com (Postfix) with QMQPid 
> 8283F8F306; Tue,  4 Feb 2003 10:56:13 -0700 (MST)
> Received: (qmail 18268 invoked from network); 4 Feb 2003 00:56:33 -0000
> X-Message-Info: dHZMQeBBv44lPE7o4B5bAg==
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Message-ID: <12aa01c2cbe8$70725ef0$6501a8c0@develop1>
> References: <F82vCRohyMMGz0tWqhU00000968 () hotmail com>
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> Return-Path: 
> security-basics-return-17674-koremeltdown=hotmail.com () securityfocus com
> X-OriginalArrivalTime: 04 Feb 2003 23:02:50.0687 (UTC) 
> FILETIME=[8A98DCF0:01C2CCA1]
>
> Hamish,
>
> Sorry, I should have provided a better desicription to begin.
>
> > The simple answer is find out how it was put on there, and block off 
> that
>
> That's the problem -- it's not so simple.  This is a dedicated web server
> (Win2K/IIS5) that I have co-located in a top-tier data center.  The app was
> installed remotely, and no logins were compromised.  I had just finished
> having my SQL Server harded (about 10 days _before_ Slammer!) and we ran
> some extensive password cracking software then.  I was feeling pretty ok,
> and then I started getting SpamCop reports.  I checked for an open relay a
> hundred times, but couldn't find anything.  After a couple of days I found
> the copy of Proxy+ and blew it away.  I then installed a software firewall,
> and I'm ok now (except for learning how to configure the firewall :-) ).
>
> The real problem is that I don't know how this install was done.  I would
> really like to address this as an independent issue.  I must have something
> configured horribly wrong, but how do I start the detective work?  And now,
> everything seems suspicious.  I feel the urge to disable every service!  
> :-)
>
> Anyhow, if you have ideas on how an app could get installed remotely, I
> could start investigating.
>
> > Then do a security audit on that machine.
>
> I hae subscribed to the SecurityMetrics offering, which I think will
> definitely help on an ongoing basis.  But my situation is not ideal.  I'm
> misconfigured, I'm sure, but hadnling it with a firewall.  I want to be
> correctly configured and have the firewall as an extra measure of safety.
>
> I would enjoy hearing your speculation!
>
> Thanks!
>
> Bill


_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE*  
http://join.msn.com/?page=features/junkmail