Security Basics mailing list archives
Re: Proxy+ Trojan
From: "KoRe MeLtDoWn" <koremeltdown () hotmail com>
Date: Tue, 04 Feb 2003 23:26:06 +0000
Hi again Bill,

I'm not terribly experienced at the web server type security, but you might want to start with your raw server logs. Check those for suspicious probes (404 errors etc.) before the time you started getting the SpamCop reports. Unfortunately this isn't the particular area of security I specialise in, so I'm sure I'm offering you an avenue you have already taken.

Regards,
Hamish Stanaway
-= KoRe WoRkS =- Internet Security
Owner/Operator
Auckland, New Zealand
http://www.koreworks.com/
Is your box REALLY secure?
From: "Bill" <proftpd () anatek com>
To: <security-basics () securityfocus com>
Subject: Re: Proxy+ Trojan
Date: Mon, 3 Feb 2003 18:57:45 -0600
Message-ID: <12aa01c2cbe8$70725ef0$6501a8c0@develop1>
References: <F82vCRohyMMGz0tWqhU00000968 () hotmail com>

Hamish,

Sorry, I should have provided a better description to begin.

> The simple answer is find out how it was put on there, and block off that

That's the problem -- it's not so simple. This is a dedicated web server (Win2K/IIS5) that I have co-located in a top-tier data center. The app was installed remotely, and no logins were compromised.

I had just finished having my SQL Server hardened (about 10 days _before_ Slammer!) and we ran some extensive password cracking software then. I was feeling pretty ok, and then I started getting SpamCop reports. I checked for an open relay a hundred times, but couldn't find anything. After a couple of days I found the copy of Proxy+ and blew it away. I then installed a software firewall, and I'm ok now (except for learning how to configure the firewall :-) ).

The real problem is that I don't know how this install was done. I would really like to address this as an independent issue. I must have something configured horribly wrong, but how do I start the detective work? And now, everything seems suspicious. I feel the urge to disable every service! :-)

Anyhow, if you have ideas on how an app could get installed remotely, I could start investigating.

> Then do a security audit on that machine.

I have subscribed to the SecurityMetrics offering, which I think will definitely help on an ongoing basis. But my situation is not ideal. I'm misconfigured, I'm sure, but handling it with a firewall. I want to be correctly configured and have the firewall as an extra measure of safety.

I would enjoy hearing your speculation!

Thanks!
Bill
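Hamish's suggestion above (look in the raw server logs for 404 probes that predate the first SpamCop report) can be turned into a small triage script. The following is an added example, not code from either poster: it parses IIS 5 W3C extended log lines, keeps only 404 responses dated before a cutoff, and groups them per client address so that scanning bursts stand out from ordinary broken links. The log lines, the client addresses, the requested paths and the cutoff date are all constructed for the example; the field names follow the IIS W3C `#Fields:` header.

```python
"""Triage IIS W3C extended logs for 404 probe bursts that precede an incident date."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log (not from the thread). IIS 5 writes the #Fields header
# once per file; the columns below are a subset of the common selection.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-01-20 03:14:01 203.0.113.5 GET /index.asp 200
2003-01-20 03:14:02 203.0.113.5 GET /images/logo.gif 200
2003-01-21 11:02:10 198.51.100.7 GET /scripts/a.exe 404
2003-01-21 11:02:10 198.51.100.7 GET /scripts/b.exe 404
2003-01-21 11:02:11 198.51.100.7 GET /cgi-bin/c.pl 404
2003-01-21 11:02:11 198.51.100.7 GET /admin/ 404
2003-01-21 11:02:12 198.51.100.7 HEAD / 200
2003-01-22 09:00:00 203.0.113.5 GET /missing.html 404
2003-01-28 15:30:00 192.0.2.9 GET /scripts/z.exe 404
2003-01-28 15:30:01 192.0.2.9 GET /scripts/y.exe 404
2003-01-28 15:30:02 192.0.2.9 GET /x.exe 404
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the whole triage
        records.append(dict(zip(fields, values)))
    return records


def find_404_probes(records, cutoff_iso, min_hits=3):
    """Group 404s per client IP for entries dated strictly before cutoff_iso (YYYY-MM-DD).

    Returns {ip: {"count", "uris", "first", "last"}} for IPs with at least min_hits 404s.
    A single 404 is usually a broken link; a burst of distinct missing paths from one
    address in a short window is what a probe looks like in the log.
    """
    cutoff = date.fromisoformat(cutoff_iso)
    per_ip = defaultdict(lambda: {"count": 0, "uris": [], "first": None, "last": None})
    for rec in records:
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if when.date() >= cutoff or rec["sc-status"] != "404":
            continue
        entry = per_ip[rec["c-ip"]]
        entry["count"] += 1
        if rec["cs-uri-stem"] not in entry["uris"]:
            entry["uris"].append(rec["cs-uri-stem"])
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
    return {ip: e for ip, e in per_ip.items() if e["count"] >= min_hits}


if __name__ == "__main__":
    # Constructed cutoff: the day the first SpamCop report arrived.
    hits = find_404_probes(parse_w3c(SAMPLE_LOG), "2003-01-27")
    for ip, e in sorted(hits.items()):
        print(f"{ip}: {e['count']} x 404 between {e['first']} and {e['last']}")
        for uri in e["uris"]:
            print("   ", uri)
```

Run against a real log directory you would concatenate the daily `ex*.log` files and pass the date of the first abuse report as the cutoff; the addresses that surface are the starting point for correlating with the FTP, SMTP and event logs of the same period, which is where the actual install vector would show up if the web server was the entry point.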
Current thread:
- Proxy+ Trojan Bill (Feb 03)
- RE: Proxy+ Trojan dave (Feb 05)
- <Possible follow-ups>
- Re: Proxy+ Trojan KoRe MeLtDoWn (Feb 04)
- Re: Proxy+ Trojan Bill (Feb 05)
- RE: Proxy+ Trojan dave (Feb 04)
- Re: Proxy+ Trojan Bill (Feb 05)
- Re: Proxy+ Trojan KoRe MeLtDoWn (Feb 05)