Security Incidents mailing list archives
Re: Name that Trojan
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Wed, 9 Jan 2002 23:14:16 +0100 (CET)
On Wed, 9 Jan 2002, Nutcase_69 wrote:
We have an application server running NT 4.0. We found the file serv.exe on it and I know that this could be an indication of a Trojan. We deleted the file and when we rebooted, the file re-appeared. I am trying to find out if anybody knows what Trojan might display this activity? I thought it was freak but that seemed old and I didn't think that it could regenerate the .exe. Any answers?
Standard procedure in case of a break-in that can't be identified is to take the server offline. Store the disk. Perhaps salvage some data later and install a replacement server. If you are not 100% sure, you can't risk leaving backdoors, timebombs, ... on your server. Trust Murphy to strike harder when you have ignored his laws.

Hugo.

--
All email sent to me is bound to the rules described on my homepage.
hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Name that Trojan Nutcase_69 (Jan 09)
- Re: Name that Trojan Hugo van der Kooij (Jan 09)
- Re: Name that Trojan Blake Frantz (Jan 09)
- <Possible follow-ups>
- RE: Name that Trojan Kester, Kelly (Jan 09)
- RE: Name that Trojan Michael Ward (Jan 09)