Security Incidents mailing list archives

Re: Name that Trojan


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Wed, 9 Jan 2002 23:14:16 +0100 (CET)

On Wed, 9 Jan 2002, Nutcase_69 wrote:

> We have an application server running NT 4.0.  We found the file serv.exe on
> it and I know that this could be an indication of a Trojan.  We deleted the
> file and when we rebooted, the file re-appeared.  I am trying to find out if
> anybody knows what Trojan might display this activity?  I thought it was
> freak but that seemed old and I didn't think that it could regenerate the
> .exe.  Any answers?

Standard procedure in case of a break-in that can't be identified is to take
the server off line. Store the disk. Perhaps salvage some data later and
install a replacement server.

If you are not 100% sure, you can't risk leaving backdoors, timebombs, ...
on your server.

Trust Murphy to strike harder when you have ignored his laws.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

