Home page logo

basics logo Security Basics mailing list archives

RE: Proxy+ Trojan
From: "dave" <dave () netmedic net>
Date: Tue, 4 Feb 2003 16:21:42 -0500


Who and what did the server hardening?  
Was is just the OS, or did you have specific applications that were also
Your description sounds like someone did it for you.

There could be hundreds of holes/exploits that may have been missed in the
OS or the applications you have running.

If you are still worried try  http://www.s-doc.com/products/securitelok.asp




-----Original Message-----
From: Bill [mailto:proftpd () anatek com] 
Sent: Monday, February 03, 2003 19:58
To: security-basics () securityfocus com
Subject: Re: Proxy+ Trojan


Sorry, I should have provided a better desicription to begin.

The simple answer is find out how it was put on there, and block off that

That's the problem -- it's not so simple.  This is a dedicated web server
(Win2K/IIS5) that I have co-located in a top-tier data center.  The app was
installed remotely, and no logins were compromised.  I had just finished
having my SQL Server harded (about 10 days _before_ Slammer!) and we ran
some extensive password cracking software then.  I was feeling pretty ok,
and then I started getting SpamCop reports.  I checked for an open relay a
hundred times, but couldn't find anything.  After a couple of days I found
the copy of Proxy+ and blew it away.  I then installed a software firewall,
and I'm ok now (except for learning how to configure the firewall :-) ).

The real problem is that I don't know how this install was done.  I would
really like to address this as an independent issue.  I must have something
configured horribly wrong, but how do I start the detective work?  And now,
everything seems suspicious.  I feel the urge to disable every service!  :-)

Anyhow, if you have ideas on how an app could get installed remotely, I
could start investigating.

Then do a security audit on that machine.

I hae subscribed to the SecurityMetrics offering, which I think will
definitely help on an ongoing basis.  But my situation is not ideal.  I'm
misconfigured, I'm sure, but hadnling it with a firewall.  I want to be
correctly configured and have the firewall as an extra measure of safety.

I would enjoy hearing your speculation!



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]