From: "Bill" <proftpd () anatek com>
To: <security-basics () securityfocus com>
Subject: Re: Proxy+ Trojan
Date: Mon, 3 Feb 2003 18:57:45 -0600
Message-ID: <12aa01c2cbe8$70725ef0$6501a8c0 () develop1>
References: <F82vCRohyMMGz0tWqhU00000968 () hotmail com>
Sorry, I should have provided a better description to begin with.

> The simple answer is find out how it was put on there, and block off

That's the problem -- it's not so simple. This is a dedicated web server
(Win2K/IIS5) that I have co-located in a top-tier data center. The app was
installed remotely, and no logins were compromised. I had just finished
having my SQL Server hardened (about 10 days _before_ Slammer!) and we ran
some extensive password cracking software then. I was feeling pretty OK,
and then I started getting SpamCop reports. I checked for an open relay a
hundred times, but couldn't find anything. After a couple of days I found
the copy of Proxy+ and blew it away. I then installed a software firewall,
and I'm OK now (except for learning how to configure the firewall :-) ).

The real problem is that I don't know how this install was done. I would
really like to address this as an independent issue. I must have something
configured horribly wrong, but how do I start the detective work? And now,
everything seems suspicious. I feel the urge to disable every service!
Anyhow, if you have ideas on how an app could get installed remotely, I
could start investigating.

> Then do a security audit on that machine.

I have subscribed to the SecurityMetrics offering, which I think will
definitely help on an ongoing basis. But my situation is not ideal. I'm
misconfigured, I'm sure, but handling it with a firewall. I want to be
correctly configured and have the firewall as an extra measure of safety.

I would enjoy hearing your speculation!
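As an added example (not part of the original message or any reply to it), one concrete place to start the detective work the poster asks about is an inventory of what the box is listening on, compared against what the administrator deliberately exposed. An unexplained listener is exactly how a remotely installed proxy shows up. The script below parses `netstat -an` output in the layout Windows 2000 prints, flags listeners whose port is not in an assumed baseline, notes whether each is bound to all interfaces or only to loopback, and lists the remote peers currently connected to a flagged port. The baseline set and the netstat text are constructed for the example; the unexpected ports in it are not a claim about which ports Proxy+ uses.

```python
"""Triage helper for a suspected remote install: diff the sockets a Windows
box is listening on against the set its administrator expects.

Added example, not code from the original mail. The expected-port baseline
and the netstat output are constructed; feed the real `netstat -an > netstat.txt`
from the server into `unexpected_listeners` in practice."""

import re
from typing import List, Optional, Set, Tuple

Listener = Tuple[str, str, int]  # (protocol, bound address, port)

# Hypothetical baseline for a Win2K/IIS5 web server with SQL Server and the
# built-in SMTP service: (protocol, port) pairs the administrator exposed on purpose.
EXPECTED_PORTS: Set[Tuple[str, int]] = {
    ("tcp", 25),    # IIS SMTP service
    ("tcp", 80),    # IIS
    ("tcp", 443),   # IIS over SSL
    ("tcp", 1433),  # SQL Server
    ("tcp", 3389),  # Terminal Services for remote administration
    ("tcp", 135), ("tcp", 139), ("tcp", 445),   # Windows RPC / NetBIOS / SMB
    ("udp", 137), ("udp", 138),                 # NetBIOS name / datagram
}

# Constructed `netstat -an` output in the Windows 2000 layout. The listeners on
# 1080 and 8080 and the peers on 8080 are invented for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51324     ESTABLISHED
  TCP    192.0.2.10:8080        203.0.113.44:1102      ESTABLISHED
  TCP    192.0.2.10:8080        198.51.100.9:2207      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state
# (UDP rows have no state column).
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def _rows(netstat_output: str):
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, addr, port, foreign, state = m.groups()
            yield proto.lower(), addr, int(port), foreign, (state or "").upper()


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Every bound socket: TCP rows in LISTENING state plus all UDP rows."""
    return [(proto, addr, port)
            for proto, addr, port, _foreign, state in _rows(netstat_output)
            if proto == "udp" or state == "LISTENING"]


def unexpected_listeners(netstat_output: str,
                         expected: Optional[Set[Tuple[str, int]]] = None) -> List[Listener]:
    """Listeners whose (proto, port) is absent from the baseline, sorted for stable output."""
    baseline = EXPECTED_PORTS if expected is None else expected
    return sorted(l for l in parse_listeners(netstat_output)
                  if (l[0], l[2]) not in baseline)


def exposed_to_network(listener: Listener) -> bool:
    """False only for sockets bound to loopback; 0.0.0.0 and any real interface count as exposed."""
    return not listener[1].startswith("127.")


def peers_of_port(netstat_output: str, port: int) -> List[str]:
    """Remote addresses with an ESTABLISHED TCP connection to the given local port."""
    return [foreign for proto, _addr, lport, foreign, state in _rows(netstat_output)
            if proto == "tcp" and lport == port and state == "ESTABLISHED"]


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        scope = "all interfaces" if exposed_to_network((proto, addr, port)) else "loopback only"
        peers = peers_of_port(SAMPLE_NETSTAT, port) if proto == "tcp" else []
        print(f"unexpected {proto}/{port} bound to {addr} ({scope}); "
              f"connected peers: {', '.join(peers) if peers else 'none'}")
```

Windows 2000's netstat cannot name the process that owns a socket, so each flagged port still has to be tied to an executable with a separate tool (Foundstone's fport is one that ran on Win2K; assumed available here), and the peers listed for a port give the addresses to look for in the IIS and firewall logs.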