Home page logo

basics logo Security Basics mailing list archives

Re: Proxy+ Trojan
From: "KoRe MeLtDoWn" <koremeltdown () hotmail com>
Date: Tue, 04 Feb 2003 23:26:06 +0000

Hi again Bill,
Im not terribly experienced at the web server type security but you might want to start with your raw server logs. Check those for suspicious probes (404 errors etc) pre the time you started getting the SpamCop Reports. Unfortunately this isn't my particular area of security I specialise in, so Im sure Im offering you an avenue you have already taken.


Hamish Stanaway

-= KoRe WoRkS =- Internet Security
Auckland, New Zealand

Is you box REALLY secure?

From: "Bill" <proftpd () anatek com>
To: <security-basics () securityfocus com>
Subject: Re: Proxy+ Trojan
Date: Mon, 3 Feb 2003 18:57:45 -0600
MIME-Version: 1.0
Received: from outgoing.securityfocus.com ([]) by mc7-f38.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 4 Feb 2003 15:02:50 -0800 Received: from lists.securityfocus.com (lists.securityfocus.com [])by outgoing.securityfocus.com (Postfix) with QMQPid 8283F8F306; Tue, 4 Feb 2003 10:56:13 -0700 (MST)
Received: (qmail 18268 invoked from network); 4 Feb 2003 00:56:33 -0000
X-Message-Info: dHZMQeBBv44lPE7o4B5bAg==
Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <security-basics.list-id.securityfocus.com>
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
Message-ID: <12aa01c2cbe8$70725ef0$6501a8c0 () develop1>
References: <F82vCRohyMMGz0tWqhU00000968 () hotmail com>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Return-Path: security-basics-return-17674-koremeltdown=hotmail.com () securityfocus com X-OriginalArrivalTime: 04 Feb 2003 23:02:50.0687 (UTC) FILETIME=[8A98DCF0:01C2CCA1]


Sorry, I should have provided a better desicription to begin.

> The simple answer is find out how it was put on there, and block off that

That's the problem -- it's not so simple.  This is a dedicated web server
(Win2K/IIS5) that I have co-located in a top-tier data center.  The app was
installed remotely, and no logins were compromised.  I had just finished
having my SQL Server harded (about 10 days _before_ Slammer!) and we ran
some extensive password cracking software then.  I was feeling pretty ok,
and then I started getting SpamCop reports.  I checked for an open relay a
hundred times, but couldn't find anything.  After a couple of days I found
the copy of Proxy+ and blew it away.  I then installed a software firewall,
and I'm ok now (except for learning how to configure the firewall :-) ).

The real problem is that I don't know how this install was done.  I would
really like to address this as an independent issue.  I must have something
configured horribly wrong, but how do I start the detective work?  And now,
everything seems suspicious. I feel the urge to disable every service! :-)

Anyhow, if you have ideas on how an app could get installed remotely, I
could start investigating.

> Then do a security audit on that machine.

I hae subscribed to the SecurityMetrics offering, which I think will
definitely help on an ongoing basis.  But my situation is not ideal.  I'm
misconfigured, I'm sure, but hadnling it with a firewall.  I want to be
correctly configured and have the firewall as an extra measure of safety.

I would enjoy hearing your speculation!



Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]