mailing list archives
Re: Proxy+ Trojan
From: "Bill" <proftpd () anatek com>
Date: Mon, 3 Feb 2003 18:57:45 -0600
Sorry, I should have provided a better desicription to begin.
The simple answer is find out how it was put on there, and block off that
That's the problem -- it's not so simple. This is a dedicated web server
(Win2K/IIS5) that I have co-located in a top-tier data center. The app was
installed remotely, and no logins were compromised. I had just finished
having my SQL Server harded (about 10 days _before_ Slammer!) and we ran
some extensive password cracking software then. I was feeling pretty ok,
and then I started getting SpamCop reports. I checked for an open relay a
hundred times, but couldn't find anything. After a couple of days I found
the copy of Proxy+ and blew it away. I then installed a software firewall,
and I'm ok now (except for learning how to configure the firewall :-) ).
The real problem is that I don't know how this install was done. I would
really like to address this as an independent issue. I must have something
configured horribly wrong, but how do I start the detective work? And now,
everything seems suspicious. I feel the urge to disable every service! :-)
Anyhow, if you have ideas on how an app could get installed remotely, I
could start investigating.
Then do a security audit on that machine.
I hae subscribed to the SecurityMetrics offering, which I think will
definitely help on an ongoing basis. But my situation is not ideal. I'm
misconfigured, I'm sure, but hadnling it with a firewall. I want to be
correctly configured and have the firewall as an extra measure of safety.
I would enjoy hearing your speculation!