Re: Question
From: KC (none_at_nospam.com)
Date: 02/25/05
- Next message: Colin Steadman: "Using a domain account as the anonymous user for file copy over network"
- Previous message: Martijn: "Solved"
- In reply to: Miha Pihler [MVP]: "Re: Question"
- Next in thread: Miha Pihler [MVP]: "Re: Question"
- Reply: Miha Pihler [MVP]: "Re: Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Feb 2005 06:57:42 -0500
One day it is fhgj.exe, the next day ghfnt.exe, etc.: a randomly generated exe
file, listed in NAV as a trojan dropper. The source is not internal so it
must be some type of external connection. I have scoured through the server
for any signs of compromise and cannot find anything. This is concerning me as it
clearly seems it is an external connection causing this. I will have to note
the real time detection and perhaps run a sniffer at that time to see where
the connection is coming from.
Any other insight would be appreciated.
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:O8wlVQqGFHA.3916@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> It is impossible to tell for sure, but yes it is possible that something
> is connecting to your server and is trying to infect it.
>
> You also have to know that someone could have surfed the internet a few days,
> weeks, or months ago, infected the server, and the problem is still there.
>
> Can you tell me what virus NAV is reporting?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "KC" <none@nospam.com> wrote in message
> news:uVHGA9lGFHA.1396@TK2MSFTNGP10.phx.gbl...
>> To expound on this...I have a web server and FTP server in my
>> DMZ. Every morning, I see the alert that NAV has found and deleted a
>> virus during a realtime scan. This is not happening by surfing the web
>> and I cannot figure out where the source of this virus is coming from.
>> The machines are locked down and only necessary ports are open. I've
>> checked registries on all affected machines and can't find anything out
>> of the ordinary.
>> Does this suggest that someone is connected to the machine at that time
>> actually trying to drop the executable?
>> "KC" <none@nospam.com> wrote in message
>> news:OKyNw$fGFHA.2416@TK2MSFTNGP14.phx.gbl...
>>> Thanks
>>> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
>>> news:uZgV8ufGFHA.2472@TK2MSFTNGP10.phx.gbl...
>>>> It is possible (and very likely) that they are coming in over TCP port
>>>> 80 (or UDP 53 -- used for DNS resolution).
>>>>
>>>> Viruses will use ports that are likely to be opened (as mentioned TCP
>>>> 80, TCP 443, UDP 53, TCP 25, ...).
>>>>
>>>> When I set up servers for my customers, I usually try to define rules on
>>>> the firewall that would prevent complete access to the internet from
>>>> the servers (but not the other way -- access from the internet to the
>>>> server so that visitors are able to access public websites). This way,
>>>> I can prevent administrators surfing the internet from the server and
>>>> getting infected from web sites (protects from viruses, spyware, etc.).
>>>> This doesn't prevent an infection that would come from inside (e.g. the
>>>> internal network)...
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "KC" <noemail@nospam.com> wrote in message
>>>> news:Ow6jqmdGFHA.3964@TK2MSFTNGP14.phx.gbl...
>>>>> Hello All:
>>>>>
>>>>> For the past several days, our virus software has found and deleted a
>>>>> backdoor trojan which was destined for our webserver. This came from
>>>>> the outside, not in, since no other clients on the network show any
>>>>> signs of infections.
>>>>>
>>>>> My question is this: how are these files being sent to the server? Is
>>>>> it possible that they are coming in on port 80?
>>>>> If not, how?
>>>>>
>>>>> Thanks
>>>>>
>>>>> KC
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
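An added example (not code from any poster in this thread) of the approach KC proposes above: tie the time of each real-time AV detection to the firewall's connection log to see which remote hosts were talking to the server just before the file appeared, and also check Miha's point about outbound access from the server. The log formats, addresses (RFC 5737 documentation ranges) and timestamps are all constructed; real NAV and firewall logs would need their own parsers.

```python
"""Correlate real-time AV detections with firewall connection records.

Added example for the thread above; not code from any poster. The log
formats, IP addresses and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AV real-time detection lines (format is an assumption):
# date time path verdict action
AV_LOG = """\
2005-02-25 06:40:12 C:\\Inetpub\\wwwroot\\fhgj.exe Trojan.Dropper deleted
2005-02-24 06:38:51 C:\\Inetpub\\wwwroot\\ghfnt.exe Trojan.Dropper deleted
"""

# Constructed firewall connection log for a DMZ web/FTP server at 192.0.2.10
# (documentation address range). Fields: date time direction src dst proto/port
FW_LOG = """\
2005-02-25 06:39:58 IN 198.51.100.7 192.0.2.10 tcp/80
2005-02-25 06:40:03 IN 198.51.100.7 192.0.2.10 tcp/21
2005-02-25 06:40:05 OUT 192.0.2.10 203.0.113.9 tcp/80
2005-02-25 06:55:00 IN 198.51.100.20 192.0.2.10 tcp/80
2005-02-24 06:38:40 IN 198.51.100.7 192.0.2.10 tcp/80
2005-02-24 06:38:45 OUT 192.0.2.10 203.0.113.9 tcp/80
2005-02-24 12:00:00 OUT 192.0.2.10 192.0.2.53 udp/53
"""

SERVER_IP = "192.0.2.10"
# Assumption: DMZ/internal addresses start with this prefix (DNS at 192.0.2.53).
INTERNAL_PREFIXES = ("192.0.2.",)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_av(text):
    """Parse detection lines into dicts with a datetime, path and verdict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, path, verdict, action = line.split()
        events.append({"time": datetime.strptime(f"{date} {time}", TS_FORMAT),
                       "path": path, "verdict": verdict, "action": action})
    return events


def parse_fw(text):
    """Parse connection lines into dicts with a datetime, direction and endpoints."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, direction, src, dst, service = line.split()
        conns.append({"time": datetime.strptime(f"{date} {time}", TS_FORMAT),
                      "dir": direction, "src": src, "dst": dst, "service": service})
    return conns


def correlate(av_events, conns, window_seconds=60):
    """For each detection, collect connections seen in the window before it,
    keyed by the remote host (source for inbound, destination for outbound)."""
    results = []
    for ev in av_events:
        window_start = ev["time"] - timedelta(seconds=window_seconds)
        by_remote = defaultdict(list)
        for c in conns:
            if window_start <= c["time"] <= ev["time"]:
                remote = c["src"] if c["dir"] == "IN" else c["dst"]
                by_remote[remote].append(c)
        results.append((ev, dict(by_remote)))
    return results


def recurring_remotes(correlations):
    """Remote hosts present in the window of every detection: the addresses
    worth capturing with a sniffer at the next detection time."""
    remote_sets = [set(by_remote) for _, by_remote in correlations]
    return set.intersection(*remote_sets) if remote_sets else set()


def egress_violations(conns, server_ip=SERVER_IP, allowed=INTERNAL_PREFIXES):
    """Outbound connections from the server to non-internal hosts. Under a
    'no internet access from servers' firewall policy this list is empty, so
    anything here is either a policy gap or the dropper fetching a payload."""
    return [c for c in conns
            if c["dir"] == "OUT" and c["src"] == server_ip
            and not c["dst"].startswith(allowed)]


if __name__ == "__main__":
    conns = parse_fw(FW_LOG)
    corr = correlate(parse_av(AV_LOG), conns)
    for ev, by_remote in corr:
        print(f"{ev['time']} {ev['path']} ({ev['verdict']})")
        for remote, cs in sorted(by_remote.items()):
            print(f"  {remote}: " + ", ".join(f"{c['dir']} {c['service']}" for c in cs))
    print("recurring remote hosts:", sorted(recurring_remotes(corr)))
    for c in egress_violations(conns):
        print("outbound from server:", c["time"], c["dst"], c["service"])
```

With the constructed data, one inbound host appears shortly before both detections and the server opens an outbound web connection each time, which is exactly the kind of pattern a capture filtered on those addresses at the next detection time would confirm or rule out. The window size is a parameter because real-time scanners report the moment the file is written, so a short window keeps unrelated visitors out of the candidate list.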