Re: Firedaemon Application

From: karl [x y] (jamescagney90210@excite.com)
Date: 07/26/02


From: "karl [x y]" <jamescagney90210@excite.com>
Date: Fri, 26 Jul 2002 13:05:58 -0400


"jclaudias Claudias" <jclaudias@ssw.umaryland.edu> wrote in message
news:16ca01c234a8$36cb2bf0$37ef2ecf@TKMSFTNGXA13...
> Hey there,
>
> Does anyone know what firedaemon is and how to remove it
> from a w2k server? Somehow it just showed up on one of my
> servers. I read that it allows you to install apps as
> services. Do you think it may be a hacker?

If you've been hacked, simply removing firedaemon may not be enough. There
may be other back doors, user IDs, etc. installed on the computer, and/or
all your passwords on the other machines on the network may have been
compromised. You also probably want to figure out how the intrusion
occurred so that you can prevent it from happening on other computers, as
well as investigate other computers to see if they too have received the
same hack. The first place you want to look for clues is the logs on the
computer and on the firewalls and routers that connect it to the internet.
Especially check the IIS web server logs: search for log entries that
include % or .EXE and that also have a code 200 or 502 in the same log
entry.

The books Incident Response and Hacking Exposed volume 3 are good
introductions to dealing with this sort of thing, and you can get four books
for the price of one at http://lcis.booksonline.com

The only way to be 100% certain that the machine is secure again is to
format and reinstall Windows, then install all Microsoft security patches
and follow the security checklists at www.microsoft.com/security before you
put the machine back on the internet. Especially IISlockdown including
URLscan if IIS web services are installed.
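
The log search described in the reply above, as an added example that is not part of the original post. It assumes the IIS logs are in W3C extended format with a `#Fields:` header; the function name `suspicious_entries` and all sample log lines are constructed for illustration.

```python
import re

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-20 03:11:02 192.0.2.10 GET /default.htm - 200
2002-07-20 03:11:09 192.0.2.77 GET /scripts/sample%20dir/helper.exe - 200
2002-07-20 03:11:15 192.0.2.77 GET /scripts/helper.EXE - 502
2002-07-20 03:12:40 192.0.2.77 GET /scripts/other.exe - 404
2002-07-20 03:13:01 192.0.2.10 GET /search.asp q=50%25 200
2002-07-20 03:13:05 192.0.2.10 GET /images/logo.gif - 200
"""

# The two markers named in the post: a percent sign or ".EXE" (any case).
SUSPECT = re.compile(r"%|\.exe", re.IGNORECASE)
STATUSES = {"200", "502"}


def suspicious_entries(lines):
    """Return parsed records whose URL contains % or .exe and whose
    sc-status is 200 or 502. Column positions come from #Fields."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS rewrites the header on restart; always use the latest one.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no header seen yet, or a truncated/malformed row
        rec = dict(zip(fields, values))
        url = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        if rec.get("sc-status") in STATUSES and SUSPECT.search(url):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in suspicious_entries(SAMPLE_LOG.splitlines()):
        print(rec["date"], rec["time"], rec["c-ip"],
              rec["cs-uri-stem"], rec["cs-uri-query"], rec["sc-status"])
```

The filter is deliberately broad, so ordinary requests with URL-encoded characters (the `/search.asp` row in the sample) also match and each hit needs manual review.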


