Re: Firedaemon Application

From: karl [x y] (jamescagney90210@excite.com)
Date: 07/26/02


From: "karl [x y]" <jamescagney90210@excite.com>
Date: Fri, 26 Jul 2002 13:05:58 -0400


"jclaudias Claudias" <jclaudias@ssw.umaryland.edu> wrote in message
news:16ca01c234a8$36cb2bf0$37ef2ecf@TKMSFTNGXA13...
> Hey there,
>
> does anyone know what firedaemon is and how to remove it
> from a w2k server. Somehow it just showed up on one of my
> servers. I read that it allows u to install apps as
> services. Do u think it may be a hacker.

If you've been hacked, simply removing firedaemon may not be enough. There
may be other back doors, user IDs, etc. installed on the computer, and/or
all your passwords on the other machines on the network may have been
compromised. You also probably want to figure out how the intrusion
occurred so that you can prevent it from happening on other computers, as
well as investigate other computers to see if they too have received the
same hack. The first place you want to look for clues are logs on the
computer and on the firewalls and routers that connect it to the internet.
Especially check the IIS web server logs, search for log entries that
include % or .EXE and that also have a code 200 or 502 in the same log
entry.

The books Incident Response and Hacking Exposed volume 3 are good
introductions to dealing with this sort of thing, and you can get four books
for the price of one at http://lcis.booksonline.com

The only way to be 100% certain that the machine is secure again is to
format and reinstall windows, then install all microsoft security patches
and follow the security checklists at www.microsoft.com/security before you
put the machine back on the internet. Especially IISlockdown including
URLscan if IIS web services are installed.