Re: how do I work out who/what enabled a service
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 10/04/05
- In reply to: Bruce Baker: "how do I work out who/what enabled a service"
- Next in thread: Steven L Umbach: "Re: how do I work out who/what enabled a service"
Date: Tue, 4 Oct 2005 00:29:36 -0700
Once a machine has been compromised in that way, you need to
understand that any scanning tool can only tell you that it found
this or that, and cannot tell you that there is nothing to be found
(only that it failed to find it if it is there).
The only valid recommendation for your case is to rebuild the
machine starting with a format.
"Bruce Baker" <bruceb@newsgroups.nospam> wrote in message
news:%23ba2sfByFHA.3180@TK2MSFTNGP14.phx.gbl...
> Hi
>
> Got a client which has had a virus which installed Serv-U FTP service.
>
> Symantec and TrendMicro both give the machine a clean bill of health.
>
> We disabled the above service but last night it got reenabled (got the GFI
> network monitor on this server)
>
> How do I work out which process would have done it?
>
> MBSA tells us we have all patches installed and no obvious risks.
> Something's up. Any ideas?
>
> All workstations inside the network also scan ok etc.
>
> Thanks
>