Re: Bait Server for Trojan

From: "Dave" <noone@xxxxxxxxxxx>
Date: Thu, 28 May 2009 21:54:09 -0000

the cause is: you are not secure enough

the fix is: get more secure!

leave the analysis to the pros, get your security fixed so you aren't a vector for transmitting future infections.

"Brock Hensley" <brock.hensley@xxxxxxxxxxxxxxxxxxx> wrote in message news:7CA31DC4-2C35-428E-8509-C56DFE8C2FB8@xxxxxxxxxxxxxxxx

Hello,

I'm looking for any recommendations on how to track down the cause of a Trojan infection.

We have a number of reports of the following infection on various servers. The only common link we can find between all the infected servers is that they do not have Windows Firewall enabled, which is how I assume they are compromising the system in the first place and installing the FTP server which is then detectable.

================
Troj/ServU-Gen (Sophos)
Aliases:
not-a-virus:Server-FTP.Win32.Serv-U.5000 (Kaspersky Lab)
not-a-virus:RiskWare.FTP.Serv-U.5000 (Kaspersky Lab)
Hacktool (Symantec)
BackDoor.Servu.5000 (Doctor Web)
Troj/ServU-Gen (Sophos)
BDS/ServU.ba.1 (H+BEDV)
Win32:Trojano-356 (ALWIL)
Trojan.ServU.G (SOFTWIN)
Trojan.Servu.1 (ClamAV)
Bck/ServU.BB (Panda)
Server-FTP.Win32.Serv-U
================

I'm trying to think of the best way to set up a "Bait" server with security auditing & no Firewall to sniff the infection process.

WireShark?

Once the server is infected, it creates "DependOnService" registry entries on a few services which causes File & Printer Sharing to not work as well as a few other detectable things.

Any help would be appreciated!
-B

References:
- Bait Server for Trojan
  - From: Brock Hensley

Prev by Date: Bait Server for Trojan
Next by Date: Preventing two vulnearbilities
Previous by thread: Bait Server for Trojan
Next by thread: Preventing two vulnearbilities
Index(es):
- Date
- Thread

Relevant Pages

Re: Install Silverlight?
... Most of our clients are small businesses who don't like spending money. ... MS does recommend restricting browsing from a server - I am dealing with it - note that MS only said 'recommend restricting'. ... Trusting AV software is foolish. ... The trend I see is less and less infection, especially at the user workstation level. ...
(microsoft.public.windows.server.sbs)
Re: [Fedora] Seeing input on Securing the Linux system from intrusions and attacks.
... Your guidance concerning honey pots is welcome. ... national server. ... I manage systems on different IAPs, I have noticed quite a difference in the volume of traffic I drop/reject on the different networks. ... frustrating system infection it is also about what you will eventually ...
(Fedora)
Re: Bait Server for Trojan
... "Brock Hensley" wrote in message ... We have a number of reports of the following infection on various servers. ... Troj/ServU-Gen (Sophos) ... I'm trying to think of the best way to set up a "Bait" server with security ...
(microsoft.public.security.virus)
Re: Bait Server for Trojan
... If you dont know how to do this, I would most definately do research on it or hire one or more sec consultants to do it for you. ... I'm looking for any recommendations on how to track down the cause of a Trojan infection. ... The only common link we can find between all the infected servers is that they do not have Windows Firewall enabled, which is how I assume they are compromising the system in the first place and installing the FTP server which is then detectable. ... Troj/ServU-Gen (Sophos) ...
(microsoft.public.windows.server.security)
Re: W32.SwenA@mm virus is so dammed annoying.
... server based on the filters. ... >> find a discussion of the effects of the 'swen' worm and ways you can ... >> e-mail for virus infection. ... >> downloading of e-mail messages (Veronica Loell posts information about ...
(microsoft.public.security)