Posted by Peter Foldes on May 28, 2009, 7:11 pm
Multiposted.
--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
> Hello,
>
> I'm looking for any recommendations on how to track down the cause of a
> Trojan infection.
>
> We have a number of reports of the following infection on various servers.
> The only common link we can find between all the infected servers is that
> they do not have Windows Firewall enabled, which is how I assume they are
> compromising the system in the first place and installing the FTP server
> which is then detectable.
>
> ================
> Troj/ServU-Gen (Sophos)
> Aliases:
> not-a-virus:Server-FTP.Win32.Serv-U.5000 (Kaspersky Lab)
> not-a-virus:RiskWare.FTP.Serv-U.5000 (Kaspersky Lab)
> Hacktool (Symantec)
> BackDoor.Servu.5000 (Doctor Web)
> Troj/ServU-Gen (Sophos)
> BDS/ServU.ba.1 (H+BEDV)
> Win32:Trojano-356 (ALWIL)
> Trojan.ServU.G (SOFTWIN)
> Trojan.Servu.1 (ClamAV)
> Bck/ServU.BB (Panda)
> Server-FTP.Win32.Serv-U
> ================
>
> I'm trying to think of the best way to set up a "Bait" server with security
> auditing & no Firewall to sniff the infection process.
>
> Wireshark?
>
> Once the server is infected, it creates "DependOnService" registry entries
> on a few services which causes File & Printer Sharing to not work as well as
> a few other detectable things.
>
> Any help would be appreciated!
> -B
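The original poster notes that the infected servers end up with extra "DependOnService" registry entries that stop File & Printer Sharing from starting. One practical way to turn that observation into a check is to snapshot every service's DependOnService value on a known-clean build and diff it against a suspect host. The PowerShell script below is an added example written for this reply; it is not code from the thread, and the baseline path and the -SaveBaseline switch are assumptions made here for illustration. It reads HKLM\SYSTEM\CurrentControlSet\Services directly, flags dependencies on service names that do not exist (a dependency on a missing service prevents the dependent service from starting), and reports any dependency that was not present in the baseline.

```powershell
# Added example, not from the original thread.
# Audits DependOnService values under the Services key so they can be compared
# against a baseline taken from a clean host. Run as Administrator.
# Assumptions (illustrative): the baseline path below is hypothetical, and the
# -SaveBaseline switch is this script's own convention for writing it.
param(
    [string]$BaselinePath = "C:\baseline\DependOnService.xml",  # hypothetical path
    [switch]$SaveBaseline
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Build a map of service name -> sorted list of the services it depends on.
# Only services that actually declare a DependOnService value are included.
function Get-DependOnServiceMap {
    $map = @{}
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.DependOnService) {
            # DependOnService is REG_MULTI_SZ; drop empty strings and sort for a stable diff
            $deps = @($props.DependOnService | Where-Object { $_ -ne '' } | Sort-Object)
            $map[$_.PSChildName] = $deps
        }
    }
    return $map
}

$current = Get-DependOnServiceMap

if ($SaveBaseline) {
    # Run this once on a freshly built server before it is exposed to the network.
    $current | Export-Clixml -Path $BaselinePath
    Write-Host "Saved baseline with $($current.Count) entries to $BaselinePath"
    return
}

# Check 1: dependencies that name a service with no registry key at all.
# Such a dependency can never be satisfied, so the dependent service
# (for example the components behind File & Printer Sharing) never starts.
$known = (Get-ChildItem -Path $servicesKey).PSChildName
foreach ($svc in $current.Keys) {
    foreach ($dep in $current[$svc]) {
        if ($known -notcontains $dep) {
            Write-Warning "$svc depends on '$dep', which is not a registered service"
        }
    }
}

# Check 2: dependencies added since the clean baseline was taken.
if (Test-Path $BaselinePath) {
    $baseline = Import-Clixml -Path $BaselinePath
    foreach ($svc in $current.Keys) {
        $old = if ($baseline.ContainsKey($svc)) { $baseline[$svc] } else { @() }
        $added = $current[$svc] | Where-Object { $old -notcontains $_ }
        foreach ($dep in $added) {
            Write-Warning "New dependency on '$dep' added to $svc since baseline"
        }
    }
} else {
    Write-Host "No baseline at $BaselinePath; run with -SaveBaseline on a clean host first"
}
```

Take the baseline from the same OS build and role configuration as the servers being checked, since legitimate role installs also add DependOnService entries; anything the diff reports on a host that has had no administrative change is worth pulling the service binary path and file hash for.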