I recently had to scrub a Windows server that was compromised while I was reconfiguring my firewall. Not my most shining moment as a sysadmin, but this is part of my business. Scrubbing Windows servers.

At any rate, one easily identifiable intrusion was a new Windows service called Dameware. This service seemed so neat and eager to be managed that I checked into it and, yes, it's legit remote control software for administrators. Except that it doesn't belong on my box.

The behavior I observed on the machine (before I scraped the drive clean and re-installed it) included enormous network activity (80 Mbps+) and an open port to some IP in France.

Since I did not do any kind of real investigation into what was being done to my machine, I'll never know what was eating up that bandwidth, but I'm wondering what the AO community thinks Dameware would be used for. Is it just a simple, easy capture of a system with loose Windows account security? Is there a known exploit that maybe I won't be prepared for next time? Is it commonly associated with another kind of attack?

My reason for wondering is that I don't think it's satisfactory for me to put a server behind a firewall and forget about securing it as best I can. If there is an exploit out there that points to my configuration, I want to be ready for it, firewall or no.

Thanks --
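The two indicators the post describes, an unfamiliar remote-control service and an established outbound connection with heavy traffic, are both cheap to check for before wiping a box. The following PowerShell triage script is an added example and is not code from the original post. It assumes an elevated session on Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`), that the name patterns `dameware|dwrcs|dwmrcs` cover the DameWare service and binary names in use (an assumption; extend them for your estate), that DameWare Mini Remote Control listens on its commonly documented default of TCP 6129, and that a baseline service list, if you have one, lives at the hypothetical path `C:\baseline-services.txt`.

```powershell
# Added triage example (not from the original post).
# Assumes: elevated PowerShell on Windows 8 / Server 2012+.
# The name patterns and the port 6129 default are assumptions to confirm
# against the DameWare version you actually find.

$remoteControlPatterns = 'dameware|dwrcs|dwmrcs'

# 1. Services whose name, display name or binary path look like a remote-control tool.
#    StartName tells you which account the service runs as; PathName tells you
#    where the binary lives (a non-standard directory is a further red flag).
$suspectServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        ($_.Name + ' ' + $_.DisplayName + ' ' + $_.PathName) -imatch $remoteControlPatterns
    }

foreach ($svc in $suspectServices) {
    [pscustomobject]@{
        Service   = $svc.Name
        Display   = $svc.DisplayName
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName
        Binary    = $svc.PathName
        Pid       = $svc.ProcessId
    }
}

# 2. Anything listening on the assumed DameWare default port.
Get-NetTCPConnection -State Listen -LocalPort 6129 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Established connections to non-private addresses, with the owning process.
#    A tool phoning home or a bulk transfer (the "80 Mbps to France" symptom)
#    shows up here; map the PID back to the service list above.
$privateRanges = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|::1$|fe80:)'

Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $privateRanges } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            Pid        = $_.OwningProcess
            Process    = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Binary     = if ($proc) { $proc.Path } else { '' }
        }
    } | Sort-Object RemoteAddr | Format-Table -AutoSize

# 4. Services that were not present on a known-good build.
#    Create the baseline once on a clean install with:
#      Get-Service | Select-Object -ExpandProperty Name | Set-Content C:\baseline-services.txt
$baselinePath = 'C:\baseline-services.txt'   # hypothetical path, adjust to taste
if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath
    Get-Service |
        Where-Object { $baseline -notcontains $_.Name } |
        Select-Object Name, DisplayName, Status
}
```

Run it and save the output before reimaging: the service account, binary path and remote address are what you need to work out whether the tool was dropped by way of a weak administrator password (DameWare installs its service remotely using Windows credentials) or by something else, which is the question the post is really asking. The script is read-only; it changes nothing on the host.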