
Thread: Virus Evades Panda & Kapersky

  1. #11
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I disagree with this assumption. It could have been introduced from a user clicking an email somewhere else on the network and then wormed it's way onto the server through an exploit. Ever hear of Code Red?
    Well.....why does that so-called user have those kinds of privileges on the network/server...to be able to run an exe on a server...

    I am sorry.....can you explain???

    I have seen worms infect open shares...because the users have full control rights to them....

    Users on networks should not have administrative access to a server....

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  2. #12
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Personally I agree with TS (and everyone else) that the box needs to come down, but just as important, the end users need to know WHY it is coming down, and I don't think I would go out of my way to make it painless.

    Remotely dealing with this issue is a bad idea at best.
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  3. #13
    Originally posted here by morganlefay
    Well.....why does that so-called user have those kinds of privileges on the network/server...to be able to run an exe on a server...

    I am sorry.....can you explain???

    I have seen worms infect open shares...because the users have full control rights to them....

    Users on networks should not have administrative access to a server....

    MLF
    The user doesn't need access to the server for a worm to infect a server with a known exploit. Code Red spread across the internet via an exploit in the IIS service. I certainly had no special access to an internet server out on the web, but if I was infected with Code Red, and the server was not patched, I would infect it, without my knowing it. All on Port 80.

    http://www.cert.org/advisories/CA-2001-19.html

    Look up Reatle too. I had three servers that I use get infected with that, and those servers have never been connected to the Internet, their browsers were never configured. There are 6 people with access to the servers, and none with admin access. Reatle came into my company's network via an email sent to a user in Singapore, and within 12 hours, computers all over the internal network were infected. Obviously the server admins were lax in applying security patches, but hey, stuff gets missed from time to time.

    It's not just about network shares, and shell access / remote desktop access anymore. If a worm can take advantage of an exploit in the OS, it can spread without a user having access to the system in any shape or form.

  4. #14
    Junior Member
    Join Date
    Nov 2005
    Posts
    12
    After you clean your server up, I would suggest that you implement proper security access controls, because someone has too many privileges on your network to allow this to get on a production device.

  5. #15
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If I might chime in here....

    JC: Yep... Theoretically you are correct... But... 99% of the time non-publicly available servers are compromised by their idiot admins/users using the server like it was a workstation... and running in the context of an administrator...

    That's the point dear Mistress LeFay is trying to, quite correctly, make... in her roundabout way...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #16
    Junior Member
    Join Date
    Nov 2005
    Posts
    12
    My point exactly.

  7. #17
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I highly doubt that the problem the OP had was infected by a worm....because I have seen this before on many a workstation...although never on a server

    A quick google search

    Process File: update or update.exe
    Description:

    update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer. It is a registered security risk and should be removed immediately.

    Note: update.exe is also a process belonging to the BargainBuddy advertising program by eXact Advertising LLC. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.
    From
    http://www.liutilities.com/products/...ibrary/update/

    AFAIK....this happened through clickty click click click...whether on a website or in an email....does not matter.

    Usually this kind of program cannot infect unless someone with admin privileges clickity clicked it


    and the server was not patched
    Well...there we find the problem and why your server became infected in the first place...sloppy admin policy

    Proper patching, monitoring etc. should slow down and/or prevent this from happening.

    Filtering of email, AUP, monitoring of the network and the constant OS, application and AV updates

    Yes infections do happen...but can be easily contained if your network is properly configured.

    Yes its a constant battle....

    Keeps me in wine

    MHO..as always

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #18
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Yeah, that's why I pointed out "Bargain Buddy"; it's a browser hijacker. Remember that stupid parrot (Bonzi) that was around a few years ago? Kids loved it, so everyone downloaded it along with the baggage.....

    MLF is correct, a user had too much free time and too many rights....

    What is Bargain Buddy?
    Bargain Buddy AKA Cashback by Bargain Buddy is a piece of adware that allows you to receive a rebate on purchases from participating merchants. Relevant ads are displayed as popups by the Bullseye Network portion of the software while it has a BHO (browser hijacker object) component to handle 404 errors in the form of a web site called Navisearch. All of these products are part of the Bargain Buddy package run by eXact Advertising.
    PC Hell
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  9. #19
    Senior Member
    Join Date
    Mar 2004
    Posts
    171

    Re: Virus Evades Panda & Kapersky

    Originally posted in the opening post:
    So this server already has Panda installed, so I ran a scan. Found 0 infected files. So next I tried online scans -- Housecall wouldn't run for some reason, but I got the Kapersky online scan to run. Interestingly enough, Kapersky found 4 infected files that Panda never caught; however, after even removing those, I still have tons of update.exe processes running.

    You can kill the processes, but they immediately crank right back up.

    So next I ran Spybot, and it found a handful of problems as well, but still failed to do anything about update.exe. Meanwhile, all these processes continue to eat away at the server's memory.
    Going back to the original post, it really isn't that unusual for one AV scanner to miss an infection while another picks right up on it. I have had McAfee blow right past a number of infections, and Norton's AV has caught them. Or both have missed them and Housecall has gotten them. McAfee did surprise me in completely missing an older, well known infection.

    Case in point for tightening up access to that server and locking it down a bit.
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: not good for anything, but the thought of pushing them down the stairs brings a smile to your face!
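The "kill it and it comes right back" symptom quoted above can be confirmed from two process listings taken a short time apart, rather than by eyeballing Task Manager. The script below is an added example, not code from this thread or from any of the posters: it parses two constructed `tasklist /fo csv` style snapshots (the PIDs, names and memory figures are made up for illustration) and flags every image name that is still present in the second snapshot but whose PIDs have completely turned over, which is exactly what a process that is being killed and relaunched looks like.

```python
"""Spot processes that keep coming back after being killed.

Compares two `tasklist /fo csv` style snapshots taken a short time apart.
An image name that appears in both snapshots with NO PID in common was
killed and restarted in between: something (a service, scheduled task,
or sibling process) is relaunching it. A partial overlap is ignored,
because an ordinary process that merely spawned extra workers would
still keep its original PID.
"""
import csv
from io import StringIO
from typing import Dict, Set

# Constructed sample snapshot, NOT real output from the poster's server.
SNAPSHOT_BEFORE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","880","Console","0","4,120 K"
"lsass.exe","644","Console","0","6,004 K"
"update.exe","1520","Console","0","12,300 K"
"update.exe","1532","Console","0","12,288 K"
"update.exe","1544","Console","0","12,296 K"
'''

# Constructed snapshot after every update.exe was killed: they are back with new PIDs.
SNAPSHOT_AFTER = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","880","Console","0","4,124 K"
"lsass.exe","644","Console","0","6,004 K"
"update.exe","2016","Console","0","12,300 K"
"update.exe","2028","Console","0","12,288 K"
"update.exe","2040","Console","0","12,296 K"
"update.exe","2052","Console","0","12,300 K"
'''


def parse_tasklist_csv(text: str) -> Dict[str, Set[int]]:
    """Map each image name (lower-cased) to the set of PIDs running under it."""
    pids: Dict[str, Set[int]] = {}
    # csv handles the quoted "12,300 K" memory column, so the comma is safe.
    for row in csv.DictReader(StringIO(text)):
        name = row["Image Name"].lower()
        pids.setdefault(name, set()).add(int(row["PID"]))
    return pids


def find_respawned(before: Dict[str, Set[int]],
                   after: Dict[str, Set[int]]) -> Dict[str, dict]:
    """Return names present in both snapshots whose PID sets do not overlap at all."""
    respawned: Dict[str, dict] = {}
    for name in before.keys() & after.keys():
        if not (before[name] & after[name]):
            respawned[name] = {
                "old_pids": sorted(before[name]),
                "new_pids": sorted(after[name]),
                "count_before": len(before[name]),
                "count_after": len(after[name]),
            }
    return respawned


def respawn_report(before_text: str, after_text: str) -> Dict[str, dict]:
    """Convenience wrapper: parse both snapshots and diff them."""
    return find_respawned(parse_tasklist_csv(before_text),
                          parse_tasklist_csv(after_text))


if __name__ == "__main__":
    # Stand-alone run over the constructed snapshots above.
    for name, info in respawn_report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{name}: {info['count_before']} instance(s) -> "
              f"{info['count_after']} instance(s), all PIDs changed "
              f"({info['old_pids']} -> {info['new_pids']})")
```

On a real box you would save `tasklist /fo csv` to a file, kill the suspect processes, save a second listing a minute later, and feed both files to `respawn_report`. A name that comes back with all-new PIDs tells you the executable itself is not the thing to chase; the next step is to find what is launching it (its parent process, a service entry, a scheduled task or a Run key), which is why the thread's advice to take the box offline and rebuild access controls rather than keep killing processes is the right call.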

  10. #20
    Originally posted here by morganlefay
    I highly doubt that the problem the OP had was infected by a worm....because I have seen this before on many a workstation...although never on a server

    <snip>

    MHO..as always

    MLF
    I agree with what you said to the original poster, but I was simply stating and giving a personal example of how your assumption could be wrong. Yes, daily patching and email monitoring, and AUP, and all that will help. However, there are more ways to infect a host than by allowing a user to open a browser.

    I was simply posting an alternative that I have experienced in the past.
