-
March 31st, 2006, 07:11 PM
#11
I disagree with this assumption. It could have been introduced from a user clicking an email somewhere else on the network and then wormed its way onto the server through an exploit. Ever hear of Code Red?
Well... why does that so-called user have those kinds of privileges on the network\server... to be able to run an exe on a server...
I am sorry.....can you explain???
I have seen worms infect open shares...because the users have full control rights to them....
Users on networks should not have administrative access to a server....
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
March 31st, 2006, 08:06 PM
#12
Personally I agree with TS (and everyone else) that the box needs to come down, but just as important, the end users need to know WHY it is coming down, and I don't think I would go out of my way to make it painless.
Remotely dealing with this issue is a bad idea at best.
~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!
-
March 31st, 2006, 08:29 PM
#13
Member
Originally posted here by morganlefay
Well... why does that so-called user have those kinds of privileges on the network\server... to be able to run an exe on a server...
I am sorry.....can you explain???
I have seen worms infect open shares...because the users have full control rights to them....
Users on networks should not have administrative access to a server....
MLF
The user doesn't need access to the server for a worm to infect a server with a known exploit. Code Red spread across the internet via an exploit in the IIS service. I certainly had no special access to an internet server out on the web, but if I was infected with Code Red, and the server was not patched, I would infect it, without my knowing it. All on Port 80.
http://www.cert.org/advisories/CA-2001-19.html
Look up Reatle too. I had three servers that I use get infected with that, and those servers have never been connected to the Internet, their browsers were never configured. There are 6 people with access to the servers, and none with admin access. Reatle came into my company's network via an email sent to a user in Singapore, and within 12 hours, computers all over the internal network were infected. Obviously the server admins were lax in applying security patches, but hey, stuff gets missed from time to time.
It's not just about network shares, and shell access / remote desktop access anymore. If a worm can take advantage of an exploit in the OS, it can spread without a user having access to the system in any shape or form.
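What the Code Red traffic JC describes looks like from the server's side, as an added example that is not part of the thread or of the CERT advisory. The worm's whole "infection" was one HTTP GET to /default.ida, handled by the Indexing Service ISAPI extension, with a query string of a few hundred repeated characters followed by %u-encoded shellcode; no credentials, no share, no interactive user. The script below parses IIS W3C extended log lines (the #Fields: header names the columns) and flags requests that match that shape. The log lines are constructed; the thresholds are assumptions.

```python
"""Flag Code Red-style Indexing Service probes in IIS W3C extended logs.

Added example, not from the thread. The request that carried Code Red
(CERT CA-2001-19) was a GET for /default.ida whose query string was a long
run of one letter followed by %uXXXX-encoded shellcode. Log lines below
are constructed to show one clean request, two probes and one legitimate
.idq query; field layout assumes IIS's W3C extended format.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:00:01 10.0.0.5 GET /index.htm - 200
2001-07-19 10:00:07 10.0.0.77 GET /default.ida {n}%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-07-19 10:01:12 10.0.0.9 GET /search.idq q=report 200
2001-07-19 10:02:44 10.0.0.78 GET /default.ida {x}%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-07-19 10:03:00 10.0.0.5 GET /default.htm - 404
""".format(n="N" * 224, x="X" * 224)

IDA_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)   # extensions mapped to idq.dll
RUN = re.compile(r"^([A-Za-z])\1{99,}")             # 100+ repeats of one letter
UNICODE_ESC = re.compile(r"(%u[0-9a-fA-F]{4}){3,}")  # %uXXXX-encoded payload
LONG_QUERY = 200                                    # assumed threshold


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def classify(entry):
    """Return why an entry looks like an Indexing Service overflow, or None.

    Only requests for .ida/.idq are considered, so a normal .idq search
    with a short, sane query is not flagged.
    """
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    if not IDA_EXT.search(stem):
        return None
    reasons = []
    m = RUN.match(query)
    if m:
        reasons.append("%d-char run of %r" % (m.end(), m.group(1)))
    if UNICODE_ESC.search(query):
        reasons.append("%u-encoded payload")
    if len(query) > LONG_QUERY:
        reasons.append("query length %d" % len(query))
    return "; ".join(reasons) if reasons else None


def find_probes(text):
    """List (date, time, source ip, uri, reason) for every flagged request."""
    hits = []
    for e in parse_w3c(text):
        why = classify(e)
        if why:
            hits.append((e["date"], e["time"], e["c-ip"], e["cs-uri-stem"], why))
    return hits


def sources(hits):
    """Count probes per source address: infected hosts scan, so each shows up repeatedly."""
    return Counter(h[2] for h in hits)


if __name__ == "__main__":
    for h in find_probes(SAMPLE_LOG):
        print(*h)
```

Every flagged source in a real log is a host that is itself already infected and scanning, which is the point of JC's post: the server was attacked by a peer, not by anyone who had rights on it.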
-
March 31st, 2006, 08:35 PM
#14
Junior Member
After you clean your server up, I would suggest that you implement proper security access controls, because someone has too many privileges on your network to allow this to get on a production device.
-
March 31st, 2006, 08:38 PM
#15
If I might chime in here....
JC: Yep... Theoretically you are correct... But... 99% of the time non-publicly available servers are compromised by their idiot admins/users using the server like it was a workstation... and running in the context of an administrator...
That's the point dear Mistress LeFay is trying to, quite correctly, make... in her roundabout way...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 31st, 2006, 08:43 PM
#16
Junior Member
-
March 31st, 2006, 08:58 PM
#17
I highly doubt that the problem the OP had was caused by a worm... because I have seen this before on many a workstation... although never on a server.
A quick google search
Process File: update or update.exe
Description:
update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer. It is a registered security risk and should be removed immediately.
Note: update.exe is also a process belonging to the BargainBuddy advertising program by eXact Advertising LLC. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.
From
http://www.liutilities.com/products/...ibrary/update/
AFAIK... this happened through clickety click click click... whether on a website or in an email... does not matter.
Usually this kind of program cannot infect unless someone with admin privileges clickety clicked it.
and the server was not patched
Well...there we find the problem and why your server became infected in the first place...sloppy admin policy
Proper patching, monitoring etc. should slow down and/or prevent this from happening.
Filtering of email, AUP, monitoring of the network and the constant OS, application and AV updates.
Yes infections do happen...but can be easily contained if your network is properly configured.
Yes its a constant battle....
Keeps me in wine
MHO..as always
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
March 31st, 2006, 09:05 PM
#18
Yeah, that's why I pointed out "Bargain Buddy", it's a Browser Hijacker. Remember that stupid parrot (Bonzi) that was around a few years ago? Kids loved it, so everyone downloaded it along with the baggage.....
MLF is correct, a user had too much free time and too many rights....
What is Bargain Buddy?
Bargain Buddy AKA Cashback by Bargain Buddy is a piece of adware that allows you to receive a rebate on purchases from participating merchants. Relevant ads are displayed as popups by the Bullseye Network portion of the software while it has a BHO (browser hijacker object) component to handle 404 errors in the form of a web site called Navisearch. All of these products are part of the Bargain Buddy package run by eXact Advertising.
PC Hell
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
March 31st, 2006, 09:22 PM
#19
Re: Virus Evades Panda & Kapersky
So this server already has Panda installed, so I ran a scan. Found 0 infected files. So next I tried online scans -- Housecall wouldn't run for some reason, but I got the Kaspersky online scan to run. Interestingly enough, Kaspersky found 4 infected files that Panda never caught; however, after even removing those, I still have tons of update.exe processes running.
You can kill the processes, but they immediately crank right back up.
So next I ran Spybot, and it found a handful of problems as well, but still failed to do anything about update.exe. Meanwhile, all these processes continue to eat away at the server's memory.
Going back to the original post, it really isn't that unusual for one AV scanner to miss an infection while another picks right up on it. I have had McAfee blow right past a number of infections that Norton's AV has caught. Or both have missed them and Housecall has gotten them. McAfee did surprise me by completely missing an older, well known infection.
Case in point for tightening up access to that server and locking it down a bit.
~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!
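The "kill them and they immediately crank right back up" symptom quoted above means something still alive is relaunching update.exe, and the scanners that missed it are not going to tell you what. An added example, not code from the thread: take a process snapshot with `wmic process get Name,ProcessId,ParentProcessId,ExecutablePath /format:csv` before and after `taskkill /F /IM update.exe`, then walk the parent chain of every new instance back to the first process that is not update.exe. That ancestor is the launcher and is what actually has to be stopped (and, if it runs under a system name from the wrong directory, it is the real infection). Both snapshots are constructed; the PIDs, the paths and the rogue copy of svchost.exe in the Windows directory are hypothetical, and the table of system-only paths assumes a default 32-bit install.

```python
"""Find what keeps restarting a process that comes back after taskkill.

Added example, not from the thread. Input is the CSV that
    wmic process get Name,ProcessId,ParentProcessId,ExecutablePath /format:csv
prints (real wmic output starts with a blank line and uses CR CR LF line
endings; the parser tolerates both). Snapshots below are constructed.
"""
import csv

BEFORE = r"""
Node,ExecutablePath,Name,ParentProcessId,ProcessId
SRV01,C:\WINDOWS\system32\services.exe,services.exe,520,600
SRV01,C:\WINDOWS\system32\svchost.exe,svchost.exe,600,812
SRV01,C:\WINDOWS\explorer.exe,explorer.exe,1640,1700
SRV01,C:\WINDOWS\svchost.exe,svchost.exe,1700,1388
SRV01,C:\WINDOWS\system32\update.exe,update.exe,1388,2044
SRV01,C:\WINDOWS\system32\update.exe,update.exe,2044,2088
SRV01,C:\WINDOWS\system32\update.exe,update.exe,1388,2102
"""

# Same box a few seconds after `taskkill /F /IM update.exe`: the old PIDs are
# gone, two fresh instances are already back, started by PID 1388.
AFTER = r"""
Node,ExecutablePath,Name,ParentProcessId,ProcessId
SRV01,C:\WINDOWS\system32\services.exe,services.exe,520,600
SRV01,C:\WINDOWS\system32\svchost.exe,svchost.exe,600,812
SRV01,C:\WINDOWS\explorer.exe,explorer.exe,1640,1700
SRV01,C:\WINDOWS\svchost.exe,svchost.exe,1700,1388
SRV01,C:\WINDOWS\system32\update.exe,update.exe,1388,2310
SRV01,C:\WINDOWS\system32\update.exe,update.exe,2310,2334
"""

# Binaries Windows only runs from here; a copy elsewhere is masquerading.
# Assumption for a default 32-bit install (add SysWOW64 on x64).
SYSTEM_ONLY = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}


def parse_wmic_csv(text):
    """Return {pid: {pid, ppid, name, path}} from a wmic /format:csv dump."""
    lines = [ln for ln in text.splitlines() if ln.strip()]  # drop wmic's blank lines
    procs = {}
    for row in csv.DictReader(lines):
        pid = int(row["ProcessId"])
        procs[pid] = {"pid": pid, "ppid": int(row["ParentProcessId"]),
                      "name": row["Name"].lower(), "path": row["ExecutablePath"]}
    return procs


def launchers(procs, target):
    """Map each launcher PID to the target instances it is ultimately behind.

    Walks every target instance up its parent chain past other target
    instances (the worm's own children) to the first foreign ancestor.
    Key None collects instances whose chain ends in a PID that no longer
    exists, i.e. the launcher already exited.
    """
    found = {}
    for p in procs.values():
        if p["name"] != target:
            continue
        cur, seen = p, {p["pid"]}
        while True:
            parent = procs.get(cur["ppid"])
            if parent is None:
                found.setdefault(None, []).append(p["pid"])
                break
            if parent["name"] != target:
                found.setdefault(parent["pid"], []).append(p["pid"])
                break
            if parent["pid"] in seen:  # PID reuse can fake a cycle; stop
                break
            seen.add(parent["pid"])
            cur = parent
    return found


def respawned(before, after, target):
    """(pid, parent pid, parent path) for target instances that are new since the kill."""
    out = []
    for pid, p in sorted(after.items()):
        if p["name"] == target and pid not in before:
            parent = after.get(p["ppid"])
            out.append((pid, p["ppid"], parent["path"] if parent else "<exited>"))
    return out


def masquerading(procs):
    """Processes using a system binary's name from a directory it never lives in."""
    bad = []
    for p in procs.values():
        want = SYSTEM_ONLY.get(p["name"])
        if want and not p["path"].lower().startswith(want):
            bad.append((p["pid"], p["path"]))
    return bad


def report(before_csv, after_csv, target="update.exe"):
    before, after = parse_wmic_csv(before_csv), parse_wmic_csv(after_csv)
    return {"launchers": launchers(after, target),
            "respawned": respawned(before, after, target),
            "masquerading": masquerading(after)}


if __name__ == "__main__":
    for k, v in report(BEFORE, AFTER).items():
        print(k, v)
```

In the constructed case the answer is PID 1388, a process calling itself svchost.exe but running from C:\WINDOWS instead of system32, which is exactly the kind of thing a signature scanner with no entry for it walks past. Stop the launcher first (and check its own parent and the Run keys or service it came from), then the update.exe instances stay dead; killing only the children is what the original poster had been doing.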
-
April 1st, 2006, 03:51 AM
#20
Member
Originally posted here by morganlefay
I highly doubt that the problem the OP had was caused by a worm... because I have seen this before on many a workstation... although never on a server.
<snip>
MHO..as always
MLF
I agree with what you said to the original poster, but I was simply stating and giving a personal example of how your assumption could be wrong. Yes, daily patching and email monitoring, and AUP, and all that will help. However, there are more ways to infect a host than by allowing a user to open a browser.
I was simply posting an alternative that I have experienced in the past.