
Thread: Suspicious Traffic being reported in FW logs

  1. #11
    brokencrow (Dissident 4dm1n)
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    The ip address for "7oo.meibu.com" is 222.133.185.232. You could check your logs for any connections there.

    I ran 222.133.185.232 thru apnic.net's site and also visited the ip address via Firefox. Jiagoo.com uses that ip address, hosted by China Network Communications Group Corporation. CNCGC owns a range of ip addresses: 222.132.0.0 - 222.135.255.255

    Might block anything in the range in your FW (unless you're doing business with someone in China).

    edit -- looking at dalek's McAfee links, these trojans are ranked low risk.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
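As an added example (not code from the thread), a defender-side log check in Python that does what brokencrow suggests: scan firewall log lines for connections to the 7oo.meibu.com address or anything in the CNCGC range. The log lines and their format are constructed assumptions; adjust the regex to your firewall's actual format.

```python
import ipaddress
import re

# Indicators quoted in the thread: the resolved address of 7oo.meibu.com and the
# CNCGC allocation 222.132.0.0 - 222.135.255.255 (written here as a /14).
KNOWN_BAD = {ipaddress.ip_address("222.133.185.232"): "7oo.meibu.com"}
SUSPECT_NETS = [ipaddress.ip_network("222.132.0.0/14")]

# Constructed sample firewall log lines (not from the thread). The format is an
# assumption: "<date> <time> <ACTION> <proto> <src>:<port> -> <dst>:<port>".
SAMPLE_LOG = """\
2006-07-10 09:12:01 ALLOW TCP 192.168.1.20:1045 -> 222.133.185.232:80
2006-07-10 09:12:05 ALLOW TCP 192.168.1.20:1046 -> 64.233.167.99:80
2006-07-10 09:13:44 ALLOW TCP 192.168.1.20:1050 -> 222.135.7.9:8080
2006-07-10 09:14:02 DENY  TCP 10.0.0.5:3389 -> 222.1.2.3:443
2006-07-10 09:15:10 ALLOW UDP 192.168.1.20:1024 -> 222.131.255.255:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY)\s+(?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def classify(dst):
    """Return a reason string if dst matches an indicator from the thread, else None."""
    addr = ipaddress.ip_address(dst)
    if addr in KNOWN_BAD:
        return "matches " + KNOWN_BAD[addr]
    for net in SUSPECT_NETS:
        if addr in net:
            return "inside suspect range " + str(net)
    return None

def find_suspect_connections(log_text):
    """Parse each line and keep those whose destination matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format rather than guessing
        reason = classify(m["dst"])
        if reason:
            hits.append({**m.groupdict(), "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_connections(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]}:{hit["dport"]}  ({hit["reason"]})')
```

On the constructed sample this flags two lines (the 7oo.meibu.com address and a host inside 222.132.0.0/14); 222.131.255.255 sits just outside the range and is correctly ignored.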

  2. #12
    Junior Member
    Join Date
    Jul 2006
    Posts
    4
    I don't think that trojan should be considered "low-risk".

    If it's able to spawn a command shell with Local System privileges and can accept remote commands to shutdown/reboot a server, that's a pretty high-risk trojan IMO.

  3. #13
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    hucast21...you are very right

    My question is ....how does a trojan get into a server.....in the first place...and the system dir to boot.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #14
    Junior Member
    Join Date
    Jul 2006
    Posts
    4
    Trojans on the server can be caused by many things:

    Viruses/worms out in the wild that drop trojans during their payload, creating botnets.

    Network admin surfs the net using the server instead of a workstation. (You'd be surprised how many do this...) While surfing, he/she comes across a website that has a 0-day exploit for IE in its code, installing the trojan from there.

    Trojans posing to be legitimate applications. Can be spread via email, IM, or P2P networks like Bearshare, Kazaa, Limewire, etc.

    Those are some ways off the top of my head.

  5. #15
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Thanks....

    I am well aware how these things happen....my point was that the server is obviously be used as a workstation.....

    BackDoor-CKB: "When run..."
    BackDoor-CPX: "Upon execution..."
    Somebody clicked on something....



  6. #16
    Junior Member
    Join Date
    Jul 2006
    Posts
    4
    Gotcha.

    I misunderstood your post, sorry about that.

  7. #17
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    This server is an application server that houses mostly engineering apps. It does not host email of any kind.
    Oh......I think I figured it out........Engineers


  8. #18
    brokencrow (Dissident 4dm1n)
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Here's the other half of my 'two bits':

    1) Clean it up. Try an online scan (Trendmicro or Panda) to get a second opinion, too. Clean up all the temp chit, too.

    2) Run MS's Port Reporter on that server if you got the time for another log file. It might be the app you're looking for.

    3) Dust off the backups if you got to go to Plan B.

  9. #19
    Junior Member
    Join Date
    Jul 2006
    Posts
    4
    3) Dust off the backups if you got to go to Plan B.
    A word of caution about backups: He might not be able to pinpoint when the trojan was installed on the server. The intruder could've connected to the backdoor and installed even more files. The server would then make successful backups of the compromised files.

    So, at a server break-in, it's kind of hard to trust your backups.
