-
October 23rd, 2008, 07:16 AM
#1
Portable App
Hey all
Yesterday our network got hit very hard by some malware. Panda Corporate didn't spot it and neither did our perimeter defense. Everyone is "trying" to blame someone, blocking Gmail etc.
Now instead of fixing the problem the idiot would rather try and "plug" a hole rather than admit that the AV we have implemented is totally crap.
An AVG PC with an outdated database was able to detect everything on my flash drive.
Anyhow on my workstation AVG is cleaning things up, however there are 2 production servers left which the boss is on my head for.
1st server is running stable at the moment.
2nd server keeps on going into standby mode for some reason, I have checked the power settings etc and everything is fine, I would assume this is malware based. Every 20 seconds it will go into standby and will pause the work/scan at hand.
Any ideas how to clean this in a timely manner?
Thanks
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
October 23rd, 2008, 04:40 PM
#2
First, don't assume anything. It's not unusual to find concurrent issues
on any given PC, including servers.
Take a good look at the processes and services running on that server.
Google anything that doesn't look familiar. Shaking down a server like
that is a rather more formidable task than doing the same on a desktop.
You might try something like Portable Clamwin to doublecheck for any
viruses. That version is designed to run off a USB stick, but it's easily
copied to a HDD and run from there. It doesn't need a full-blown install
like most AV apps so it's easily installed with a minimum of registry changes.
It's not the greatest AV app, but it does give you a second opinion.
HTH.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
October 23rd, 2008, 06:27 PM
#3
I have seen workstations infected with viruses... and yes, these can infect certain data areas on a server...
But I still cannot understand how a server becomes infected with a virus without someone using it to read email or surf the world wide web using the all-powerful administrator account... which is a no-no... basic security 101.
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 25th, 2008, 04:40 PM
#4
Originally Posted by morganlefay
But I still cannot understand how a server becomes infected with a virus without someone using it to read email or surf the world wide web using the all-powerful administrator account... which is a no-no... basic security 101.
I believe this was already covered
Originally Posted by Cider
Now instead of fixing the problem the idiot would rather try and "plug" a hole rather than admit that the AV we have implemented is totally crap.
A chain is only as strong as its weakest link. Same goes for networks, and the programs intended to protect them.
CTO
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
-
October 25th, 2008, 07:41 PM
#5
I believe this was already covered
I must be missing it then????
How did the server become infected???
maybe you can splain it to me....
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 26th, 2008, 05:29 AM
#6
Originally Posted by Cider
Yesterday our network got hit very hard by some malware. Panda Corporate didn't spot it and neither did our perimeter defense. Everyone is "trying" to blame someone, blocking Gmail etc.
Now instead of fixing the problem the idiot would rather try and "plug" a hole rather than admit that the AV we have implemented is totally crap.
An AVG PC with an outdated database was able to detect everything on my flash drive.
The server became infected, as Cider believes, because the AV protection they employed was crap and did not do the job... Much like hiring a night watchman who sleeps on the job - the thieves just slip right by.
Why the server became infected is simply the nature of the www?
I think Cider's beef is the fact the id10t would rather apply a fix to the issue now and give the night watchman a stern talking to - as opposed to replacing them with a more secure, highly thought of product - Trend would be a nice way to go, I think.
CTO
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
-
October 26th, 2008, 06:34 AM
#7
What was executed... with administrator privileges... on a server?? And how?
What was the role of this server??
How did the lack of an AV cause an infection?? It is a reactive approach?
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 26th, 2008, 08:51 AM
#8
http://www.malwarebytes.org/
By far THE best scanner....Good Luck!
"It is a shame that stupidity is not painful" - Anton LaVey
-
October 26th, 2008, 09:09 PM
#9
Hi Cider, long time no talk.....sorry about that............. will explain later.
Yesterday our network got hit very hard by some malware. Panda Corporate didn't spot it and neither did our perimeter defense. Everyone is "trying" to blame someone, blocking Gmail etc.
Hey, welcome to the world of corporate management pal, and the "blame culture".
Now instead of fixing the problem the idiot would rather try and "plug" a hole rather than admit that the AV we have implemented is totally crap.
As I see it, the guy is at least a half right. Hell, you obviously do have a "hole" somewhere in your defences. You need to examine:
1. Your security model and policies.
2. Your processes to implement that model.
3. Your procedures to support those processes.
4. Your software and manual activities support your procedures.
5. Your audit, management and enforcement processes support your policies and its infrastructure.
Security is a layered approach that requires commitment at all levels of an organisation. You cannot buy it off a supermarket shelf like a box of breakfast cereals, and there is no "magic bullet" solution; despite what some vendors would like you to believe.
You need to look at what attacked you, how it got there, and how it spread. That will tell you where the gaps are. Fix those gaps and then, and only then, can you publicly execute the culprits
Please remember that if you have a home user, or small business security suite, it is largely pre-configured to provide a reasonable level of protection. Corporate solutions, on the other hand are generally pretty useless out of the box, as there is no way the vendor can make reasonable assumptions regarding corporate architectures.
If you accept that, then the problem is more likely to be the way that the system was implemented than the product itself. I am sure that you will appreciate this more if you consider firewalls on their own. If you don't know how to set one up, it is worse than useless, as it lulls you into a false sense of security.
MLF has some good questions.............. what was the malware, and what was the server's role?
Please remember that you have an "enemy within" and if you let them bring external crap into the company, read their private e-mail, attach unauthorised devices, install unauthorised software, visit their Facebook or other crap, trade on e-bay, and on and on and on............... then just make sure that they know that it is an instant dismissal offence and that they sign up (at least once every 3 months) to the fact that they haven't forgotten that.
-
October 27th, 2008, 08:30 AM
#10
Hey all,
I haven't read all the posts, I will do so and reply to everyone's post.
Basically, this malware was copying every file in the directory it was in. For instance in the root of C, it would copy every file whether it was a dll, word doc or whatever, and it would change it to a .exe. All the files that were created were either 631 kb in size or 218 and were modified on the same day.
Basically I uninstalled our AV and put on AVG protection for file servers. This cleaned up everything and landed up with 2.5k infected files. These were the ones that got duplicated.
This is to answer MLF.
Both our servers are logged on with ADMINISTRATOR at all times. Don't ask me why. I believe it started duplicating files on a share that the marketing department uses and then just spread like wildfire.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
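The behaviour Cider describes in post #10 (every file in a directory duplicated as a same-named .exe of a fixed size) is a companion-style infection, and it can be triaged from the filesystem alone before a signature exists. The script below is an added example, not code from the thread or from any AV product: it walks a tree, flags any .exe that sits next to a non-exe file with the same stem, and marks whether the size is near the 631 KB / 218 KB values reported (treating those as KiB is an assumption). The demo tree it builds is constructed, zero-filled files.

```python
import os
import tempfile
from pathlib import Path

# Sizes the thread reports for the dropped copies (631 KB / 218 KB); KiB is an assumption.
SUSPECT_SIZES = {631 * 1024, 218 * 1024}
SIZE_TOLERANCE = 1024  # +/- 1 KiB slack around each suspect size

def find_companion_executables(root, suspect_sizes=SUSPECT_SIZES):
    """Flag .exe files that share a stem with a non-exe file in the same directory.
    Returns sorted (exe_path, shadowed_path, size_match) tuples: a companion dropper
    leaves report.exe next to report.doc; a stand-alone installer has no such twin."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.lower(), []).append((name, ext.lower()))
        for entries in by_stem.values():
            exes = [n for n, e in entries if e == ".exe"]
            others = [n for n, e in entries if e != ".exe"]
            for exe in exes:
                exe_path = os.path.join(dirpath, exe)
                size = os.path.getsize(exe_path)
                size_match = any(abs(size - s) <= SIZE_TOLERANCE for s in suspect_sizes)
                for other in others:
                    hits.append((exe_path, os.path.join(dirpath, other), size_match))
    return sorted(hits)

def build_sample_tree():
    """Create a constructed demo tree of zero-filled files (no real malware involved)."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    layout = {
        "report.doc": 4096,         # legitimate document
        "report.exe": 631 * 1024,   # companion copy at a suspect size
        "sub/lib.dll": 2048,        # legitimate library
        "sub/lib.exe": 218 * 1024,  # companion copy at the other suspect size
        "setup.exe": 100 * 1024,    # stand-alone exe with no twin: not flagged
        "notes.txt": 512,
        "notes.exe": 50 * 1024,     # twin exists but size is unexpected: flagged, size_match False
    }
    for rel, size in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * size)
    return root

if __name__ == "__main__":
    for exe, twin, size_match in find_companion_executables(build_sample_tree()):
        print(f"{exe} shadows {twin} [{'size match' if size_match else 'size differs'}]")
```

Run it against a copy of the affected share's tree (or a backup) rather than the live server; the stem-collision rule is the strong signal, the size check only ranks the hits.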