-
July 16th, 2002, 10:00 PM
#21
Nothing more to really add, I just wanted to say that this is by far the best post I have read in a while. Not saying that other posts are crap, I'm just saying that I enjoyed reading this. Very informative.
Violence breeds violence
we need a world court
not a republican with his hands covered in oil and military hardware lecturing us on world security!
-
July 16th, 2002, 10:17 PM
#22
Junior Member
check out..
You may want to check the following locations in your registry; these are the most common places trojans (and legit apps too) will place entries:
For W2k Server...
My Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
My Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce
My Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnceEX
You've already gone through your list of services; you can also check your startup folder, though I doubt it would be in there.
You can also use the command 'netstat -a', which will show you what ports you have listening, and more importantly, what ports have established connections and to whom.
I would suggest possibly getting this box behind a firewall. If it's directly connected to the DSL modem, then I'd suggest a firewall like Sygate 5 PRO or something similar (I like the way Sygate displays individual connections, and the ability to point and kill a connection). It will take a little time to set up a firewall, but the good thing is, if you configure the firewall correctly, it will prevent a lot of trojan apps from getting out, as well as protect you from incoming attacks. Good luck.
Wolfe...............
...to fly upon the wings of imagination is to have the key to the world...
-
July 17th, 2002, 05:55 PM
#23
OK... Here is the update for you people. I wiped out the system yesterday, and did a fresh install of Windows 2000 Server.
Here is a check list of what I did security wise:
Installed only necessary components for the web server.
Installed service pack 2, and security roll up package, along with critical updates after that.
Deleted the IIS sample files
Unmapped the extensions that don't get used by IIS, .htw, .htr, etc...
Deleted the virtual directories that get automatically created with IIS.
Disabled NETBIOS over TCP/IP
Administrative shares and anonymous access restricted
Disabled anonymous access to the registry by editing a key in the registry.
Installed Norton AntiVirus Enterprise
Made sure any FTPs did not allow anonymous access.
Renamed Admin login
Used different passwords from the last box, and all passwords contain letters and numbers
And that pretty much sums it up... Tonight I am going to install AATools, and get a better look at what ports are being opened by what processes. I am going to look into those services in more detail and see if I need them on.
Is there anything else that you guys would suggest doing, or anything I may have forgotten from my check list? Thanks.
An Ounce of Prevention is Worth a Pound of Cure...
 
-
July 18th, 2002, 04:42 AM
#24
I'd suggest 2 tools from m$ (and they're free even... )
IIS lockdown and urlscan (which is now at v2 I think)....
lockdown will scan all running services and has several levels of security...it will disable any unneeded services based on the security level you choose...
urlscan is a tool which scans all incoming url requests for "badness" and prevents them from getting to IIS...
The tool, URLScan, screens all incoming requests to the server, and filters them based on rules set by the administrator. This secures the server by ensuring that only valid requests are processed.
URLScan is effective in protecting web servers because most attacks share a common characteristic – they involve the use of a request that’s unusual in some way. For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests. By filtering out all unusual requests, URLScan prevents them from reaching the server and potentially causing damage.
http://www.microsoft.com/windows2000...an/default.asp
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
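A minimal sketch of the kind of request screening the URLScan description in post #24 refers to (over-long requests, unusual verbs, alternate encodings, rarely seen character sequences), added here as an illustration. It is not URLScan's code or configuration and not part of the thread; the function name, limits and deny lists are all assumptions.

```python
from urllib.parse import unquote

# Every limit and list here is an assumption for illustration, not a URLScan default.
MAX_URL_LEN = 260
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
DENIED_SEQUENCES = ("..", "./", "\\", ":")
DENIED_EXTENSIONS = (".htw", ".htr")  # the unused mappings named in post #23


def screen_request(request_line):
    """Return (allowed, reason) for a single HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb, raw_url, _version = parts
    if verb not in ALLOWED_VERBS:
        return False, "verb not allowed"
    if len(raw_url) > MAX_URL_LEN:
        return False, "URL too long"
    # Decode the path exactly once; invalid UTF-8 becomes U+FFFD (non-ASCII).
    path = unquote(raw_url.split("?", 1)[0])
    if any(ord(ch) > 127 for ch in path):
        return False, "non-ASCII or alternate encoding"
    if "%" in path:
        # A percent sign surviving one decode means double or non-standard escaping.
        return False, "escape left after decoding"
    if any(seq in path for seq in DENIED_SEQUENCES):
        return False, "denied character sequence"
    if path.lower().endswith(DENIED_EXTENSIONS):
        return False, "denied extension"
    return True, "ok"


# Constructed sample request lines, not taken from any real log.
SAMPLES = [
    "GET /index.htm HTTP/1.0",
    "TRACE / HTTP/1.0",
    "GET /" + "A" * 300 + " HTTP/1.0",
    "GET /docs/%c0%afindex.htm HTTP/1.0",
    "GET /a/%252e%252e/b.htm HTTP/1.0",
    "GET /a/../b.htm HTTP/1.0",
    "GET /search/query.htw?x=1 HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        allowed, reason = screen_request(line)
        print("ALLOW" if allowed else "BLOCK", reason, line[:60])
```

The checks run in a fixed order, so a request that violates several rules reports only the first one it hits.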