I have a dell box running server 2003 sp1, and my network folks tell me that
it has been compromised by a Trojan.  They see outbound traffic over port
220. their solution is to take the machine down and reformat the drive.
There has got to be another way.   how do I block this port?  Outbound
firewall?  Any suggestions would be appreciated.  Thanks.

[ Post a follow-up to this message ]

Best would be to rid the box of the Trojan -- who know what else it is doing
besides sending traffic out 220!
If your AV did not find it then try ClamWin (http://clamwin.com) and/or
Microsoft's new AntiSpyWare Beta (http://www.microsoft.com/)


"id3ego2" <id3ego2@discussions.microsoft.com> wrote in message
news:C8060435-609A-447D-B9DA-D65F9C343702@microsoft.com...
> I have a dell box running server 2003 sp1, and my network folks tell me
that
> it has been compromised by a Trojan.  They see outbound traffic over port
> 220. their solution is to take the machine down and reformat the drive.
> There has got to be another way.   how do I block this port?  Outbound
> firewall?  Any suggestions would be appreciated.  Thanks.

[ Post a follow-up to this message ]

On Mon, 9 May 2005 08:48:02 -0700, "id3ego2"
<id3ego2@discussions.microsoft.com> wrote:

>I have a dell box running server 2003 sp1, and my network folks tell me tha
t
>it has been compromised by a Trojan.  They see outbound traffic over port
>220. their solution is to take the machine down and reformat the drive.
>There has got to be another way.   how do I block this port?  Outbound
>firewall?  Any suggestions would be appreciated.  Thanks.

First, the answer to your question:  To block a port, inbound or
outbound, simply don't open it in your firewall.  You don't actually
open ports that aren't needed do you?

As for your network folks, they're right.  If there is a trojan, the
system is compromised.  The prudent, responsible action is to flatten
the box and restore only known good data.

Jeff

[ Post a follow-up to this message ]

"id3ego2" <id3ego2@discussions.microsoft.com> wrote in message
news:C8060435-609A-447D-B9DA-D65F9C343702@microsoft.com...
>I have a dell box running server 2003 sp1, and my network folks tell me
>that
> it has been compromised by a Trojan.  They see outbound traffic over port
> 220. their solution is to take the machine down and reformat the drive.
> There has got to be another way.   how do I block this port?  Outbound
> firewall?  Any suggestions would be appreciated.  Thanks.

Reformating is your last option.
Remove the trojan with tools listed in post above and if you want to block
outbound traffic via 220 use IPsec policy.

Dra

[ Post a follow-up to this message ]

Reformatting may, or may not be the last option. It really depends on how
critical this server is, and how important the data/apps that are on it are.
Removing the trojan might still leave 20 other backdoors into the system
that the attacker can use to re-establish themselves once the cleanup has
been done. Reformatting returns the system to a known-good configuration.
That might be necessary if OP can't risk having the possibility of other
trojans/backdoors/rootkits/etc on the box.

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

"Drasko Ivanisevic" <drasko.ivanisevic@online.zg.t-com.hr (remove online.)>
wrote in message news:ecg2jqiVFHA.2796@TK2MSFTNGP09.phx.gbl...
: "id3ego2" <id3ego2@discussions.microsoft.com> wrote in message
: news:C8060435-609A-447D-B9DA-D65F9C343702@microsoft.com...
: >I have a dell box running server 2003 sp1, and my network folks tell me
: >that
: > it has been compromised by a Trojan.  They see outbound traffic over
port
: > 220. their solution is to take the machine down and reformat the drive.
: > There has got to be another way.   how do I block this port?  Outbound
: > firewall?  Any suggestions would be appreciated.  Thanks.
:
: Reformating is your last option.
: Remove the trojan with tools listed in post above and if you want to block
: outbound traffic via 220 use IPsec policy.
:
: Dra
:
:

[ Post a follow-up to this message ]

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:uBTcI4iVFHA.2684@TK2MSFTNGP09.phx.gbl...
> Reformatting may, or may not be the last option. It really depends on how
> critical this server is, and how important the data/apps that are on it
> are.
> Removing the trojan might still leave 20 other backdoors into the system
> that the attacker can use to re-establish themselves once the cleanup has
> been done. Reformatting returns the system to a known-good configuration.
> That might be necessary if OP can't risk having the possibility of other
> trojans/backdoors/rootkits/etc on the box.
>
> Cheers
> Ken

I agree!

Dra

[ Post a follow-up to this message ]

On Wed, 11 May 2005 15:09:08 +0200, "Drasko Ivanisevic"
<drasko.ivanisevic@online.zg.t-com.hr (remove online.)> wrote:

>"id3ego2" <id3ego2@discussions.microsoft.com> wrote in message
>news:C8060435-609A-447D-B9DA-D65F9C343702@microsoft.com... 
>
>Reformating is your last option.
>Remove the trojan with tools listed in post above and if you want to block
>outbound traffic via 220 use IPsec policy.

What about the other trojans and backdoors?  You say there aren't any?
How do you know?  You didn't know about this one until someone told
you..

The point being, what you don't know, will hurt you.

Jeff

[ Post a follow-up to this message ]