Question
Web Server forum

Question
KC
02-23-05 11:00 PM
Hello All:

For the past several days, our virus software has found and deleted a
backdoor trojan which was destined for our webserver. This came from the
outside, not inside, since no other clients on the network show any signs of
infection.

My question is this: how are these files being sent to the server? Is it
possible that they are coming in on port 80?
If not, how?

Thanks

KC







Re: Question
Miha Pihler [MVP]
02-23-05 11:00 PM
It is possible (and very likely) that they are coming in over TCP port 80
(or UDP 53 -- used for DNS resolution).

Viruses will use ports that are likely to be opened (as mentioned TCP 80,
TCP 443, UDP 53, TCP 25, ...).

When I set up servers for my customers, I usually try to define rules on the
firewall that would prevent complete access to the internet from the servers
(but not the other way -- access from the internet to the server so that
visitors are able to access public websites). This way, I can prevent
administrators surfing the internet from the server and getting infected
from web sites (protects from viruses, spyware etc).
This doesn't prevent infection that would come from inside (e.g. internal
network)...

--
Mike
Microsoft MVP - Windows Security

"KC" <noemail@nospam.com> wrote in message
news:Ow6jqmdGFHA.3964@TK2MSFTNGP14.phx.gbl...
> Hello All:
>
> For the past several days, our virus software has found and deleted a
> backdoor trojan which was destined for our webserver. This came from the
> outside, not in since no other clients on the network show any signs of
> infections.
>
> My question is this. How are these files being sent to the server. Is it
> possible that they are coming in on port 80?
> If not, how?
>
> Thanks
>
> KC
>
>
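As an added illustration of the egress policy Mike describes (example configuration, not from the thread, from Mike or from Microsoft): the same idea expressed as host-firewall rules on the web server itself, using the NetSecurity cmdlets available on Windows Server 2012 and later. The resolver addresses and rule names are my own placeholders.

```powershell
# Added example (not from the thread): host-firewall egress policy for an IIS web
# server, modelled on the advice above. Assumes Windows Server 2012 or later with the
# NetSecurity module; the DNS resolver addresses are placeholders for your own.
# Run in an elevated PowerShell session. Existing enabled inbound allow rules (for
# example the built-in Remote Desktop rule) are not changed by the defaults below,
# but confirm your management path is allowed before applying this remotely.

$DnsResolvers = @('192.0.2.53', '192.0.2.54')   # placeholder: your internal/ISP resolvers

# 1. Default deny in both directions on every profile; the explicit rules below
#    re-open only what the server's role needs.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Inbound: visitors reach the public site over HTTP/HTTPS only.
New-NetFirewallRule -DisplayName 'Web - allow inbound HTTP/HTTPS' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80,443

# 3. Outbound: DNS only to the named resolvers ("UDP 53 to anywhere" is one of the
#    open ports malware relies on). Nothing else leaves the box: a server that serves
#    content and is never used for browsing does not need general internet access.
New-NetFirewallRule -DisplayName 'Web - allow outbound DNS to resolvers' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
    -RemoteAddress $DnsResolvers

# 4. Make the remaining outbound denies visible: log dropped packets so that a process
#    on the server trying to reach a remote web site shows up in pfirewall.log.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Quick check: every rule that still lets traffic out of the box.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

With the default outbound action set to Block, anything the server itself legitimately needs to reach (Windows Update or WSUS, AV signature downloads, an NTP source) must get its own allow rule scoped to that destination. That is the trade-off in Mike's advice, and it is also what makes an unexpected outbound HTTP connection impossible to miss: the attempt lands in the blocked-packet log instead of succeeding.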







Re: Question
KC
02-23-05 11:00 PM

Thanks
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:uZgV8ufGFHA.2472@TK2MSFTNGP10.phx.gbl...
> It is possible (and very likely) that they are coming in over TCP port 80
> (or UDP 53 -- used for DNS resolution).
>
> Viruses will use ports that are likely to be opened (as mentioned TCP 80,
> TCP 443, UDP 53, TCP 25, ...).
>
> When I set up servers for my customers, I usually try to define rules on
> the firewall that would prevent complete access to the internet from the
> servers (but not the other way -- access from the internet to the server
> so that visitors are able to access public websites). This way, I can
> prevent administrators surfing the internet from the server and getting
> infected from web sites (protects from viruses, spyware etc).
> This doesn't prevent infection that would come from inside (e.g. internal
> network)...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "KC" <noemail@nospam.com> wrote in message
> news:Ow6jqmdGFHA.3964@TK2MSFTNGP14.phx.gbl... 
>
>







Re: Question
KC
02-24-05 12:52 PM

To expound on this... I have a web server and FTP server in my DMZ..... every
morning, I see the alert that NAV has found and deleted a virus during a
realtime scan. This is not happening by surfing the web and I cannot figure
out where the source of this virus is coming from. The machines are locked
down and only necessary ports are open. I've checked registries on all
affected machines and can't find anything out of the ordinary.
Does this suggest that someone is connected to the machine at that time,
actually trying to drop the executable?
"KC" <none@nospam.com> wrote in message
news:OKyNw$fGFHA.2416@TK2MSFTNGP14.phx.gbl...
> Thanks
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:uZgV8ufGFHA.2472@TK2MSFTNGP10.phx.gbl... 
>
>







Re: Question
Miha Pihler [MVP]
02-24-05 10:54 PM

Hi,

It is impossible to tell for sure, but yes, it is possible that something is
connecting to your server and is trying to infect it.

You also have to know that someone could have surfed the internet a few days, weeks
or months ago, infected the server, and the problem is still there.

Can you tell me what virus NAV is reporting?

--
Mike
Microsoft MVP - Windows Security

"KC" <none@nospam.com> wrote in message
news:uVHGA9lGFHA.1396@TK2MSFTNGP10.phx.gbl...
> To expound on this...I have a web server and FTP server in my
> DMZ.....every morning, I see the alert that NAV has found and deleted a
> virus during a realtime scan. This is not happening by surfing the web and
> I cannot figure out where the source of this virus is coming from. The
> machines are locked down and only necessary ports are open.  I've checked
> registries on all affected machines and can't find anything out of the
> ordinary.
> Does this suggest that someone is connected to the machine at that time
> actually trying to drop the executable ?
> "KC" <none@nospam.com> wrote in message
> news:OKyNw$fGFHA.2416@TK2MSFTNGP14.phx.gbl... 
>
>







Re: Question
KC
02-25-05 12:54 PM

One day it is fhgj.exe, next day ghfnt.exe, etc. etc.: randomly generated exe
files..... listed in NAV as a trojan dropper. The source is not internal so it
must be some type of external connection. I have scoured through the server
for any signs of compromise and cannot find anything. This is concerning me as it
clearly seems it is an external connection causing this. I will have to note
the real time detection and perhaps run a sniffer at that time to see where
the connection is coming from.

Any other insight would be appreciated.


"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:O8wlVQqGFHA.3916@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> It is impossible to tell for sure, but yes it is possible that something
> is connecting to your server and is trying to infect it.
>
> You also have to know that someone could have surfed the internet a few days,
> weeks or months ago, infected the server, and the problem is still there.
>
> Can you tell me what virus is NAV reporting?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "KC" <none@nospam.com> wrote in message
> news:uVHGA9lGFHA.1396@TK2MSFTNGP10.phx.gbl... 
>
>







Re: Question
Miha Pihler [MVP]
02-25-05 10:55 PM

Can you run a system scan and also check for spyware on your server?

If you have an option, prevent access from the server to the internet on
your firewall.

Also change passwords, check for additional accounts on the server, unknown
services and processes running, ...

Run this tool on your server
http://www.sysinternals.com/ntw2k/f...kitreveal.shtml

--
Mike
Microsoft MVP - Windows Security

"KC" <none@nospam.com> wrote in message
news:enGg3EzGFHA.2976@TK2MSFTNGP15.phx.gbl...
> One day it is fhgj.exe, next day ghfnt.exe etc etc. randomly generated exe
> file.....listed in NAV as a trojan dropper. The source is not internal so
> it must be some type of external connection. I have scoured through the
> server for any signs of compromise and cannot find anything. This is concerning
> me as it clearly seems it is an external connection causing this. I will
> have to note the real time detection and perhaps run a sniffer at that
> time to see where the connection is coming from.
>
> Any other insight would be appreciated.
>
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:O8wlVQqGFHA.3916@TK2MSFTNGP12.phx.gbl... 
>
>







Re: Question
KC
02-26-05 01:47 AM

Done all of this and came up negative. What I found interesting is running
netstat -a: a connection outbound to HTTP.... Once I cut that off on the
firewall, all of this nonsense has stopped. But the million dollar question
is..... how or what was running to cause my server to connect to distant
HTTP.... which I'm sure was where the virus was coming from.

"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:%23npYbd2GFHA.3376@TK2MSFTNGP14.phx.gbl...
> Can you run system scan and also check for spyware on your server.
>
> If you have an option, prevent access from the server to the internet on
> your firewall.
>
> Also change passwords, check for additional accounts on the server,
> unknown services and processes running, ...
>
> Run this tool on your server
> http://www.sysinternals.com/ntw2k/f...kitreveal.shtml
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "KC" <none@nospam.com> wrote in message
> news:enGg3EzGFHA.2976@TK2MSFTNGP15.phx.gbl... 
>
>







Re: Question
Miha Pihler [MVP]
02-27-05 12:47 PM

Hi,

Check the processes that are running on the server (you can see them in Task
Manager on the Processes tab). Investigate any suspicious processes and determine
whether those processes should be there or not.

Another tool that can show you running processes (with more information than
Task Manager) is Process Explorer from Sysinternals.com. With this tool
you can see from where the process is running (e.g. is the service running
from "strange" folders like c:\temp or c:\ or ...)

http://www.sysinternals.com/ntw2k/f...e/procexp.shtml

--
Mike
Microsoft MVP - Windows Security

"KC" <none@nospam.com> wrote in message
news:e6Hgwt5GFHA.3244@TK2MSFTNGP09.phx.gbl...
> Done all of this and came up negative. What I found interesting is running
> netstat -a, connection outbound to HTTP....once I cut that off on the
> firewall, all of this nonsense has stopped. But the million dollar
> question is.....how or what was running to cause my server to connect to
> distant http....which I'm sure was where the virus was coming from.
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:%23npYbd2GFHA.3376@TK2MSFTNGP14.phx.gbl... 
>
>
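An added example (not code from the thread or from either participant) that puts KC's netstat observation and Mike's process-path check together in one triage pass: list every established outbound connection to a remote web port, resolve the owning process, and flag any whose image lives in a location a server service has no business running from or whose binary carries no valid signature. It assumes Windows Server 2012 or later (the NetTCPIP module) and an elevated session; the list of suspicious locations is constructed for this example.

```powershell
# Added example (not from the thread): which process on a web server is the *client*
# side of an HTTP/HTTPS connection, and where does it run from? Assumes Windows Server
# 2012 or later and an elevated session so that owning processes can be resolved.

# Constructed list of locations a legitimate service on a web server should not run
# from (Mike's "strange folders"); extend it to match your own build standard.
$SuspiciousRoots = @(
    "$env:SystemDrive\Temp",
    "$env:SystemDrive\",                         # executables sitting directly in C:\
    "$env:windir\Temp",
    "$env:SystemDrive\Users\*\AppData\Local\Temp",
    "$env:SystemDrive\inetpub\wwwroot"           # the web root must never own an outbound socket
)

function Test-SuspiciousPath {
    param([string]$Path)
    if (-not $Path) { return $true }             # no path: protected or already-exited process, look closer
    $dir = (Split-Path -Path $Path -Parent).TrimEnd('\')
    foreach ($root in $SuspiciousRoots) {
        # -like gives case-insensitive wildcard matching for the per-user Temp pattern
        if ($dir -like $root.TrimEnd('\')) { return $true }
    }
    return $false
}

# A web server answers on 80/443; it should rarely be the client on those ports
# (patching via WSUS and AV updates through an internal proxy are the usual exceptions).
$outbound = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -in @(80, 443) -and $_.RemoteAddress -notmatch '^(127\.|::1$)' }

$report = foreach ($c in $outbound) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
    [pscustomobject]@{
        Remote     = "$($c.RemoteAddress):$($c.RemotePort)"
        PID        = $c.OwningProcess
        Process    = $proc.ProcessName
        Path       = $path
        Signature  = $sig
        Suspicious = (Test-SuspiciousPath $path) -or ($sig -ne 'Valid')
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# For anything flagged, capture evidence before killing it: the binary's hash for the
# AV vendor, and any service whose command line references it (this is the "why does
# it come back every morning" question, since a service or scheduled task is how a
# dropper keeps re-fetching its payload after the file itself has been deleted).
$report | Where-Object Suspicious | ForEach-Object {
    $name = $_.Process
    if ($_.Path) { Get-FileHash -Algorithm SHA256 -Path $_.Path }
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -like "*$name*" } |
        Select-Object Name, State, StartMode, PathName
}
```

A row with a valid signature and a normal path is not automatically clean: a legitimate host process (svchost.exe, for instance) can be carrying a malicious service or loaded module, so for such rows the service PathName and the timing of the connection matter more than the signature. Run this at the time of day the realtime-scan alert fires, alongside the sniffer KC mentions, so the connection is caught while it is live rather than inferred afterwards.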






