Re: ServU-deamon trojan warning with McAfee

From: Marina Roos [SBS-MVP] (marina_at_roos.nodontwantspam.nl.com)
Date: 09/28/04


Date: Tue, 28 Sep 2004 12:59:38 +0200

Hi Fred,

FTP FTP FTP.

You did it to yourself by having an FTP server on your SBS box without the
least security. Did you have port 21 open on your server? Which other
ports?

-- 
Regards,
Marina
Microsoft SBS-MVP
"Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
news:uc4DbKUpEHA.1164@TK2MSFTNGP10.phx.gbl...
>
> We found two ServU-deamon trojans on our SBS server. This type of trojan
> is NOT detected by default by McAfee VirusScan 4.5 or V7.
>
> Go to http://vil.nai.com/vil/content/v_125021.htm for information on how
> to configure V7 to detect this type of program. With 4.5, run the command
> line scanner with the /PROGRAM switch:
>   1. Click the START button
>   2. Click RUN
>   3. Type COMMAND and hit ENTER
>   4. Type:
>
>   c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub
>
>   and hit ENTER.
> The first one was picked up by our scanner while not yet running, as
> svchost.exe in the directory C:\winnt\system32\spool\nt\svchost.exe.
> Running a full scan we found regedit.exe in the system32 directory. This
> instance was started as a service in the registry. As a symptom, regedit
> would not start. This problem occurred about half a year ago. So for half
> a year we have been running an FTP server on our server.
>
> The question is: how did we become infected? And what damage can they do
> running an FTP server on our SBS box?
> The regedit.exe infection occurred around the time the Sasser patch became
> available. According to the MS site our server was infected. Our virus
> scan software didn't pick up this infection although the DAT file included
> the description for Sasser. So during the time of Sasser and the patch
> becoming available we could have been infected.
> How did svchost.exe infect our system? We are fully patched and our virus
> scanner is up to date. The FTP trojan could be the cause. But what would
> be the point in loading two FTP trojans? According to our System
> Integrator, visiting a website with IE on this server could be a cause as
> well. IE is only used as an exception while visiting the Microsoft site to
> look up the tech docs. On that day I made a typo and ended up at the
> www.micorsoft.com website. IE is patched as well to the latest level.
> ISA, SQL and Exchange are patched to the latest level. I'm worried that
> ISA is not doing a sufficient job. Is there a best practice tool for ISA?
> Or a document on what ports need to be opened and for what reason? How can
> specific ports be made stealth?
>
> TIA,
>
> Regards,
>
> Fred
>
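The two checks this thread circles around are Marina's question (which ports are actually open on the box) and the detail in Fred's post that tipped the scanner off (a file named svchost.exe sitting under spool\nt instead of system32, and a regedit.exe in system32 that was registered as a service). The script below is an added example from the editor, not code from either poster, McAfee or Microsoft. It parses `netstat -ano`-style output and a pid-to-image-path map, reports listening TCP ports that are not on an allow-list, and reports well-known binary names running from a directory other than where they are expected. The allow-list, the SystemRoot of C:\WINNT, the expected directory for each binary and all the sample rows are assumptions constructed for the example; confirm the expected paths against a known-clean host of the same Windows version before relying on them.

```python
"""Spot unexpected listeners and masquerading system binaries on a Windows host.

Added example, not from the thread. Input is constructed inline in the shape
of `netstat -ano` output and a pid -> image path map; on a real host you
would feed it the actual command output and a tasklist/Process Explorer dump.
"""
import ntpath
import re

# Assumption for the example: SystemRoot is C:\WINNT (Windows 2000-era SBS).
SYSTEM_ROOT = r"C:\WINNT"

# Directory each well-known binary is expected to run from. These are
# assumptions for the example (regedit.exe is taken to live in %SystemRoot%
# itself); verify against a known-clean host of the same Windows version.
EXPECTED_DIR = {
    "svchost.exe": ntpath.join(SYSTEM_ROOT, "system32"),
    "lsass.exe": ntpath.join(SYSTEM_ROOT, "system32"),
    "services.exe": ntpath.join(SYSTEM_ROOT, "system32"),
    "regedit.exe": SYSTEM_ROOT,
}

# Constructed allow-list of TCP ports this host is meant to expose; anything
# else in LISTENING state gets reported. Not a recommendation for a real box.
EXPECTED_TCP_PORTS = {25, 80, 443, 445}

# One `netstat -ano` row: proto, local addr:port, foreign addr, [state], pid.
# UDP rows carry no state column, hence the optional group.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_output):
    """Return {port: pid} for every TCP socket in LISTENING state."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m or m.group("proto") != "TCP" or m.group("state") != "LISTENING":
            continue
        listeners[int(m.group("port"))] = int(m.group("pid"))
    return listeners


def masquerading_binaries(process_images):
    """Return [(pid, image)] where a well-known binary name runs from the wrong directory."""
    findings = []
    for pid, image in process_images.items():
        expected = EXPECTED_DIR.get(ntpath.basename(image).lower())
        if expected is None:
            continue  # not a name we have an expected location for
        # normcase lowercases and normalises separators, so C:\WINNT\System32 matches.
        if ntpath.normcase(ntpath.dirname(image)) != ntpath.normcase(expected):
            findings.append((pid, image))
    return findings


def unexpected_listeners(listeners, process_images, allowed=EXPECTED_TCP_PORTS):
    """Return [(port, pid, image)] for listening TCP ports not on the allow-list."""
    return [
        (port, pid, process_images.get(pid, "<unknown>"))
        for port, pid in sorted(listeners.items())
        if port not in allowed
    ]


def audit(netstat_output, process_images):
    """Run both checks and return the findings keyed by check name."""
    listeners = parse_listeners(netstat_output)
    return {
        "masquerading": masquerading_binaries(process_images),
        "unexpected_ports": unexpected_listeners(listeners, process_images),
    }


# Constructed sample in the shape of `netstat -ano` output; pids and ports are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1164
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3333           0.0.0.0:0              LISTENING       2100
  TCP    192.168.1.2:139        192.168.1.5:1072       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1040
"""

# Constructed pid -> image path map. Two entries mirror the thread's findings:
# an svchost.exe under spool\nt and a regedit.exe under system32.
PROCESS_IMAGES = {
    4: "System",
    1040: r"C:\WINNT\system32\lsass.exe",
    1164: r"C:\WINNT\system32\spool\nt\svchost.exe",
    1432: r"C:\WINNT\system32\svchost.exe",
    2100: r"C:\WINNT\system32\regedit.exe",
}

if __name__ == "__main__":
    report = audit(NETSTAT_SAMPLE, PROCESS_IMAGES)
    for pid, image in report["masquerading"]:
        print(f"SUSPECT PATH  pid={pid} {image}")
    for port, pid, image in report["unexpected_ports"]:
        print(f"OPEN PORT     tcp/{port} pid={pid} {image}")
```

On the sample data the path check flags pid 1164 (svchost.exe outside system32) and pid 2100 (regedit.exe outside the assumed %SystemRoot%), and the port check flags tcp/21 and tcp/3333, which is the FTP listener Marina asked about plus the second unexpected service. A name match on the image path is a weak signal on its own (a legitimately relocated tool trips it, and malware can also overwrite the real file in place), so treat a hit as something to pull the binary and its service registration for, not as proof by itself.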