Re: Name that Trojan

From: Hugo van der Kooij (hvdkooijat_private)
Date: Wed Jan 09 2002 - 14:14:16 PST


    On Wed, 9 Jan 2002, Nutcase_69 wrote:
    
    > We have an application server running NT 4.0.  We found the file serv.exe on
    > it and I know that this could be an indication of a Trojan.  We deleted the
    > file and when we rebooted, the file re-appeared.  I am trying to find out if
    > anybody knows what Trojan might display this activity?  I thought it was
    > freak but that seemed old and I didn't think that it could regenerate the
    > .exe.  Any Answers?
    
    Standard procedure in case of a break-in that can't be identified is to take 
    the server off line. Store the disk. Perhaps salvage some data later and 
    install a replacement server.
    
    If you are not 100% sure, you can't risk leaving backdoors, timebombs, .... 
    on your server.
    
    Trust Murphy to strike harder when you have ignored his laws.
    
    Hugo.
    
    -- 
    All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
    
    