On Wed, 9 Jan 2002, Nutcase_69 wrote:
> We have an application server running NT 4.0. We found the file serv.exe on
> it and I know that this could be an indication of a Trojan. We deleteed the
> file and when we rebooted, the file re-appeared. I trying to find out if
> anybody know what Trojan might display this activity? I thaught it was
> freak but that seemed old and I didn''t think that it could regenerate the
> .exe Any Answers?
Standard procedure in case of a brakin that can't be identified is to take
the server off line. Store the disk. Perhaps salvage some data later and
install a replacement server.
If you are not 100% sure you can't risk leaving backdoor, timebombs, ....
on your server.
Trust Murphy to strike harder when you have have ignored his laws.
Hugo.
--
All email send to me is bound to the rules described on my homepage.
hvdkooijat_private http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:00:31 PST