On Wed, 9 Jan 2002, Nutcase_69 wrote: > We have an application server running NT 4.0. We found the file serv.exe on > it and I know that this could be an indication of a Trojan. We deleteed the > file and when we rebooted, the file re-appeared. I trying to find out if > anybody know what Trojan might display this activity? I thaught it was > freak but that seemed old and I didn''t think that it could regenerate the > .exe Any Answers? Standard procedure in case of a brakin that can't be identified is to take the server off line. Store the disk. Perhaps salvage some data later and install a replacement server. If you are not 100% sure you can't risk leaving backdoor, timebombs, .... on your server. Trust Murphy to strike harder when you have have ignored his laws. Hugo. -- All email send to me is bound to the rules described on my homepage. hvdkooijat_private http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:00:31 PST