A Broadband and ADSL forum. BroadbanterBanter


Trojan attacks - useful resources - ideas please



 
 
  #1  
Old December 10th 04, 12:43 PM posted to uk.telecom.broadband
Linker3000

Folks,

Several of my Win2K/SQL server systems have been trojaned to various
degrees over the last week or two - mostly ass*oles installing serv-u
FTP server, but a few have had the administrator password changed
(lovely!) - there seems to have been an increase in such activity over
the last 2 weeks, or is it just my bad luck?

All servers are patched to the hilt as far as Win2K, SQL server and MSIE
are concerned and I'm trying to convince the powers that be to move
everyone over to FireFox (and Linux if I had my way!). Every site has a
firewall/NAT router and I'm currently looking at the blocking rules for
them to tighten things further.

Most of the trojans seem to pass by Symantec AV (Corporate) and some
sneak past Grisoft AVG7 - what's been useful is TrojanHunter, SpybotS&D,
AdAware, port monitoring tools from sysinternals and my own snooping
around processes, noticing suspicious files that have turned up on the
system and checking open ports etc.

OK, here are the main questions:

1) Can you recommend any good Web sites/newsgroups among the tons that
turn up in a Google search where I might find some useful forums
discussing trojans, removal, security and current threats?

2) What tools are you using to check for open ports, remote connections,
monitor logins etc.? - I have a few I've been using, but I'd be grateful
for any insight.

3) Is there a handy tool that can email me when a user logs in/out
and/or a service is stopped/started etc.? This would help me monitor all
the (14) sites. I am running Nagios for general server/broadband health
monitoring and I'm just going to have a read up to see if it can also
send such alerts so Nagios gurus are welcome to help me out here!

Thanks

L3K
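A check of the kind question 3 asks for, added here as an example and not taken from the thread or from the Nagios project: it parses `netstat -an` output, compares the listeners against a per-server baseline, and reports in Nagios plugin form so it could be scheduled through an agent on the Windows host and mailed out like any other service check. The baseline port set, the agent arrangement and the sample netstat text are constructed assumptions.

```python
"""Nagios-style check for unexpected listening ports (added example, not from
the thread or the Nagios project). Parses Windows `netstat -an` output and
exits with Nagios plugin codes 0/1/2 so Nagios can mail the result."""
import re
import sys

OK, WARNING, CRITICAL = 0, 1, 2

# Assumed baseline of (proto, port) the server should listen on; build the
# real one from a known-clean host rather than copying this.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 1433),
            ("UDP", 137), ("UDP", 138), ("UDP", 1434)}

# One netstat row: proto, local addr:port, foreign addr, state (TCP only).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_listeners(netstat_text):
    """Return the set of (proto, port) sockets that accept inbound traffic."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column headers, blank lines
        proto, _local, port, _foreign, state = m.groups()
        # Any bound UDP socket receives; TCP only counts in LISTENING state
        # (ESTABLISHED rows are existing sessions, not new exposure).
        if proto == "UDP" or state == "LISTENING":
            listeners.add((proto, int(port)))
    return listeners

def check_listeners(listeners, baseline):
    """Return (exit_code, status_text) in Nagios plugin form."""
    fmt = lambda ports: ", ".join(f"{p}/{n}" for p, n in sorted(ports))
    unexpected = listeners - baseline   # e.g. an FTP daemon nobody installed
    missing = baseline - listeners      # e.g. the SQL Server service stopped
    if unexpected:
        return CRITICAL, f"CRITICAL: unexpected listener(s): {fmt(unexpected)}"
    if missing:
        return WARNING, f"WARNING: expected listener(s) gone: {fmt(missing)}"
    return OK, f"OK: {len(listeners)} expected listener(s), nothing unexpected"

# Constructed sample (not a real capture): a stray FTP listener on TCP/21.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1433      192.168.1.50:2345      ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

if __name__ == "__main__":  # argv[1] = saved `netstat -an` capture, else sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    code, message = check_listeners(parse_listeners(text), BASELINE)
    print(message)
    sys.exit(code)
```

Run on the sample it prints the CRITICAL line naming TCP/21 and exits 2, which Nagios turns into a notification; against a clean host it exits 0.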
  #2  
Old December 10th 04, 08:03 PM posted to uk.telecom.broadband
Colin Wilson

> 1) Can you recommend any good Web sites/newsgroups among the tons that
> turn up in a Google search where I might find some useful forums
> discussing trojans, removal, security and current threats?

www.astalavista.box.sk

--
Please add "[newsgroup]" in the subject of any personal replies via email
--- My new email address has "ngspamtrap" & @btinternet.com in it ;-) ---
  #3  
Old December 11th 04, 06:19 PM posted to uk.telecom.broadband
Greg Hennessy

On Fri, 10 Dec 2004 12:43:50 +0000 (UTC), Linker3000 wrote:

> Folks,
>
> Several of my Win2K/SQL server systems have been trojaned to various
> degrees over the last week or two - mostly ass*oles installing serv-u
> FTP server, but a few have had the administrator password changed
> (lovely!) - there seems to have been an increase in such activity over
> the last 2 weeks, or is it just my bad luck?


No, it's chronic stupidity on your part for directly exposing ports
1433/1434 to the Internet.

There is absolutely *no* reason to directly expose a database server on a
routed Internet connection.

Zero,
None,
Nada,
Zilch,
SFA

Did Slammer not teach you anything?

> All servers are patched to the hilt as far as Win2K, SQL server and MSIE
> are concerned and I'm trying to convince the powers that be to move
> everyone over to FireFox (and Linux if I had my way!).

That won't save them from your obvious lack of clue.

It's not difficult to harden win2k to the same level as the alternatives.
It's not rocket science to design infrastructure such that you do *not*
expose business critical infrastructure to the Internet.

Any design which requires you to put a database server directly on the
Internet is so flawed it warrants zero further consideration.

Any business which would sign off on such deserves to go tits up.


greg
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
  #4  
Old December 11th 04, 08:00 PM posted to uk.telecom.broadband
Spin Dryer

On Fri, 10 Dec 2004 12:43:50 +0000 (UTC), [Linker3000] said :-

> Folks,
>
> Several of my Win2K/SQL server systems have been trojaned to various
> degrees over the last week or two - mostly ass*oles installing serv-u
> FTP server, but a few have had the administrator password changed
> (lovely!) - there seems to have been an increase in such activity over
> the last 2 weeks, or is it just my bad luck?
>
> All servers are patched to the hilt as far as Win2K, SQL server and MSIE
> are concerned and I'm trying to convince the powers that be to move
> everyone over to FireFox (and Linux if I had my way!). Every site has a
> firewall/NAT router and I'm currently looking at the blocking rules for
> them to tighten things further.
>
> Most of the trojans seem to pass by Symantec AV (Corporate) and some
> sneak past Grisoft AVG7 - what's been useful is TrojanHunter, SpybotS&D,
> AdAware, port monitoring tools from sysinternals and my own snooping
> around processes, noticing suspicious files that have turned up on the
> system and checking open ports etc.
>
> OK, here are the main questions:
>
> 1) Can you recommend any good Web sites/newsgroups among the tons that
> turn up in a Google search where I might find some useful forums
> discussing trojans, removal, security and current threats?
>
> 2) What tools are you using to check for open ports, remote connections,
> monitor logins etc.? - I have a few I've been using, but I'd be grateful
> for any insight.
>
> 3) Is there a handy tool that can email me when a user logs in/out
> and/or a service is stopped/started etc.? This would help me monitor all
> the (14) sites. I am running Nagios for general server/broadband health
> monitoring and I'm just going to have a read up to see if it can also
> send such alerts so Nagios gurus are welcome to help me out here!
>
> Thanks
>
> L3K



Are you serious ?

If so - employ someone who knows what they are doing, this is frankly
appalling.


I'm surprised your connection hasn't been suspended via your ISP by
gross stupidity and incompetence - or even been cancelled for being a
spam zombie.
  #5  
Old December 11th 04, 09:46 PM posted to uk.telecom.broadband
Linker3000

Greg Hennessy wrote:
> On Fri, 10 Dec 2004 12:43:50 +0000 (UTC), Linker3000 wrote:
>
>> Folks,
>>
>> Several of my Win2K/SQL server systems have been trojaned to various
>> degrees over the last week or two - mostly ass*oles installing serv-u
>> FTP server, but a few have had the administrator password changed
>> (lovely!) - there seems to have been an increase in such activity over
>> the last 2 weeks, or is it just my bad luck?
>
> No, it's chronic stupidity on your part for directly exposing ports
> 1433/1434 to the Internet.
>
> There is absolutely *no* reason to directly expose a database server on a
> routed Internet connection.
>
> Zero,
> None,
> Nada,
> Zilch,
> SFA
>
> Did Slammer not teach you anything?
>
>> All servers are patched to the hilt as far as Win2K, SQL server and MSIE
>> are concerned and I'm trying to convince the powers that be to move
>> everyone over to FireFox (and Linux if I had my way!).
>
> That won't save them from your obvious lack of clue.
>
> It's not difficult to harden win2k to the same level as the alternatives.
> It's not rocket science to design infrastructure such that you do *not*
> expose business critical infrastructure to the Internet.
>
> Any design which requires you to put a database server directly on the
> Internet is so flawed it warrants zero further consideration.
>
> Any business which would sign off on such deserves to go tits up.
>
> greg


Thanks for the pointless response based on your complete lack of
knowledge of my circumstances - for your information:

Unfortunately I inherited this setup when I joined the company 6 months
ago and I have voiced my concerns about it on numerous occasions.

We have a stupid number of SQL servers (14) replicating in clusters to
regional master databases and then these replicate to one master
database at HQ. I agree it's absurd but my hands are tied by historic
decisions and also the fact that the people who wrote and support the
front end app are so crap at database design and security that whenever
I bring up the subject of a more secure architecture they raise all
sorts of dumb-ass objections as to why it can't be done that the powers
that be in my organisation get cold feet and shy away from doing
anything about it.

Now, if you have anything USEFUL to add please go ahead....

L3K
  #6  
Old December 11th 04, 09:50 PM posted to uk.telecom.broadband
Linker3000

Spin Dryer wrote:
> On Fri, 10 Dec 2004 12:43:50 +0000 (UTC), [Linker3000] said :-
>
>> Folks,
>>
>> Several of my Win2K/SQL server systems have been trojaned to various
>> degrees over the last week or two - mostly ass*oles installing serv-u
>> FTP server, but a few have had the administrator password changed
>> (lovely!) - there seems to have been an increase in such activity over
>> the last 2 weeks, or is it just my bad luck?
>>
>> All servers are patched to the hilt as far as Win2K, SQL server and MSIE
>> are concerned and I'm trying to convince the powers that be to move
>> everyone over to FireFox (and Linux if I had my way!). Every site has a
>> firewall/NAT router and I'm currently looking at the blocking rules for
>> them to tighten things further.
>>
>> Most of the trojans seem to pass by Symantec AV (Corporate) and some
>> sneak past Grisoft AVG7 - what's been useful is TrojanHunter, SpybotS&D,
>> AdAware, port monitoring tools from sysinternals and my own snooping
>> around processes, noticing suspicious files that have turned up on the
>> system and checking open ports etc.
>>
>> OK, here are the main questions:
>>
>> 1) Can you recommend any good Web sites/newsgroups among the tons that
>> turn up in a Google search where I might find some useful forums
>> discussing trojans, removal, security and current threats?
>>
>> 2) What tools are you using to check for open ports, remote connections,
>> monitor logins etc.? - I have a few I've been using, but I'd be grateful
>> for any insight.
>>
>> 3) Is there a handy tool that can email me when a user logs in/out
>> and/or a service is stopped/started etc.? This would help me monitor all
>> the (14) sites. I am running Nagios for general server/broadband health
>> monitoring and I'm just going to have a read up to see if it can also
>> send such alerts so Nagios gurus are welcome to help me out here!
>>
>> Thanks
>>
>> L3K
>
> Are you serious ?
>
> If so - employ someone who knows what they are doing, this is frankly
> appalling.
>
> I'm surprised your connection hasn't been suspended via your ISP by
> gross stupidity and incompetence - or even been cancelled for being a
> spam zombie.


FTP site = spam zombie, yeah right.

You have obviously never inherited the kinda mess I have then - it's not
my setup and there's no way I'd have proposed anything like it - see my
reply to another thread hereabouts.

L3K

  #7  
Old December 11th 04, 09:55 PM posted to uk.telecom.broadband
Spin Dryer

On Sat, 11 Dec 2004 21:46:55 +0000, [Linker3000] said :-

>> Any business which would sign off on such deserves to go tits up.
>>
>> greg
>
> Thanks for the pointless response based on your complete lack of
> knowledge of my circumstances - for your information:
>
> Unfortunately I inherited this setup when I joined the company 6 months
> ago and I have voiced my concerns about it on numerous occasions.



Well, for 'your information' - not many here have crystal balls - how
on earth could anyone have known that ?

So, Slick, next time you post requiring information - mention
something relevant, ok ? Your pointless initial post implied your own
lack of ability.

  #8  
Old December 11th 04, 11:19 PM posted to uk.telecom.broadband
Greg Hennessy

On Sat, 11 Dec 2004 21:46:55 +0000, Linker3000 wrote:

>> That won't save them from your obvious lack of clue.
>>
>> It's not difficult to harden win2k to the same level as the alternatives.
>> It's not rocket science to design infrastructure such that you do *not*
>> expose business critical infrastructure to the Internet.
>>
>> Any design which requires you to put a database server directly on the
>> Internet is so flawed it warrants zero further consideration.
>>
>> Any business which would sign off on such deserves to go tits up.
>>
>> greg
>
> Thanks for the pointless response based on your complete lack of
> knowledge of my circumstances

Your inability to provide supporting evidence in the original post is not
the fault of the audience.

Your servers *haven't* been hardened adequately.

Your lack of knowledge w.r.t. the capabilities of the software you have to
hand is self evident.

Five minutes' googling produces excellent tutorials and mechanisms to lock
down win2k duck's-arse tight:

http://www.systemexperts.com/win2k/HardenWin2K.html
http://www.securiteam.com/tools/6Y00M1FBPI.html

Therefore my response stands.

A bad workman will always blame his tools.

> - for your information:
>
> Unfortunately I inherited this setup when I joined the company 6 months
> ago and I have voiced my concerns about it on numerous occasions.

'Voicing your concerns' is not enough in that situation.

> We have a stupid number of SQL servers (14) replicating in clusters to
> regional master databases and then these replicate to one master
> database at HQ. I agree it's absurd but my hands are tied by historic
> decisions and also the fact that the people who wrote and support the
> front end app are so crap at database design and security that whenever

Nonsense! There is nothing, absolutely nothing, stopping you using IPSEC to
tunnel replication between sites; it's built in to win2k as *standard*, for
chrissakes!

> I bring up the subject of a more secure architecture they raise all
> sorts of dumb-ass objections as to why it can't be done that the powers
> that be in my organisation get cold feet and shy away from doing
> anything about it.

That's a cop out. You have the means to fix it *today* without spending a
single penny, so why aren't *you* doing something to sort it?



greg



--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
  #9  
Old December 12th 04, 09:45 AM posted to uk.telecom.broadband
Linker3000

Spin Dryer wrote:
> On Sat, 11 Dec 2004 21:46:55 +0000, [Linker3000] said :-
>
>>> Any business which would sign off on such deserves to go tits up.
>>>
>>> greg
>>
>> Thanks for the pointless response based on your complete lack of
>> knowledge of my circumstances - for your information:
>>
>> Unfortunately I inherited this setup when I joined the company 6 months
>> ago and I have voiced my concerns about it on numerous occasions.
>
> Well, for 'your information' - not many here have crystal balls - how
> on earth could anyone have known that ?
>
> So, Slick, next time you post requiring information - mention
> something relevant, ok ? Your pointless initial post implied your own
> lack of ability.

I seem to recall my first post requesting info on security resources,
not a critique of my abilities and the system - you may have missed that
bit.

L3K
  #10  
Old December 12th 04, 10:19 AM posted to uk.telecom.broadband
Spin Dryer

On Sun, 12 Dec 2004 09:45:44 +0000, [Linker3000] said :-

> Spin Dryer wrote:
>> On Sat, 11 Dec 2004 21:46:55 +0000, [Linker3000] said :-
>>
>>>> Any business which would sign off on such deserves to go tits up.
>>>>
>>>> greg
>>>
>>> Thanks for the pointless response based on your complete lack of
>>> knowledge of my circumstances - for your information:
>>>
>>> Unfortunately I inherited this setup when I joined the company 6 months
>>> ago and I have voiced my concerns about it on numerous occasions.
>>
>> Well, for 'your information' - not many here have crystal balls - how
>> on earth could anyone have known that ?
>>
>> So, Slick, next time you post requiring information - mention
>> something relevant, ok ? Your pointless initial post implied your own
>> lack of ability.
>
> I seem to recall my first post requesting info on security resources,
> not a critique of my abilities and the system - you may have missed that
> bit.


Your first paragraph in your first post in this thread, fella, was :-

" Several of my Win2K/SQL server systems have been trojaned to various
degrees over the last week or two - mostly ass*oles installing serv-u
FTP server, but a few have had the administrator password changed
(lovely!) - there seems to have been an increase in such activity over
the last 2 weeks, or is it just my bad luck? "


Your later paragraphs (and of course the subject title) do ask for
info, but to probably anyone else reading, the "info" is needed
_because_ of the first paragraph.

However, new stuff came to light about you inheriting the system 6
months ago - yet your first paragraph says that the problems stemmed
from the past couple of weeks.

Now what conclusion does that imply ?
 



