Proxy security

By kashmeir63
Hi,
I have a WinNT 4.0 server running Proxy 2.0.
Lately it looks like someone is trying to hack into the system. On a couple of occasions I noticed that a cmd.exe was running as a process and taking a lot of CPU time, so I would kill it.
I also noticed on a couple of occasions that the following services were running that should not have been: dnuts26, dwrcs, firedemon and navmon. I would manually have to kill them. Also from the registry. Also noticed in the Windows dir, in the following path winnt\system32\config\help\tmp\files, it had some of the following files in the tmp folder: firedaemon, stro.exe, navmon.exe etc...
Is there a way to stop this from happening?
Security is fairly new to me.
Any help would be appreciated.

Proxy security

by curlergirl In reply to Proxy security

It sounds like someone has deposited a Trojan in your system and is running a hack on you. Do you have antivirus software on the proxy server, and is it up-to-date and running real-time? This is the first thing you need to do if it's not already done - get a good, reliable antivirus software package, install it, update the virus defs, and run a scan to see if there is a virus/Trojan horse/worm running on your system. If you find one, your virus software company (we use Symantec but there are plenty of others) should be able to point you to a way of removing it.

BTW, this should be a standard for ALL workstations and servers on your network - they all need antivirus software and the virus defs should be updated AT LEAST once a week if not every day.

Other things you need to do IMMEDIATELY if they have not been done:

1. Enable packet filtering on your proxy server.
2. Make sure your server is up-to-date with the latest security patches - go to the MS web site and download a program called "hfnetchk.exe". It's free - it will check your server and tell you what security patches need to be installed to properly secure the server.

Hope this helps!

Proxy security

by kashmeir63 In reply to Proxy security

The question was auto-closed by TechRepublic

Proxy security

by Joseph Moore In reply to Proxy security

First off, "someone is trying to hack into the system" is an incorrect statement.
Someone HAS hacked into your system. They have already succeeded.

DWRCS is the Dameware NT Utilities remote control service. Firedaemon is a Service-running program (turn any EXE or BAT file into a Service). The other services I do not recognize.

In seeing Dameware loaded on your system, I bet that what "could" have happened is that your proxy server either a) is NOT protected by a firewall or b) if it does have a firewall it is NOT blocking TCP port 139. Dameware's remote control application is client-target based, like all the other remote control apps. The target machine needs to run DWRCS in order for the client to connect to it. Now, Dameware is interesting in that it will connect over TCP port 139 (the Windows file sharing port), and, providing the client has a valid username/password on the target system, it will INSTALL its target component as a Windows Service. I use this at work, and it is a great tool to have, but unfortunately, it can be misused, as you have experienced.
So, someone found out that your proxy server is on the Internet and not properly protected. After that, they connected with Dameware, pushed their installation setup (all of the files you have found), did the setups and Registry modifications, and now they "own" your server.

Get a firewall NOW!

Also, doing an anti-virus scan will be useful, but it might not pick up any trojan programs. Dameware is NOT considered a trojan by either Symantec or McAfee; neither is Firedaemon. The other 2 services you have I am not familiar with, but they might be legitimate apps also, just used with evil intentions!
Sorry for the bad news. Feel free to send me a private message if you want more help on this.
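Joseph Moore's reply gives two things an admin can check on the box itself: which services are started that do not belong there, and whether anything outside the network holds a session to TCP port 139. The script below is an added example, not code from the thread; it assumes the admin has saved `net start` and `netstat -an` output to text (both samples here are constructed to mirror the thread's findings) and that a baseline of expected services exists from a clean build sheet.

```python
import re

# Constructed sample of `net start` output, mirroring the services named in the thread.
NET_START_OUTPUT = """These Windows NT services are started:

   Computer Browser
   DWRCS
   FireDaemon
   navmon
   dnuts26
   Server
   Workstation

The command completed successfully.
"""

# Constructed sample of `netstat -an` output; 192.0.2.10 is the proxy, 203.0.113.45 is external.
NETSTAT_OUTPUT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         203.0.113.45:4312      ESTABLISHED
  TCP    192.0.2.10:8080        192.0.2.22:1054        ESTABLISHED
"""

# Assumed baseline: services expected on this proxy, taken from a known-clean build.
EXPECTED_SERVICES = {"computer browser", "server", "workstation"}

def unexpected_services(net_start_text):
    """Return started services that are not on the baseline (allowlist, not a known-bad list)."""
    started, in_list = [], False
    for line in net_start_text.splitlines():
        if line.startswith("These Windows NT services are started"):
            in_list = True
            continue
        if line.startswith("The command completed"):
            break
        if in_list and line.strip():
            started.append(line.strip())
    return sorted(s for s in started if s.lower() not in EXPECTED_SERVICES)

def external_smb_sessions(netstat_text, internal_prefix="192.0.2."):
    """Return foreign hosts outside the internal range holding ESTABLISHED sessions to TCP/139."""
    hits = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:139\s+(\S+):\d+\s+ESTABLISHED", line)
        if m and not m.group(1).startswith(internal_prefix):
            hits.append(m.group(1))
    return hits
```

Every service the baseline check reports should be traced back to its executable path and Registry entry before it is removed, and any external host on port 139 is a sign the firewall rule Joseph describes is missing.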


Proxy security

by EnserNG In reply to Proxy security

Kash,
An additional suggestion to some good responses...

Since a platform in your organization has been compromised, be sure to perform a full scan of each and every machine with both AntiVirus and an Antispyware application (such as PestPatrol) AS SOON AS POSSIBLE.

Attempt to determine the date the initial intrusion took place; a rudimentary way would be to check the properties of the suspect files. Hopefully you have complete backups to restore AT LEAST the primary platforms of your organization to their pre-compromised state. Then thoroughly scan all recent data before restoring to those newly "restored" machines.

As with many similar problems, if there is one Trojan, you could most definitely expect to find other "malware" (virii, Trojans, spyware, et cetera) on the same platform or others.

Should any of the procedures be a bit more involved than you feel comfortable performing, do not hesitate to call in others who are more familiar with dealing with such situations.
Hope this helps, and best of luck,
Nikk


Proxy security

by kashmeir63 In reply to Proxy security

This question was auto closed due to inactivity
