Bait Server for Trojan

Discussion in 'Server Security' started by Brock Hensley, May 28, 2009.

  1. Hello,

    I'm looking for any recommendations on how to track down the cause of a
    Trojan infection.

    We have a number of reports of the following infection on various servers.
    The only common link we can find between all the infected servers is that
    they do not have Windows Firewall enabled, which is how I assume they are
    compromising the system in the first place and installing the FTP server
    which is then detectable.

    ================
    Troj/ServU-Gen (Sophos)
    Aliases:
    not-a-virus:Server-FTP.Win32.Serv-U.5000 (Kaspersky Lab)
    not-a-virus:RiskWare.FTP.Serv-U.5000 (Kaspersky Lab)
    Hacktool (Symantec)
    BackDoor.Servu.5000 (Doctor Web)
    Troj/ServU-Gen (Sophos)
    BDS/ServU.ba.1 (H+BEDV)
    Win32:Trojano-356 (ALWIL)
    Trojan.ServU.G (SOFTWIN)
    Trojan.Servu.1 (ClamAV)
    Bck/ServU.BB (Panda)
    Server-FTP.Win32.Serv-U
    ================

    I'm trying to think of the best way to set up a "Bait" server with security
    auditing & no Firewall to sniff the infection process.

    WireShark?

    Once the server is infected, it creates "DependOnService" registry entries
    on a few services which causes File & Printer Sharing to not work as well as
    a few other detectable things.

    Any help would be appreciated!
    -B
     
    Brock Hensley, May 28, 2009
    #1
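One way to pin down the "DependOnService" symptom described above, as an added example that is not code from this thread or from any vendor: export HKLM\SYSTEM\CurrentControlSet\Services from a known-clean server and from a suspect server with `reg export`, then diff the DependOnService lists offline. The script parses the `.reg` format itself (REG_MULTI_SZ values are exported as `hex(7):` UTF-16LE byte lists wrapped onto backslash-continued lines) and flags any dependency that is absent from the baseline or that names a service the host does not have, which is the condition that stops a service such as the Server service behind File & Printer Sharing from starting. The sample exports are constructed inline by a small helper; the choice of LanmanServer as the affected service, its SamSS/Srv dependencies, and the name "ExampleRogueSvc" are assumptions and placeholders, not indicators from the thread.

```python
# Added example: audit DependOnService entries across 'reg export' files.
import re
from typing import Dict, List, Optional, Tuple

SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"


def encode_multi_sz(values: List[str], per_line: int = 20) -> str:
    """Encode a REG_MULTI_SZ as regedit exports it: 'hex(7):' UTF-16LE bytes, each
    string NUL-terminated plus a final NUL, wrapped with trailing backslashes onto
    two-space-indented continuation lines."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    hexes = [f"{b:02x}" for b in data]
    chunks = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    return "hex(7):" + ",\\\n  ".join(chunks)


def decode_multi_sz(hex_text: str) -> List[str]:
    """Decode the comma-separated byte list that follows 'hex(7):'."""
    raw = bytes(int(h, 16) for h in hex_text.split(",") if h.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_services(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {service_name: {value_name: raw_value}}.
    Subkeys such as ...\\Services\\Foo\\Parameters are ignored."""
    lines: List[str] = []
    for line in reg_text.splitlines():
        if lines and lines[-1].endswith("\\"):          # continuation of previous value
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.rstrip())
    services: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            m = re.search(r"\\Services\\([^\\]+)$", line[1:-1], re.IGNORECASE)
            current = m.group(1) if m else None
            if current is not None:
                services.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            services[current][name.strip('"')] = value
    return services


def dependencies(services: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {service: [DependOnService entries]} (empty list when the value is absent)."""
    result: Dict[str, List[str]] = {}
    for name, values in services.items():
        raw = values.get("DependOnService")
        if raw is None:
            result[name] = []
        elif raw.startswith("hex(7):"):
            result[name] = decode_multi_sz(raw[len("hex(7):"):])
        else:                                           # tolerate a plain REG_SZ value
            result[name] = [raw.strip('"')]
    return result


def audit(baseline_reg: str, suspect_reg: str) -> List[Tuple[str, str, str]]:
    """Flag (service, dependency, reason) for every dependency on the suspect host that
    is not in the baseline or that names a service the host does not have. Entries
    starting with '+' are load-order groups, not services, and are skipped."""
    base = dependencies(parse_services(baseline_reg))
    susp = dependencies(parse_services(suspect_reg))
    present = {s.lower() for s in susp}                 # service names are case-insensitive
    findings: List[Tuple[str, str, str]] = []
    for svc, deps in susp.items():
        known = {d.lower() for d in base.get(svc, [])}
        for dep in deps:
            if dep.startswith("+"):
                continue
            reasons = []
            if dep.lower() not in known:
                reasons.append("not in baseline")
            if dep.lower() not in present:
                reasons.append("no such service on host")
            if reasons:
                findings.append((svc, dep, "; ".join(reasons)))
    return findings


def build_export(services: Dict[str, List[str]]) -> str:
    """Constructed stand-in for a real 'reg export', used only to keep this example self-contained."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for name, deps in services.items():
        out.append(f"[{SERVICES_KEY}\\{name}]")
        out.append(f'"DisplayName"="{name}"')
        if deps:
            out.append('"DependOnService"=' + encode_multi_sz(deps))
        out.append("")
    return "\n".join(out)


# Constructed baseline from a clean server. The SamSS/Srv and LanmanWorkstation/LanmanServer
# dependencies are typical of Windows Server 2003 but are assumptions here, not thread data.
BASELINE = build_export({
    "SamSS": [], "Srv": [], "LanmanWorkstation": [],
    "LanmanServer": ["SamSS", "Srv"],
    "Browser": ["LanmanWorkstation", "LanmanServer"],
})
# Constructed suspect export: LanmanServer (the Server service behind File & Printer Sharing)
# has gained a dependency on "ExampleRogueSvc", a placeholder name rather than a real
# indicator; because no such service exists on the host, the Server service cannot start.
SUSPECT = build_export({
    "SamSS": [], "Srv": [], "LanmanWorkstation": [],
    "LanmanServer": ["SamSS", "Srv", "ExampleRogueSvc"],
    "Browser": ["LanmanWorkstation", "LanmanServer"],
})

if __name__ == "__main__":
    for svc, dep, reason in audit(BASELINE, SUSPECT):
        print(f"{svc}: DependOnService -> {dep} ({reason})")
```

For real data, run `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` on each server and read the file with `open(path, encoding="utf-16")`, since regedit writes exports as UTF-16 with a byte-order mark; the "no such service on host" check only makes sense when the whole Services key was exported, not a single subkey.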

  2. Dave Guest

    The cause is: you are not secure enough.

    The fix is: get more secure!

    Leave the analysis to the pros; get your security fixed so you aren't a
    vector for transmitting future infections.
     
    Dave, May 28, 2009
    #2

  3. Milo Guest

    Hi Brock.

    First of all you need a sandbox system (infection is possible due to a
    vulnerable machine in your test segment)... then you need to monitor
    ports (all open) and forward file samples to such an area, and it should
    simulate the actual attack; then and only then can you understand the threat
    vector.

    You can reach me here... for a more detailed explanation.
     
    Milo, May 30, 2009
    #3
  4. Cody E Guest

    The best thing you could do, other than setting up a sandbox or a honeypot, is
    to set up Snort and configure its rules. If you don't know how to do this, I
    would most definitely do research on it or hire one or more sec consultants
    to do it for you.
     
    Cody E, Jun 10, 2009
    #4