How do I block port 220

I have a Dell box running Server 2003 SP1, and my network folks tell me that it has been compromised by a Trojan. They see outbound traffic over port 220. Their solution is to take the machine down and reformat the drive. There has got to be another way. How do I block this port? Outbound firewall? Any suggestions would be appreciated. Thanks.

Best would be to rid the box of the Trojan -- who knows what else it is doing besides sending traffic out 220! If your AV did not find it then try ClamWin (http://clamwin.com) and/or Microsoft's new AntiSpyWare Beta (http://www.microsoft.com/)

"id3ego2" <id3e***@discussions.microsoft.com> wrote in message news:C8060435-609A-447D-B9DA-D65F9C343702@microsoft.com...
> I have a dell box running server 2003 sp1, and my network folks tell me that
> it has been compromised by a Trojan. They see outbound traffic over port
> 220. their solution is to take the machine down and reformat the drive.
> There has got to be another way. how do I block this port? Outbound
> firewall? Any suggestions would be appreciated. Thanks.

On Mon, 9 May 2005 08:48:02 -0700, "id3ego2" <id3e***@discussions.microsoft.com> wrote:
>I have a dell box running server 2003 sp1, and my network folks tell me that
>it has been compromised by a Trojan. They see outbound traffic over port
>220. their solution is to take the machine down and reformat the drive.
>There has got to be another way. how do I block this port? Outbound
>firewall? Any suggestions would be appreciated. Thanks.

First, the answer to your question: To block a port, inbound or outbound, simply don't open it in your firewall. You don't actually open ports that aren't needed, do you?

As for your network folks, they're right. If there is a trojan, the system is compromised. The prudent, responsible action is to flatten the box and restore only known good data.

Jeff

"id3ego2" <id3e***@discussions.microsoft.com> wrote in message news:C8060435-609A-447D-B9DA-D65F9C343702@microsoft.com...
>I have a dell box running server 2003 sp1, and my network folks tell me
>that
> it has been compromised by a Trojan. They see outbound traffic over port
> 220. their solution is to take the machine down and reformat the drive.
> There has got to be another way. how do I block this port? Outbound
> firewall? Any suggestions would be appreciated. Thanks.

Reformatting is your last option.
Remove the trojan with tools listed in post above and if you want to block outbound traffic via 220 use IPsec policy.

Dra

Reformatting may, or may not, be the last option. It really depends on how critical this server is, and how important the data/apps that are on it are.
Removing the trojan might still leave 20 other backdoors into the system that the attacker can use to re-establish themselves once the cleanup has been done. Reformatting returns the system to a known-good configuration. That might be necessary if OP can't risk having the possibility of other trojans/backdoors/rootkits/etc on the box.

Cheers
Ken

"Drasko Ivanisevic" <drasko.ivanise***@online.zg.t-com.hr (remove online.)> wrote in message news:ecg2jqiVFHA.2796@TK2MSFTNGP09.phx.gbl...
: "id3ego2" <id3e***@discussions.microsoft.com> wrote in message
: news:C8060435-609A-447D-B9DA-D65F9C343702@microsoft.com...
: >I have a dell box running server 2003 sp1, and my network folks tell me
: >that
: > it has been compromised by a Trojan. They see outbound traffic over port
: > 220. their solution is to take the machine down and reformat the drive.
: > There has got to be another way. how do I block this port? Outbound
: > firewall? Any suggestions would be appreciated. Thanks.
:
: Reformating is your last option.
: Remove the trojan with tools listed in post above and if you want to block
: outbound traffic via 220 use IPsec policy.
:
: Dra

"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message news:uBTcI4iVFHA.2684@TK2MSFTNGP09.phx.gbl...
> Reformatting may, or may not be the last option. It really depends on how
> critical this server is, and how important the data/apps that are on it
> are.
> Removing the trojan might still leave 20 other backdoors into the system
> that the attacker can use to re-establish themselves once the cleanup has
> been done. Reformatting returns the system to a known-good configuration.
> That might be necessary if OP can't risk having the possibility of other
> trojans/backdoors/rootkits/etc on the box.
>
> Cheers
> Ken

I agree!

Dra

On Wed, 11 May 2005 15:09:08 +0200, "Drasko Ivanisevic" <drasko.ivanise***@online.zg.t-com.hr (remove online.)> wrote:
>"id3ego2" <id3e***@discussions.microsoft.com> wrote in message
>news:C8060435-609A-447D-B9DA-D65F9C343702@microsoft.com...
>>I have a dell box running server 2003 sp1, and my network folks tell me
>>that
>> it has been compromised by a Trojan. They see outbound traffic over port
>> 220. their solution is to take the machine down and reformat the drive.
>> There has got to be another way. how do I block this port? Outbound
>> firewall? Any suggestions would be appreciated. Thanks.
>
>Reformating is your last option.
>Remove the trojan with tools listed in post above and if you want to block
>outbound traffic via 220 use IPsec policy.

What about the other trojans and backdoors? You say there aren't any? How do you know? You didn't know about this one until someone told you. The point being, what you don't know will hurt you.

Jeff
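
The IPsec approach suggested in the thread, written out as an added example that is not part of any poster's message: a local block policy built with the `netsh ipsec static` context on Server 2003. The policy, filter list, filter action and rule names are made up, and both TCP and UDP are covered in both port positions because the thread does not say which protocol or which side of the connection uses 220.

```batch
@echo off
rem Added example, not from the thread. All names below are made up.
rem Run from an administrator command prompt on the affected server.

rem 1. Before blocking, record which connections involve port 220 and the
rem    owning process ID (last column), so the evidence is not lost.
netstat -ano | findstr /C:":220 "
rem    Map a PID from that output to an image name, for example (constructed PID):
rem    tasklist /FI "PID eq 1234"

rem 2. Create an empty policy, a filter list and a blocking filter action.
set POLICY=Block-Port-220
netsh ipsec static add policy name=%POLICY% description="Contain outbound port 220"
netsh ipsec static add filterlist name=Out-220
netsh ipsec static add filteraction name=Block-Action action=block

rem 3. Outbound traffic from this host to remote port 220 (srcport=0 means any).
netsh ipsec static add filter filterlist=Out-220 srcaddr=Me dstaddr=Any protocol=TCP srcport=0 dstport=220 mirrored=no
netsh ipsec static add filter filterlist=Out-220 srcaddr=Me dstaddr=Any protocol=UDP srcport=0 dstport=220 mirrored=no

rem 4. Outbound traffic sent from local port 220, in case that is what the
rem    network team observed.
netsh ipsec static add filter filterlist=Out-220 srcaddr=Me dstaddr=Any protocol=TCP srcport=220 dstport=0 mirrored=no
netsh ipsec static add filter filterlist=Out-220 srcaddr=Me dstaddr=Any protocol=UDP srcport=220 dstport=0 mirrored=no

rem 5. Tie the filter list to the block action, then assign the policy.
netsh ipsec static add rule name=Block-Out-220 policy=%POLICY% filterlist=Out-220 filteraction=Block-Action
netsh ipsec static set policy name=%POLICY% assign=y

rem 6. Confirm what is now in force.
netsh ipsec static show policy name=%POLICY% level=verbose
```

This contains one channel only; as Ken's and Jeff's replies point out, it does nothing about any other backdoor that may be on the box.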