how do I work out who/what enabled a service
Windows Server Forum Index -> Security
Bruce Baker
Guest





Posted: Mon Oct 03, 2005 12:50 pm    Post subject: how do I work out who/what enabled a service

Hi

Got a client which has had a virus which installed the Serv-U FTP service.

Symantec and TrendMicro both give the machine a clean bill of health.

We disabled the above service but last night it got re-enabled (we have the GFI
network monitor on this server).

How do I work out which process would have done it ?

MBSA tells us we have all patches installed and no obvious risks. Something's
up. Any ideas?

All workstations inside the network also scan ok etc.

Thanks
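The question above is "which process flipped the service back on", and a default install records nothing that answers it: the Service Control Manager logs that the start type changed (System log, event 7040) but not who asked. What you can do is arm the box so the next re-enable is attributed. The script below is an added example, not from the original thread or from any of the posters; it assumes an elevated PowerShell 5 or later on a current Windows build (neither existed in 2005, when this was asked), and it assumes the service's key under HKLM\SYSTEM\CurrentControlSet\Services is named Serv-U, which you must verify with Get-Service before running it.

```powershell
# Added example, not from the original thread. Arms auditing so the next
# change to the service's Start value is logged with the account and process
# that made it (Security event 4657), alongside the SCM's own 7040.
# Assumptions: elevated PowerShell 5+, and the service key is named 'Serv-U'
# (verify: Get-Service | Where-Object DisplayName -like '*Serv-U*').
param([string]$ServiceName = 'Serv-U')

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $keyPath)) { throw "No service key at $keyPath; check the name with Get-Service" }

# 1. Policy: the Registry subcategory of Object Access must be on, or a SACL does nothing.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
#    Process Creation (4688) with command lines lets a 4657 be tied to a parent chain.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditPolicy -Force | Out-Null
Set-ItemProperty -Path $auditPolicy -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 2. SACL on the service key: audit every write (SetValue / CreateSubKey / Delete /
#    permission change) by any principal, inherited down to subkeys.
$rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
          [System.Security.AccessControl.RegistryRights]::Delete -bor
          [System.Security.AccessControl.RegistryRights]::ChangePermissions
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure))
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Put the service back to Disabled and stamp the time, so anything that
#    flips Start back to 2 (Automatic) after this moment is the event to chase.
Set-Service -Name $ServiceName -StartupType Disabled
Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
$marker = Join-Path $env:ProgramData 'service-disabled-at.txt'
(Get-Date).ToString('o') | Set-Content -Path $marker
Write-Host "Auditing armed for $keyPath; service disabled at $(Get-Content $marker)"
```

Two caveats. A 4657 whose ProcessName is services.exe means the change came in through the Service Control Manager API (sc config, ChangeServiceConfig) rather than a direct registry write; the SCM does the write in its own context, so the real caller has to be found in the 4688 process-creation events from the same second. And none of this makes the machine trustworthy: it tells you what touched the key on a box you already know is compromised, which is worth knowing before the rebuild that Roger recommends, not instead of it.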
Roger Abell [MVP]
Guest





Posted: Tue Oct 04, 2005 8:51 am    Post subject: Re: how do I work out who/what enabled a service

Once a machine has been compromised in that way, you need to
understand that any scanning tool can only tell you that it found
this or that, and cannot tell you that there is nothing to be found
(only that it failed to find it if it is there).
The only valid recommendation for your case is to rebuild the
machine starting with a format.

Steven L Umbach
Guest





Posted: Wed Oct 05, 2005 12:50 am    Post subject: Re: how do I work out who/what enabled a service

I agree with Roger, and keep in mind that malware detection programs are not
meant to check a computer for being hacked, which is different from a virus.
A hacked computer could be owned by someone else, and there can be scripts,
registry entries, etc. that may be causing the service to be enabled again.
If you have auditing of system events enabled then you may find some clues
in the logs using Event Viewer. MBSA is very helpful but does a basic
security check and is not meant to ensure computer security. Enforcing
strong passwords on your network and not making workstation users local
administrators can also go a long way toward preventing compromises of the
operating system. The link below is Microsoft security guidance for small
businesses which may be of help, and the second link is to the Threats and
Countermeasures Guide. --- Steve

http://www.microsoft.com/smallbusiness/support/checklist/default.mspx
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx

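Steve's two leads, the event logs and the "scripts, registry entries, etc." that keep re-enabling the service, can be pulled out in one pass rather than clicked through in Event Viewer. The script below is an added example, not from the original thread or from any of the posters. It assumes an elevated PowerShell 5 or later on a current Windows build and a service key named Serv-U (an assumption; confirm with Get-Service). The 7040 section and the persistence listing work on any box; the 4657 and 4688 sections only return rows if Object Access (Registry) and Process Creation auditing are enabled and the service key carries a SACL.

```powershell
# Added example, not from the original thread. Reads the evidence out of the
# event logs and lists the common re-enable mechanisms. Assumptions: elevated
# PowerShell 5+ on a modern Windows build; service key named 'Serv-U' (verify
# with Get-Service). 4657/4688 rows only exist if Registry and Process Creation
# auditing are on and the key carries a SACL; 7040 and the persistence listing
# work on any box.
param([string]$ServiceName = 'Serv-U', [int]$HoursBack = 24)
$since = (Get-Date).AddHours(-$HoursBack)

# Flatten <EventData><Data Name="..."> into a hashtable. The Message text is
# localized, so key on the named fields instead.
function ConvertTo-EventData($Event) {
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    return $d
}
function Get-Events($LogName, $Id) {
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue
}

# 1. SCM's own record: 7040 "The start type of the X service was changed from
#    disabled to auto start". Logged on every Windows, no auditing needed.
Write-Host "== 7040: start type changes mentioning $ServiceName =="
Get-Events 'System' 7040 | Where-Object { $_.Message -like "*$ServiceName*" } |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 2. Who and what wrote under the service key (4657 carries account + process).
Write-Host "== 4657: registry writes under Services\$ServiceName =="
$writes = @(Get-Events 'Security' 4657 | ForEach-Object {
    $d = ConvertTo-EventData $_
    if ($d.ObjectName -like "*\Services\$ServiceName*") {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ProcId  = $d.ProcessId          # hex string, e.g. 0x1a4
            Process = $d.ProcessName        # services.exe means it came via the SCM API
            Value   = $d.ObjectValueName    # 'Start' is the one to watch (2 = Automatic)
            Old     = $d.OldValue
            New     = $d.NewValue
        }
    }
})
$writes | Format-Table -AutoSize

# 3. Tie each writing process to its command line and parent (4688).
#    NewProcessId in 4688 is the same hex form as ProcessId in 4657.
Write-Host "== 4688: how those processes were started =="
$procIds = $writes | Select-Object -ExpandProperty ProcId -Unique
Get-Events 'Security' 4688 | ForEach-Object {
    $d = ConvertTo-EventData $_
    if ($procIds -contains $d.NewProcessId) {
        [pscustomobject]@{ Time = $_.TimeCreated; ProcId = $d.NewProcessId; Image = $d.NewProcessName
                           Parent = $d.ParentProcessName; CommandLine = $d.CommandLine }
    }
} | Format-Table -Wrap

# 4. A SACL on one key misses a fresh CreateService; 4697 catches that.
Write-Host "== 4697: services installed in the window =="
Get-Events 'Security' 4697 | ForEach-Object {
    $d = ConvertTo-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Service = $d.ServiceName; Image = $d.ServiceFileName
                       By = "$($d.SubjectDomainName)\$($d.SubjectUserName)" }
} | Format-Table -Wrap

# 5. Where a nightly "re-enable" usually lives. Anything you cannot account
#    for here is the next thing to examine (on a copy), not the thing to delete.
Write-Host "== Run / RunOnce keys =="
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ItemProperty -Path $_ | Select-Object * -ExcludeProperty PS* }

Write-Host "== Scheduled tasks whose action is outside System32 =="
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -and $a.Execute -notlike "$env:SystemRoot\System32\*") {
            [pscustomobject]@{ Task = $_.TaskName; Path = $_.TaskPath; Run = "$($a.Execute) $($a.Arguments)" }
        }
    }
} | Format-Table -Wrap

Write-Host "== WMI permanent event subscriptions (rarely legitimate on a small-business server) =="
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Select-Object Filter, Consumer
```

Run it the morning after the service comes back, with -HoursBack wide enough to cover the night. The scheduled-task filter is deliberately loose: task actions often carry unexpanded %SystemRoot% paths, so it errs toward showing too much, and a task that launches cmd.exe or cscript.exe from System32 with a script argument will only show up if you read the arguments rather than the executable. Treat the output as a map of what to look at, not as a verdict; as Roger says, the machine still gets rebuilt.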