how do I work out who/what enabled a service

Posted by Bruce Baker on October 3, 2005, 10:48 pm
Hi

Got a client which has had a virus which installed serv-u ftp service.

Symantec and TrendMicro both give the machine a clean bill of health.

We disabled the above service but last night it got reenabled (got the GFI
network monitor on this server)

How do I work out which process would have done it?

MBSA tells us we have all patches installed and no obvious risks. Something's
up. Any ideas?

All workstations inside the network also scan ok etc.

Thanks




Posted by Roger Abell [MVP] on October 4, 2005, 12:29 am
Once a machine has been compromised in that way, you need to
understand that any scanning tool can only tell you that it found
this or that, and cannot tell you that there is nothing to be found
(only that it failed to find it if it is there).
The only valid recommendation for your case is to rebuild the
machine starting with a format.

> Hi
>
> Got a client which has had a virus which installed serv-u ftp service.
>
> Symantec and TrendMicro both give the machine a clean bill of health.
>
> We disabled the above service but last night it got reenabled (got the GFI
> network monitor on this server)
>
> How do I work out which process would have done it ?
>
> MBSA tells us we have all patches installed and no obvious risks.
> Somethings up. Any ideas ?
>
> All workstations inside the network also scan ok etc.
>
> Thanks
>




Posted by Steven L Umbach on October 4, 2005, 7:24 pm
I agree with Roger, and keep in mind that malware detection programs are not
meant to check a computer for being hacked, which is different from a virus.
A hacked computer could be owned by someone else, and there can be scripts,
registry entries, etc. that may be causing the service to be enabled again.
If you have auditing of system events enabled then you may find some clues
in the logs using Event Viewer. MBSA is very helpful but does a basic
security check and is not meant to ensure computer security. Enforcing
strong passwords on your network and not making workstation users local
administrators can also go a long way to preventing compromises of the
operating system. The link below is Microsoft security guidance for small
businesses which may be of help, and the second link is to the Threats and
Countermeasures Guide. --- Steve

http://www.microsoft.com/smallbusiness/support/checklist/default.mspx
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx

> Hi
>
> Got a client which has had a virus which installed serv-u ftp service.
>
> Symantec and TrendMicro both give the machine a clean bill of health.
>
> We disabled the above service but last night it got reenabled (got the GFI
> network monitor on this server)
>
> How do I work out which process would have done it ?
>
> MBSA tells us we have all patches installed and no obvious risks.
> Somethings up. Any ideas ?
>
> All workstations inside the network also scan ok etc.
>
> Thanks
>
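Steve's suggestion to look for clues in the event logs is the right starting point for the original question ("who/what enabled the service"). The script below is an added example, not part of the thread and not from any of the posters: it enables the auditing that produces the needed evidence, then pulls the two records that together answer the question. It assumes a current Windows version (Vista/2008 or later event IDs; the 2003-era Security log used different IDs), PowerShell 5 or later run as an administrator, and that the suspect service's short name is known; `Serv-U` is used here as an assumed name only.

```powershell
# Added example (not from the thread): find which account and process
# re-enabled a service by correlating Service Control Manager event 7040
# (System log: start type changed) with Security event 4657 (registry value
# modified) on the service's key. Assumes Vista/2008+ event IDs, PowerShell 5+,
# an elevated session, and that 'Serv-U' is the service short name (assumed).

param(
    [string]$ServiceName = 'Serv-U',   # assumed short name of the suspect service
    [int]$Days = 7                     # how far back to search
)

$since  = (Get-Date).AddDays(-$Days)
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# Step 1: make sure the evidence will exist next time. Turning on the
# 'Registry' object-access subcategory and placing a SACL on the service key
# makes every write to its Start value produce Security event 4657, which
# records the caller's account and process image.
function Enable-ServiceKeyAuditing {
    param([string]$KeyPath)
    & auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
    $acl  = Get-Acl -Path $KeyPath -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        'SetValue,CreateSubKey,Delete',
        'ContainerInherit,ObjectInherit',
        'None',
        'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# Step 2: System event 7040 records every start-type change (and when), but
# not who made it. It confirms the "it got re-enabled last night" observation.
function Get-StartTypeChanges {
    param([string]$Name, [datetime]$Since)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                 Id = 7040; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Name) } |
        ForEach-Object {
            # Message text has the form:
            # "The start type of the X service was changed from disabled to auto start."
            if ($_.Message -match 'changed from (?<old>.+?) to (?<new>.+?)\.') {
                [pscustomobject]@{
                    Time = $_.TimeCreated; Service = $Name
                    From = $Matches.old;   To = $Matches.new
                }
            }
        }
}

# Step 3: Security event 4657 carries SubjectUserName and ProcessName for a
# write to the audited key. Parsing the event XML by field name is more robust
# than relying on positional Properties indexes.
function Get-ServiceKeyWrites {
    param([string]$Name, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # ObjectName looks like \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\<name>
        if ($d.ObjectName -like "*\Services\$Name*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.ProcessName
                Value   = $d.ObjectValueName
                Old     = $d.OldValue
                New     = $d.NewValue
            }
        }
    }
}

Enable-ServiceKeyAuditing -KeyPath $svcKey
Get-StartTypeChanges -Name $ServiceName -Since $since | Format-Table -AutoSize
Get-ServiceKeyWrites  -Name $ServiceName -Since $since | Format-Table -AutoSize
```

Two caveats worth knowing before reading the output. A change made through the Service Control Manager (sc.exe, services.msc, or a ChangeServiceConfig call) is written to the registry by services.exe, so event 4657 will then show SYSTEM and services.exe rather than the real caller; in that case use the 7040 timestamp and correlate it with logon (4624) and process creation (4688) events from the same minute. And, as Roger says, these logs only tell you what an already-compromised host chose to record; they help you learn how the machine was re-infected so the rebuild does not repeat it, not to certify it clean.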



