I just found the same thing on one of my clients. Again executing ftp. All admin tools had been copied to the etc\winmgmt\temp directory with FireDaemon making them services. Couldn't figure out how they got in.

Craig A. Mills
Computer Aided Management, Inc.
371 Oak Pl., Ste. H
Brea, Ca. 92821
(714) 257-0108

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim McGowan
Sent: Tuesday, January 21, 2003 6:44 AM
To: NT 2000 Discussions
Subject: RE: FireDaemon - Strange Service found running on server

Keep your eyes open for a relauncher. We had a similar thing happen and it kept returning. We found an app running called spooler.exe that was a relauncher of the trojans. Spooler.exe would wait until it thinks you're not watching and then it would reinstall the dlls and trojans on the system.

Jim

-----Original Message-----
From: Børre Nilsen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 21, 2003 4:41 AM
To: NT 2000 Discussions
Subject: RE: FireDaemon - Strange Service found running on server

When I found that service on our server, the next thing I found was a bunch of DVD-films loaded on the disk by someone from somewhere not known to us. I would be very suspicious if I were you. The box may be compromised.

Børre

-----Original Message-----
From: Morris, Leslie C [mailto:[EMAIL PROTECTED]]
Sent: 7 January 2003 15:20
To: NT 2000 Discussions
Subject: RE: FireDaemon - Strange Service found running on server

Go to http://www.firedaemon.com/.

Regards,
Les Morris
TSS Platform Engineer
Shift 4
Intel Online Services

-----Original Message-----
From: Brian Dugas [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 07, 2003 6:12 AM
To: NT 2000 Discussions
Subject: FireDaemon - Strange Service found running on server

Has anyone ever found a service running on their server called "FireDaemon", or a dll named yep.dll? We found a service yesterday that was installed on one of our servers called FireDaemon. We also found a fake dll called yep.dll, which was just a text file, not a real dll. Anyone ever see this or hear of this?

Brian

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to %%email.unsub%%
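
Added example, not part of the original thread: a small triage check built from the indicators the posters describe (a FireDaemon service nobody installed, binaries run as services out of a temp directory, a relauncher named spooler.exe, and a "dll" that is really a text file). FireDaemon is a legitimate service wrapper, so a hit means "review this", not "malicious". The service list, the C:\WINNT\system32 path prefix and the file bytes are constructed sample data, and the function names are hypothetical.

```python
import struct

# Names taken from the thread; a hit means "review", not "malicious".
WATCHED_IMAGES = {"firedaemon.exe", "spooler.exe"}
SUSPECT_DIR_PARTS = {"temp", "tmp"}

def image_from_command(cmd):
    """Extract the executable path from a service ImagePath command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: cut after the first ".exe" so paths with spaces survive.
    end = cmd.lower().find(".exe")
    return cmd[:end + 4] if end != -1 else cmd.split(" ", 1)[0]

def review_service(name, image_path):
    """Return the list of reasons a service deserves a closer look."""
    exe = image_from_command(image_path)
    parts = [p.lower() for p in exe.replace("/", "\\").split("\\")]
    reasons = []
    if name.lower() == "firedaemon" or parts[-1] in WATCHED_IMAGES:
        reasons.append("watched name")
    if SUSPECT_DIR_PARTS & set(parts[:-1]):
        reasons.append("runs from temp directory")
    return reasons

def looks_like_pe(data):
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

# Constructed sample data (not taken from the posters' hosts).
SERVICES = {
    "Spooler": r"C:\WINNT\system32\spoolsv.exe",
    "FireDaemon": r"C:\WINNT\system32\etc\winmgmt\temp\firedaemon.exe -s",
    "PrintHelper": r'"C:\WINNT\system32\etc\winmgmt\temp\spooler.exe"',
}
FAKE_DLL = b"plain text saved with a .dll extension\r\n"
REAL_DLL = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

def triage():
    """Map each flagged service name to its reasons."""
    return {n: r for n, p in SERVICES.items() if (r := review_service(n, p))}

if __name__ == "__main__":
    for name, reasons in triage().items():
        print(name, "->", ", ".join(reasons))
    print("yep.dll is PE:", looks_like_pe(FAKE_DLL))
```

On a live host the same checks would be fed from an export of the service ImagePath values and the first bytes of each suspect file.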
