Hamish, Sorry, I should have provided a better desicription to begin.
> The simple answer is find out how it was put on there, and block off that That's the problem -- it's not so simple. This is a dedicated web server (Win2K/IIS5) that I have co-located in a top-tier data center. The app was installed remotely, and no logins were compromised. I had just finished having my SQL Server harded (about 10 days _before_ Slammer!) and we ran some extensive password cracking software then. I was feeling pretty ok, and then I started getting SpamCop reports. I checked for an open relay a hundred times, but couldn't find anything. After a couple of days I found the copy of Proxy+ and blew it away. I then installed a software firewall, and I'm ok now (except for learning how to configure the firewall :-) ). The real problem is that I don't know how this install was done. I would really like to address this as an independent issue. I must have something configured horribly wrong, but how do I start the detective work? And now, everything seems suspicious. I feel the urge to disable every service! :-) Anyhow, if you have ideas on how an app could get installed remotely, I could start investigating. > Then do a security audit on that machine. I hae subscribed to the SecurityMetrics offering, which I think will definitely help on an ongoing basis. But my situation is not ideal. I'm misconfigured, I'm sure, but hadnling it with a firewall. I want to be correctly configured and have the firewall as an extra measure of safety. I would enjoy hearing your speculation! Thanks! Bill
