
Eggdrop bot in System volume info


1 reply to this topic

#1 smokes2345


Posted 29 January 2008 - 11:00 AM

I started working with a hosting company about two months ago, and a few weeks ago I found an eggdrop bot running on one of our mail servers. The users and domains have been moved to another server and the infected one taken offline, but the boss wants to know how it got there. I know it was serving out French DVD rips and scanning for SQL servers and performing dictionary attacks on those it found. It has two partitions; the bot itself was in C:\system volume information, while the movies it was serving were on E:\system volume information. As far as I can tell the indexing service was disabled and Win2000 doesn't have shadow copy. SP4 installed, running iMail 8.15, no firewall. I'm not really sure where to look first as to how it got in there. Any ideas?

#2 Budfred


Posted 29 January 2008 - 07:44 PM

I suggest you check here:

http://www.castlecops.com/mirt

Others may be able to give you help here as well...
Budfred


MS MVP 2006 and ASAP Member since 2004
