Solved

Firedaemon service possibly a virus?

Posted on 2003-10-21
1,479 Views
Last Modified: 2010-03-05
I am running an Exchange 5.5 server sp4.  The server has slowed quite a bit recently so I started looking into event logs etc...   I have a process "winsys" that dies & restarts every couple of seconds.  It looks like "firedaemon" is running this service.  Firedaemon is also running drvisys, printer, runbatch, system, & winserv.  I looked at the properties of Firedaemon.exe & it was created a couple of months ago.  I did not alter the file or install it.  The other strange thing is normally firedaemon is installed as a program. (c:\programs\firedaemon)  I found the exe in c:\winnt\java\etc\etc\firedaemon.exe.  Does anyone have any ideas??

Thanks in advance!!!
0
Question by:8lackd0g
12 Comments
 
LVL 4

Expert Comment

by:subsoniq
ID: 9593844
http://www.firedaemon.com/

it's a tool to run things as a service, the company I used to work at used it a few times and it seemed pretty useful.
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9593845
Nope

http://www.firedaemon.com/

Using MRTG by chance?
0
 

Author Comment

by:8lackd0g
ID: 9594042
I currently use Firedaemon on some machines out on the floor.  I have not installed the program on my Exchange Server.  I am not using the MRTG.  I cannot even get the gui to start for the firedaemon program.  The .exe for firedaemon is located in c:\winnt\java\etc\etc folder.  Normally the firedaemon program is located in c:\programs\firedaemon.  I do not have that directory.  I scanned my system32 folder & it found a backdoor.trojan in a folder named "rocket".  I used my laptop with NAV to scan the system32 folder.  The Exchange server is running Trend ScanMail.
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594059
If it doesn't belong, get rid of it.

If you can't uninstall, this will work:
SRVINSTW.EXE

0
 
LVL 4

Accepted Solution

by:subsoniq (earned 300 total points)
ID: 9594102
ouch, looks like someone backdoored your exchange server.  I would highly suggest building a new exchange server and moving mailboxes/public folders/functions to it and killing this one, but I'm especially paranoid about such things and would never trust that server again.
0
 

Author Comment

by:8lackd0g
ID: 9594274
I was not running a firewall until recently.  I started here a short time ago. Every time that a new virus came out, we got it until I put up the firewall.  I would like to keep this 5.5 beast running until end of life comes this December.  I thought that it might be a virus but I cannot find anything similar to this one.  I just stopped every service that is tied to firedaemon & email is still working properly. How can I find out what these services are used for?  Do you see any that would need to be running?  Normally if it is something that is required to run, NT should have taken care of it, right?  Firedaemon is typically used for 3rd party programs.  My processor on the Exchange seems to be cooling off now finally....
0
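An added triage script (not from this thread or from FireDaemon) for the two questions raised above, which services FireDaemon is wrapping on the box and which of them look out of place: it parses constructed `sc qc` output and flags a service when its binary is firedaemon.exe outside the usual install directory, when the binary sits outside trusted directories, or when the service name is one of the lookalike names from this thread. The trusted-directory list, the lookalike set and the FireDaemon_mrtg service are assumptions made for the example.

```python
import re

# Assumed for this example: directories where a Windows service binary or a properly
# installed FireDaemon normally lives (the thread names c:\programs\firedaemon as usual).
TRUSTED_DIRS = (r"c:\winnt\system32", r"c:\windows\system32",
                r"c:\program files", r"c:\programs\firedaemon")
# Service names from the thread that imitate built-in components but are not NT services.
LOOKALIKE_NAMES = {"system", "winsys", "winserv", "printer", "drvisys", "runbatch"}

# Constructed sample: concatenated `sc qc <name>` output for three services.
SAMPLE_SC_QC = """\
SERVICE_NAME: winsys
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\WINNT\\java\\etc\\etc\\firedaemon.exe
        DISPLAY_NAME       : winsys

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\WINNT\\system32\\spoolsv.exe
        DISPLAY_NAME       : Print Spooler

SERVICE_NAME: FireDaemon_mrtg
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\\programs\\firedaemon\\firedaemon.exe" mrtg
        DISPLAY_NAME       : FireDaemon_mrtg (hypothetical, legitimately installed)
"""

_BLOCK = re.compile(r"SERVICE_NAME:\s*(\S+).*?BINARY_PATH_NAME\s*:[ \t]*(.+?)[ \t]*(?:\n|$)", re.S)

def parse_sc_qc(text):
    """Return [(service_name, binary_path_with_args)] from concatenated `sc qc` output."""
    return _BLOCK.findall(text)

def executable_of(binary_path):
    """Strip quotes and arguments, leaving the lower-cased path of the service executable."""
    m = re.match(r'\s*"?([^"]*?\.exe)', binary_path, re.I)
    return (m.group(1) if m else binary_path).lower()

def triage(services):
    """Map service name -> reasons it deserves a look; clean services are omitted."""
    findings = {}
    for name, binary_path in services:
        exe = executable_of(binary_path)
        reasons = []
        if exe.endswith("firedaemon.exe") and not exe.startswith(r"c:\programs\firedaemon"):
            reasons.append("firedaemon wrapper outside its install directory")
        if not exe.startswith(TRUSTED_DIRS):
            reasons.append("binary outside trusted directories")
        if name.lower() in LOOKALIKE_NAMES:
            reasons.append("service name mimics a built-in component")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(parse_sc_qc(SAMPLE_SC_QC)).items():
        print(name, "->", "; ".join(reasons))
```

On a real host, feed it the saved output of `sc qc` for every service name listed by `sc query`; for a wrapped service the arguments after firedaemon.exe name the FireDaemon definition to inspect next.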
 
LVL 4

Expert Comment

by:subsoniq
ID: 9594300
Now you're getting into the world of computer forensics and incident response. You should go to the Windows Security section of experts-exchange:

http://www.experts-exchange.com/Security/Win_Security/
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594303
"I started here a short time ago"

That means your previous guy could have installed Firedaemon.

But if this box was wide open for a long time... who knows. Does it look like it's been turned into a "warez" server (low disk space)... ftp services would have to have been compromised (if running)
0
 

Author Comment

by:8lackd0g
ID: 9594444
The "last modified" tag on firedaemon.exe was after the previous IT had left.  I had a low disk space problem a while back but that was caused by the backup not flushing the committed logs for a couple of days.  Is there a way to transfer this thread to Win_Security or do I need to start a new one?
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594452
new
0
 

Author Comment

by:8lackd0g
ID: 9594574
How do I end this thread?
0
 
LVL 4

Expert Comment

by:subsoniq
ID: 9594744
assign points.
0
