Solved

Firedaemon service possibly a virus?

Posted on 2003-10-21
12
1,472 Views
Last Modified: 2010-03-05
I am running an Exchange 5.5 server sp4.  The server has slowed quite a bit recently so I started looking into event logs etc...   I have a process "winsys" that dies & restarts every couple of seconds.  It looks like "firedaemon" is running this service.  Firedaemon is also running drvisys, printer, runbatch, system, & winserv.  I looked that the properties of Firedaemon.exe & it was created a couple of months ago.  I did not alter the file or install it.  The other strange thing is normally firedaemon is installed as a program. (c:\programs\firedaemon)  I found the exe in c:\winnt\java\etc\etc\firedaemon.exe.  Does anyone have any ideas??

Thanks in advance!!!
0
Comment
Question by:8lackd0g
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 4
12 Comments
 
LVL 4

Expert Comment

by:subsoniq
ID: 9593844
http://www.firedaemon.com/

it's a tool to run things as a service, the company I used to work at used it a few times and it seemed pretty useful.
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9593845
Nope

http://www.firedaemon.com/

Using MRTG by chance?
0
 

Author Comment

by:8lackd0g
ID: 9594042
I currently use Firedaemon on some machines out on the floor.  I have not installed the program on my Exchange Server.  I am not using the MRTG.  I cannot even get the gui to start for the firedaemon program.  The .exe for firedaemon is located in c:\winnt\java\etc\etc folder.  Normally the firedaemon program is located in c:\programs\firedaemon.  I do not have that directory.  I scanned my system32 folder & it found a backoor.trojan in a folder named "rocket".  I used my laptop with NAV to scan the system32 folder.  The Exchange server is running Trend ScanMail.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594059
If it don't belong, get rid of it.

If you can't uninstall, this will work:
SRVINSTW.EXE

0
 
LVL 4

Accepted Solution

by:
subsoniq earned 100 total points
ID: 9594102
ouch, looks like someone back doored your exchange server.  I would highly suggest building a new exchange server and moving mailboxes/public folders/functions to it and killing this one, but I'm especially paranoid about such things and would never trust that server again.
0
 

Author Comment

by:8lackd0g
ID: 9594274
I was not running a firewall until recently.  I started here a short time ago. Every time that a new virus came out, we got it until I put up the firewall.  I would like to keep this 5.5 beast running until end of life comes this December.  I thought that it might be a virus but I cannot find anything similar to this one.  I just stopped every service that is tied to firedaemon & email is still working properly. How can I find out what these services are used for?  Do you see any that would need to be running?  Normally if it is something that is required to run, NT should have it taken care of it right?  Firedaemon is typically used for 3rd party programs.  My processor on the Exchange seems to be cooling off now finally....
0
 
LVL 4

Expert Comment

by:subsoniq
ID: 9594300
Now your getting into the world of computer forensics and incident response, you should go to the Windows Security section of experts-exchange

http://www.experts-exchange.com/Security/Win_Security/
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594303
"I started here a short time ago"

That means your previous guy could have installed Firedaemon.

 But if this box was wide open for a  long time... who knows. Does it look like it's been turned into a "warez" server (low disc space)... ftp services would have to have been comprimised (if running)
0
 

Author Comment

by:8lackd0g
ID: 9594444
The "last modified" tag on firedaemon.exe was after the previous IT had left.  I had a low disk space problem a while back but that was caused by the backup not flushing the committed logs for a couple of days.  Is there a way to transfer this thread to Win_Security or do I need to start a new one?
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594452
new
0
 

Author Comment

by:8lackd0g
ID: 9594574
How do I end this thread?
0
 
LVL 4

Expert Comment

by:subsoniq
ID: 9594744
assign points.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out what you should include to make the best professional email signature for your organization.
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
This video discusses moving either the default database or any database to a new volume.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question