Solved

Firedaemon service possibly a virus?

Posted on 2003-10-21
1,474 Views
Last Modified: 2010-03-05
I am running an Exchange 5.5 server SP4. The server has slowed quite a bit recently, so I started looking into event logs etc. I have a process "winsys" that dies & restarts every couple of seconds. It looks like "firedaemon" is running this service. Firedaemon is also running drvisys, printer, runbatch, system, & winserv. I looked at the properties of Firedaemon.exe & it was created a couple of months ago. I did not alter the file or install it. The other strange thing is normally firedaemon is installed as a program (c:\programs\firedaemon). I found the exe in c:\winnt\java\etc\etc\firedaemon.exe. Does anyone have any ideas??

Thanks in advance!!!
Question by:8lackd0g
12 Comments
 
LVL 4

Expert Comment

by:subsoniq
ID: 9593844
http://www.firedaemon.com/

it's a tool to run things as a service, the company I used to work at used it a few times and it seemed pretty useful.
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9593845
Nope

http://www.firedaemon.com/

Using MRTG by chance?
 

Author Comment

by:8lackd0g
ID: 9594042
I currently use Firedaemon on some machines out on the floor. I have not installed the program on my Exchange Server. I am not using MRTG. I cannot even get the GUI to start for the firedaemon program. The .exe for firedaemon is located in the c:\winnt\java\etc\etc folder. Normally the firedaemon program is located in c:\programs\firedaemon. I do not have that directory. I scanned my system32 folder & it found a backdoor.trojan in a folder named "rocket". I used my laptop with NAV to scan the system32 folder. The Exchange server is running Trend ScanMail.
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594059
If it doesn't belong, get rid of it.

If you can't uninstall, this will work:
SRVINSTW.EXE

 
LVL 4

Accepted Solution

by:subsoniq (earned 300 total points)
ID: 9594102
Ouch, looks like someone backdoored your Exchange server. I would highly suggest building a new Exchange server and moving mailboxes/public folders/functions to it and killing this one, but I'm especially paranoid about such things and would never trust that server again.
 

Author Comment

by:8lackd0g
ID: 9594274
I was not running a firewall until recently. I started here a short time ago. Every time that a new virus came out, we got it, until I put up the firewall. I would like to keep this 5.5 beast running until end of life comes this December. I thought that it might be a virus, but I cannot find anything similar to this one. I just stopped every service that is tied to firedaemon & email is still working properly. How can I find out what these services are used for? Do you see any that would need to be running? Normally, if it is something that is required to run, NT should have it taken care of, right? Firedaemon is typically used for 3rd-party programs. My processor on the Exchange seems to be cooling off now, finally....
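One way to start answering the question of which services are wrapped by a service-runner binary and where their executables live, as an added example that is not part of the original thread: a small Python triage over the output of `sc qc`, run here on constructed sample output modelled on the post. The trusted-directory list, the `sc qc` text layout and the two normal services are assumptions; FireDaemon's real target command sits in its own configuration rather than in the service's binary path, so a wrapped service is flagged for manual inspection rather than resolved here.

```python
import re

# Constructed sample, modelled on the thread: `sc qc <name>` output for three services.
# "winsys" and its firedaemon.exe path come from the post; the other two are for comparison.
SAMPLE_SC_QC = r"""SERVICE_NAME: winsys
        BINARY_PATH_NAME   : c:\winnt\java\etc\etc\firedaemon.exe
        DISPLAY_NAME       : winsys

SERVICE_NAME: MSExchangeIS
        BINARY_PATH_NAME   : C:\exchsrvr\bin\store.exe
        DISPLAY_NAME       : Microsoft Exchange Information Store

SERVICE_NAME: Spooler
        BINARY_PATH_NAME   : "C:\WINNT\system32\spoolsv.exe" /someflag
        DISPLAY_NAME       : Print Spooler
"""

# Wrappers that run an arbitrary command as a service: the real program sits in the
# wrapper's own configuration, not in BINARY_PATH_NAME, so it must be checked by hand.
SERVICE_WRAPPERS = {"firedaemon.exe", "srvany.exe"}
# Directories where service binaries are expected on this kind of host (assumed list).
TRUSTED_DIRS = {"c:\\winnt\\system32\\", "c:\\winnt\\", "c:\\exchsrvr\\bin\\"}
TRUSTED_PREFIX = "c:\\program files\\"

def parse_sc_qc(text):
    """Map service name -> raw BINARY_PATH_NAME from concatenated `sc qc` output."""
    services = {}
    for block in re.split(r"(?m)^SERVICE_NAME:[ \t]*", text)[1:]:
        name = block.splitlines()[0].strip()
        m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", block)
        if m:
            services[name] = m.group(1).strip()
    return services

def triage_services(text):
    """Return {service: [reasons]} for services that deserve manual inspection."""
    findings = {}
    for name, raw in parse_sc_qc(text).items():
        # Executable part only: strip surrounding quotes and trailing arguments.
        m = re.match(r'"?(.+?\.exe)', raw, re.IGNORECASE)
        exe = (m.group(1) if m else raw.split(" ")[0]).lower()
        directory, _, basename = exe.rpartition("\\")
        reasons = []
        if basename in SERVICE_WRAPPERS:
            reasons.append("service wrapper: real command lives in its config")
        if directory + "\\" not in TRUSTED_DIRS and not directory.startswith(TRUSTED_PREFIX):
            reasons.append("binary outside trusted directories")
        if reasons:
            findings[name] = reasons
    return findings
```

On a real host, feed `triage_services` the concatenated output of `sc qc <name>` for every name listed by `sc query`; here `triage_services(SAMPLE_SC_QC)` flags only `winsys`, for both reasons.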
 
LVL 4

Expert Comment

by:subsoniq
ID: 9594300
Now you're getting into the world of computer forensics and incident response; you should go to the Windows Security section of experts-exchange

http://www.experts-exchange.com/Security/Win_Security/
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594303
"I started here a short time ago"

That means your previous guy could have installed Firedaemon.

But if this box was wide open for a long time... who knows. Does it look like it's been turned into a "warez" server (low disk space)? FTP services would have to have been compromised (if running).
 

Author Comment

by:8lackd0g
ID: 9594444
The "last modified" tag on firedaemon.exe was after the previous IT had left.  I had a low disk space problem a while back but that was caused by the backup not flushing the committed logs for a couple of days.  Is there a way to transfer this thread to Win_Security or do I need to start a new one?
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594452
new
 

Author Comment

by:8lackd0g
ID: 9594574
How do I end this thread?
 
LVL 4

Expert Comment

by:subsoniq
ID: 9594744
assign points.