Solved

Firedaemon service possibly a virus?

Posted on 2003-10-21
Last Modified: 2010-03-05
I am running an Exchange 5.5 server sp4.  The server has slowed quite a bit recently so I started looking into event logs etc...   I have a process "winsys" that dies & restarts every couple of seconds.  It looks like "firedaemon" is running this service.  Firedaemon is also running drvisys, printer, runbatch, system, & winserv.  I looked at the properties of Firedaemon.exe & it was created a couple of months ago.  I did not alter the file or install it.  The other strange thing is normally firedaemon is installed as a program. (c:\programs\firedaemon)  I found the exe in c:\winnt\java\etc\etc\firedaemon.exe.  Does anyone have any ideas??

Thanks in advance!!!
Question by:8lackd0g
12 Comments
 
LVL 4

Expert Comment

by:subsoniq
ID: 9593844
http://www.firedaemon.com/

It's a tool to run things as a service. The company I used to work at used it a few times and it seemed pretty useful.
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9593845
Nope

http://www.firedaemon.com/

Using MRTG by chance?
 

Author Comment

by:8lackd0g
ID: 9594042
I currently use Firedaemon on some machines out on the floor.  I have not installed the program on my Exchange Server.  I am not using MRTG.  I cannot even get the gui to start for the firedaemon program.  The .exe for firedaemon is located in c:\winnt\java\etc\etc folder.  Normally the firedaemon program is located in c:\programs\firedaemon.  I do not have that directory.  I scanned my system32 folder & it found a backdoor.trojan in a folder named "rocket".  I used my laptop with NAV to scan the system32 folder.  The Exchange server is running Trend ScanMail.
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594059
If it doesn't belong, get rid of it.

If you can't uninstall, this will work:
SRVINSTW.EXE

 
LVL 4

Accepted Solution

by:subsoniq (earned 100 total points)
ID: 9594102
Ouch, looks like someone backdoored your exchange server.  I would highly suggest building a new exchange server and moving mailboxes/public folders/functions to it and killing this one, but I'm especially paranoid about such things and would never trust that server again.
 

Author Comment

by:8lackd0g
ID: 9594274
I was not running a firewall until recently.  I started here a short time ago. Every time that a new virus came out, we got it until I put up the firewall.  I would like to keep this 5.5 beast running until end of life comes this December.  I thought that it might be a virus but I cannot find anything similar to this one.  I just stopped every service that is tied to firedaemon & email is still working properly. How can I find out what these services are used for?  Do you see any that would need to be running?  Normally if it is something that is required to run, NT should have taken care of it, right?  Firedaemon is typically used for 3rd party programs.  My processor on the Exchange seems to be cooling off now, finally.
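The question above ("how can I find out what these services are used for?") is the kind of triage that can be scripted. The following is an added example written for this thread; it is not code from the original post, from the experts, or from FireDaemon itself. It parses `sc qc`-style service definitions and flags three leads that match what the poster describes: a service whose binary is a generic "run anything as a service" wrapper (firedaemon.exe, srvany.exe), a binary that lives outside the directories where installed software normally sits, and one launcher binary shared by a whole cluster of services. The sample input is constructed to mirror the service names in the question, not captured from the poster's server; `TRUSTED_DIRS` is an assumed per-host list (NT 4 system root C:\WINNT, Program Files, and the Exchange 5.5 default install root C:\exchsrvr) that must be adjusted for the machine being examined.

```python
"""Triage Windows service definitions for rogue service-wrapper launchers.
Added example for this thread, not FireDaemon's own tooling. The sample
input below is CONSTRUCTED, not captured from the poster's server.
"""
import re
from collections import defaultdict

# Generic "run anything as a service" launchers. When one of these is the
# BINARY_PATH_NAME, the real payload lives in the wrapper's own config.
WRAPPERS = {"firedaemon.exe", "srvany.exe"}

# Assumption: where a legitimately installed service binary is expected on
# this host (NT 4 system root, Program Files, Exchange 5.5 default root).
TRUSTED_DIRS = (r"c:\winnt\system32", r"c:\program files", r"c:\exchsrvr")

# Threshold for the "many services share one launcher binary" lead.
SHARED_LAUNCHER_MIN = 3

def _sc_qc_block(name, path):
    """Build one record in `sc qc` output format (constructed sample data)."""
    return "\n".join([
        f"SERVICE_NAME: {name}",
        "        TYPE               : 10  WIN32_OWN_PROCESS",
        "        START_TYPE         : 2   AUTO_START",
        "        ERROR_CONTROL      : 1   NORMAL",
        f"        BINARY_PATH_NAME   : {path}",
        f"        DISPLAY_NAME       : {name}",
        "        SERVICE_START_NAME : LocalSystem",
        "",
    ])

# Service names from the question plus two ordinary services for contrast.
ROGUE_NAMES = ["winsys", "drvisys", "printer", "runbatch", "system", "winserv"]
SAMPLE_SC_QC = "\n".join(
    [_sc_qc_block(n, r"C:\WINNT\java\etc\etc\firedaemon.exe") for n in ROGUE_NAMES]
    + [_sc_qc_block("MSExchangeIS", r"C:\exchsrvr\bin\store.exe"),
       _sc_qc_block("Spooler", r"C:\WINNT\system32\spoolss.exe")]
)

def parse_sc_qc(text):
    """Return {service_name: {FIELD: value}} from concatenated `sc qc` output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m and current is not None:
            services[current][m.group(1)] = m.group(2).strip()
    return services

def binary_path(path_name):
    """Extract the executable from BINARY_PATH_NAME, dropping quotes/arguments."""
    m = re.match(r'^\s*"?(.*?\.exe)"?', path_name, re.IGNORECASE)
    return m.group(1) if m else path_name.strip().split(" ")[0]

def triage(services):
    """Return {service_name: [finding, ...]} for services worth a closer look."""
    findings = defaultdict(list)
    users_of = defaultdict(list)          # launcher exe -> services using it
    for name, cfg in services.items():
        exe = binary_path(cfg.get("BINARY_PATH_NAME", ""))
        low = exe.lower()
        users_of[low].append(name)
        if low.rsplit("\\", 1)[-1] in WRAPPERS:
            findings[name].append(
                f"launched through service wrapper {exe}; inspect the wrapper's "
                f"config for the real program it runs")
        if low and not low.startswith(TRUSTED_DIRS):
            findings[name].append(f"binary outside trusted directories: {exe}")
    for exe, names in users_of.items():
        if len(names) >= SHARED_LAUNCHER_MIN:
            for n in names:
                others = sorted(set(names) - {n})
                findings[n].append(
                    f"shares launcher {exe} with {len(others)} other services: "
                    + ", ".join(others))
    return dict(findings)

def report(text):
    """One line per finding, sorted by service name."""
    lines = []
    for name, notes in sorted(triage(parse_sc_qc(text)).items()):
        lines.extend(f"{name}: {note}" for note in notes)
    return lines

if __name__ == "__main__":
    # On a live host feed real output instead, e.g. `sc qc <name>` per service.
    print("\n".join(report(SAMPLE_SC_QC)))
```

The findings are leads, not verdicts: a legitimately deployed wrapper can also host several services, so the next step for anything flagged is to open the wrapper's own configuration and find the program it actually launches, then check that program's location, timestamps and hash. Once a service is confirmed rogue and stopped, `sc.exe delete <name>` removes the definition on current Windows builds; the SRVINSTW.EXE resource-kit tool mentioned above does the same job on NT 4.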
 
LVL 4

Expert Comment

by:subsoniq
ID: 9594300
Now you're getting into the world of computer forensics and incident response; you should go to the Windows Security section of experts-exchange.

http://www.experts-exchange.com/Security/Win_Security/
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594303
"I started here a short time ago"

That means your previous guy could have installed Firedaemon.

But if this box was wide open for a long time... who knows. Does it look like it's been turned into a "warez" server (low disk space)? FTP services would have to have been compromised (if running).
 

Author Comment

by:8lackd0g
ID: 9594444
The "last modified" tag on firedaemon.exe was after the previous IT had left.  I had a low disk space problem a while back but that was caused by the backup not flushing the committed logs for a couple of days.  Is there a way to transfer this thread to Win_Security or do I need to start a new one?
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9594452
new
 

Author Comment

by:8lackd0g
ID: 9594574
How do I end this thread?
 
LVL 4

Expert Comment

by:subsoniq
ID: 9594744
assign points.