Solved

Click or Impression Fraud - Akamai - Deploy.AkamaiTechnologies.Net - Help Needed

Posted on 2006-10-30
3
2,761 Views
Last Modified: 2012-06-27
We have a client who's machine (server, windows 2000 SBS) is used in Click or Impression Fraud. We have contacted some sites involved and all suspicions seem to be more than just suspicions.

What I need to know is how to stop the intruders?  ???  ??? ?? ?? ? ??? ?? ?? ??? ?  How to remove the infected files, and which ones?

The intrusions apparently coming from: deploy.akamaitechnologies.net

IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7918      203-206-163-6.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7920      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7921      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED

I am not sure if the above is the proof of the intruder's connection, but these are the suspicious connections...

Once they connect, the proxy is flat out, the internet connection goes to a grinding hault and at the same time I find these entries:


W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7405      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7428      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7557      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7406      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7407      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7558      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      211.219.24.24:2933      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      211.219.24.24:3140      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6931      219.117.211.155:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6854      219.118.71.36:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      219.82.163.180:2502      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      220.163.26.127:3417      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7134      221.253.232.218:http      ESTABLISHED      
inetinfo.exe:2120      TCP      sbserver.sbs.local:7394      4.79.181.135:smtp      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7035      62.67.235.142:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7127      66.102.15.100:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7228      66.98.134.26:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7559      66.98.180.26:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6905      69.64.176.165:http      ESTABLISHED      
LogMeIn.exe:1492      TCP      sbserver.sbs.local:6897      72.5.77.149:https      ESTABLISHED      
SERVICES.EXE:336      TCP      sbserver.sbs.local:netbios-ssn      accounts01:1030      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7497      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7563      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7564      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7181      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7266      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7269      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7275      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7277      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7279      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7505      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7515      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7528      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1675      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1717      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1887      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:3669      ESTABLISHED

I have searched through the system drive, run different adware and spyware removal programs, but can't find anything. Since I am monitoring the server, I can see them sometimes connecting and a minute later disappearing but I cant see any suspicious programs running.

So what do these guys install? How do I remove it?

TIA,

Tom      
0
Comment
Question by:tom_szabo
3 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 17849310
Akamai is a caching service mainly, storing things like images, banners, video etc... They have an enourmous amount of bandwidth and just about all the big .com's and more use them to keep load off their own servers. What leads you to believe click fraud is occurring on this client? Have you use Ad-Aware, McAfee, SpyBot, HiJackThis to see if you have an infection or "bot" installed on this client?
If the click fraud is against your own site, report it to the click service ... if they don't know already. If it's your own click service you may think about adopting a 3rd parties...
https://adwords.google.com/support/bin/answer.py?answer=44008
-rich

0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now