Click or Impression Fraud - Akamai - Deploy.AkamaiTechnologies.Net - Help Needed

Posted on 2006-10-30
Last Modified: 2012-06-27
We have a client whose machine (server, Windows 2000 SBS) is used in Click or Impression Fraud. We have contacted some sites involved and all suspicions seem to be more than just suspicions.

What I need to know is how to stop the intruders? How to remove the infected files, and which ones?

The intrusions apparently coming from: deploy.akamaitechnologies.net

IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7918      203-206-163-6.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7920      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7921      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED

I am not sure if the above is the proof of the intruder's connection, but these are the suspicious connections...

Once they connect, the proxy is flat out, the internet connection goes to a grinding halt and at the same time I find these entries:



I have searched through the system drive, run different adware and spyware removal programs, but can't find anything. Since I am monitoring the server, I can see them sometimes connecting and a minute later disappearing but I can't see any suspicious programs running.

So what do these guys install? How do I remove it?

TIA,

Tom      
Question by:tom_szabo
Accepted Solution

by: Rich Rumble (earned 2000 total points)
ID: 17849310
Akamai is a caching service mainly, storing things like images, banners, video etc... They have an enormous amount of bandwidth and just about all the big .com's and more use them to keep load off their own servers. What leads you to believe click fraud is occurring on this client? Have you used Ad-Aware, McAfee, SpyBot, HiJackThis to see if you have an infection or "bot" installed on this client?
If the click fraud is against your own site, report it to the click service ... if they don't know already. If it's your own click service you may think about adopting a 3rd party's...
https://adwords.google.com/support/bin/answer.py?answer=44008
-rich

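An added triage script (written for this page, not code from the asker, the answerer or Experts Exchange) that parses connection lines in the TCPView-style layout quoted in the question and, following the accepted answer's point that Akamai is a normal CDN destination, flags the process behaviour (a browser process holding outbound web sessions on a server, and proxy-port sessions arriving from non-LAN peers) rather than the destination hostname. The sample rows, the assumption that nobody browses interactively on the server, the assumption that 8080 is the proxy's listening port, and all function names are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout the question quotes (values are made up):
# process:pid  proto  local:port  remote:port  state
SAMPLE = """\
IEXPLORE.EXE:6400  TCP  sbserver.sbs.local:7918  203-206-163-6.deploy.akamaitechnologies.net:http  ESTABLISHED
IEXPLORE.EXE:6400  TCP  sbserver.sbs.local:7920  203-206-163-7.deploy.akamaitechnologies.net:http  ESTABLISHED
W3PROXY.EXE:4220   TCP  sbserver.sbs.local:8080  211.219.24.24:2933  ESTABLISHED
W3PROXY.EXE:4220   TCP  sbserver.sbs.local:8080  customer-reverse-entry.69.59.154.148:1675  ESTABLISHED
W3PROXY.EXE:4220   TCP  sbserver.sbs.local:8080  192.168.16.25:1031  ESTABLISHED
LogMeIn.exe:1492   TCP  sbserver.sbs.local:6897  72.5.77.149:https  ESTABLISHED
"""

LINE = re.compile(r"^(\S+):(\d+)\s+(?:TCP|UDP)\s+\S+:(\S+)\s+(\S+):(\S+)\s+\S+$")

def parse(text):  # one dict per connection line; lines that do not match are skipped
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            proc, pid, lport, rhost, rport = m.groups()
            rows.append({"proc": proc.lower(), "pid": int(pid),
                         "lport": lport, "rhost": rhost, "rport": rport})
    return rows

def is_lan_peer(host):  # private IP or bare NetBIOS-style name = LAN; anything else = outside
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host

# Assumptions (tune per site): no one browses interactively on the server, and
# 8080 is the proxy's listening port, so sessions with that local port are inbound clients.
BROWSER_PROCS = {"iexplore.exe"}
PROXY_LISTEN_PORTS = {"8080"}

def triage(rows):  # flag the process behaviour, not the CDN destination: Akamai hosts are normal
    findings, by_proc = [], defaultdict(list)
    for r in rows:
        by_proc[(r["proc"], r["pid"])].append(r)
    for (proc, pid), conns in by_proc.items():
        web = [c for c in conns if c["rport"] in ("http", "https", "80", "443")
               and c["lport"] not in PROXY_LISTEN_PORTS]
        if proc in BROWSER_PROCS and web:
            findings.append((proc, pid, "browser-outbound-web", len(web)))
        outside = sorted({c["rhost"] for c in conns
                          if c["lport"] in PROXY_LISTEN_PORTS and not is_lan_peer(c["rhost"])})
        if outside:
            findings.append((proc, pid, "proxy-client-from-outside", len(outside)))
    return findings
```

Each finding carries the PID, which is what to look up in the process list and on disk; a dotted hostname that is not an IP is treated as outside because it cannot be resolved offline.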