tom_szabo
asked on
Click or Impression Fraud - Akamai - Deploy.AkamaiTechnologies.Net - Help Needed
We have a client whose machine (server, Windows 2000 SBS) is used in Click or Impression Fraud. We have contacted some sites involved and all suspicions seem to be more than just suspicions.
What I need to know is how to stop the intruders? How to remove the infected files, and which ones?
The intrusions are apparently coming from: deploy.akamaitechnologies.net
IEXPLORE.EXE:6400 TCP sbserver.sbs.local:7918 203-206-163-6.deploy.akamaitechnologies.net:http ESTABLISHED
IEXPLORE.EXE:6400 TCP sbserver.sbs.local:7920 203-206-163-7.deploy.akamaitechnologies.net:http ESTABLISHED
IEXPLORE.EXE:6400 TCP sbserver.sbs.local:7921 203-206-163-7.deploy.akamaitechnologies.net:http ESTABLISHED
I am not sure if the above is the proof of the intruder's connection, but these are the suspicious connections...
Once they connect, the proxy is flat out, the internet connection goes to a grinding halt and at the same time I find these entries:
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7405 203-206-163-7.deploy.akamaitechnologies.net:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7428 203-206-163-7.deploy.akamaitechnologies.net:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7557 203-206-163-7.deploy.akamaitechnologies.net:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7406 203-206-163-8.deploy.akamaitechnologies.net:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7407 203-206-163-8.deploy.akamaitechnologies.net:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7558 203-206-163-8.deploy.akamaitechnologies.net:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 211.219.24.24:2933 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 211.219.24.24:3140 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:6931 219.117.211.155:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:6854 219.118.71.36:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 219.82.163.180:2502 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 220.163.26.127:3417 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7134 221.253.232.218:http ESTABLISHED
inetinfo.exe:2120 TCP sbserver.sbs.local:7394 4.79.181.135:smtp ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7035 62.67.235.142:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7127 66.102.15.100:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7228 66.98.134.26:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7559 66.98.180.26:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:6905 69.64.176.165:http ESTABLISHED
LogMeIn.exe:1492 TCP sbserver.sbs.local:6897 72.5.77.149:https ESTABLISHED
SERVICES.EXE:336 TCP sbserver.sbs.local:netbios-ssn accounts01:1030 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7497 ad.chi.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7563 ad.chi.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7564 ad.chi.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7181 ad.sj.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7266 ad.sj.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7269 ad.sj.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7275 ad.sj.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7277 ad.sj.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7279 ad.sj.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7505 ad.sj.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7515 ad.sj.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7528 ad.sj.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 customer-reverse-entry.69.59.154.148:1675 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 customer-reverse-entry.69.59.154.148:1717 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 customer-reverse-entry.69.59.154.148:1887 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 customer-reverse-entry.69.59.154.148:3669 ESTABLISHED
I have searched through the system drive, run different adware and spyware removal programs, but can't find anything. Since I am monitoring the server, I can see them sometimes connecting and a minute later disappearing but I can't see any suspicious programs running.
So what do these guys install? How do I remove it?
TIA,
Tom
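Added here as a worked example (not from the post or from Experts Exchange): a small Python triage script over netstat lines in the layout pasted above. It separates inbound sockets (a remote client on an ephemeral port hit one of the server's listeners) from outbound ones, so that external hosts using the proxy's listening port and non-proxy processes talking HTTP from a server stand out for the defender. The sample lines are constructed from the post, and the set of proxy listening ports is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the "process:pid proto local remote state" layout of the post (un-garbled).
SAMPLE = """\
IEXPLORE.EXE:6400 TCP sbserver.sbs.local:7918 203-206-163-6.deploy.akamaitechnologies.net:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7405 203-206-163-7.deploy.akamaitechnologies.net:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 211.219.24.24:2933 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 219.82.163.180:2502 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7497 ad.chi.yieldmanager.com:http ESTABLISHED
LogMeIn.exe:1492 TCP sbserver.sbs.local:6897 72.5.77.149:https ESTABLISHED
SERVICES.EXE:336 TCP sbserver.sbs.local:netbios-ssn accounts01:1030 ESTABLISHED
"""

LINE = re.compile(r"^(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<proto>\S+)\s+"
                  r"(?P<lhost>\S+):(?P<lport>\S+)\s+(?P<rhost>\S+):(?P<rport>\S+)\s+(?P<state>\S+)$")
LISTENERS = {"8080"}                      # assumption: the proxy's listening port(s)
WEB_PORTS = {"http", "https", "80", "443"}

def parse(text):
    """Parse netstat-style lines into dicts; lines not in the layout are skipped."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def is_internal(host):
    """Internal = bare NetBIOS name, .local name, or RFC 1918 address."""
    return ("." not in host or host.endswith(".local")
            or re.match(r"(10|192\.168|172\.(1[6-9]|2\d|3[01]))\.", host) is not None)

def triage(rows):
    """Inbound: remote end is a numeric (ephemeral) port and the local end is a listener.
    Flag external hosts on the proxy listener and non-proxy processes talking HTTP."""
    external_clients = Counter()              # remote host -> inbound proxy connections
    outbound = defaultdict(Counter)           # process -> remote host -> connections
    web_clients = set()
    for r in rows:
        inbound = r["rport"].isdigit() and (not r["lport"].isdigit() or r["lport"] in LISTENERS)
        if inbound:
            if not is_internal(r["rhost"]):
                external_clients[r["rhost"]] += 1
        else:
            outbound[r["proc"]][r["rhost"]] += 1
            if r["proc"] != "W3PROXY.EXE" and r["rport"] in WEB_PORTS:
                web_clients.add(r["proc"])
    return {"external_proxy_clients": dict(external_clients),
            "outbound": {p: dict(c) for p, c in outbound.items()},
            "web_clients": sorted(web_clients)}
```

Run `triage(parse(SAMPLE))` on the real netstat dump to get the list of outside addresses using the proxy listener (a sign the proxy is reachable from the internet) and the per-process destinations a browser on the server should not have.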