Click or Impression Fraud - Akamai - Deploy.AkamaiTechnologies.Net - Help Needed

Posted on 2006-10-30
Last Modified: 2012-06-27
We have a client whose machine (server, Windows 2000 SBS) is used in Click or Impression Fraud. We have contacted some sites involved and all suspicions seem to be more than just suspicions.

What I need to know is how to stop the intruders. How do I remove the infected files, and which ones?

The intrusions are apparently coming from: deploy.akamaitechnologies.net

IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7918      203-206-163-6.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7920      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7921      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED

I am not sure if the above is the proof of the intruder's connection, but these are the suspicious connections...

Once they connect, the proxy is flat out, the internet connection comes to a grinding halt, and at the same time I find these entries:


W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7405      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7428      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7557      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7406      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7407      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7558      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      211.219.24.24:2933      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      211.219.24.24:3140      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6931      219.117.211.155:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6854      219.118.71.36:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      219.82.163.180:2502      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      220.163.26.127:3417      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7134      221.253.232.218:http      ESTABLISHED      
inetinfo.exe:2120      TCP      sbserver.sbs.local:7394      4.79.181.135:smtp      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7035      62.67.235.142:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7127      66.102.15.100:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7228      66.98.134.26:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7559      66.98.180.26:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6905      69.64.176.165:http      ESTABLISHED      
LogMeIn.exe:1492      TCP      sbserver.sbs.local:6897      72.5.77.149:https      ESTABLISHED      
SERVICES.EXE:336      TCP      sbserver.sbs.local:netbios-ssn      accounts01:1030      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7497      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7563      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7564      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7181      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7266      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7269      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7275      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7277      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7279      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7505      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7515      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7528      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1675      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1717      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1887      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:3669      ESTABLISHED

I have searched through the system drive and run different adware and spyware removal programs, but can't find anything. Since I am monitoring the server, I can see them sometimes connecting and a minute later disappearing, but I can't see any suspicious programs running.

So what do these guys install? How do I remove it?

TIA,

Tom      
Question by:tom_szabo
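A first triage step for a listing like the one in the post is to separate the connections that arrive at the proxy's own listening port from the connections the proxy (or IEXPLORE.EXE, inetinfo.exe) opens outbound: rows such as `sbserver.sbs.local:8080 <- 211.219.24.24:2933` are remote hosts talking to the proxy, while the akamaitechnologies.net and yieldmanager.com rows are the proxy fetching content on someone's behalf. The script below is an added example, not code from the post or from any tool named in it. It parses a TCPView/netstat-style dump (the sample is a constructed subset of the lines above), classifies each session, and lists every non-LAN address that has a session open to the proxy port. It assumes 8080 is the proxy's client-facing port and that `.sbs.local` is the LAN's DNS suffix; both are taken from the listing rather than from any configuration.

```python
# Added example (not from the post): triage a TCPView/netstat-style connection
# listing so that sessions arriving at the proxy's own listening port from
# outside the LAN stand out from the proxy's ordinary outbound fetches.
from collections import Counter
from ipaddress import ip_address

# Constructed sample: a subset of the lines from the listing in the post.
SAMPLE = """\
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7918      203-206-163-6.deploy.akamaitechnologies.net:http      ESTABLISHED
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7405      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      211.219.24.24:2933      ESTABLISHED
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      219.82.163.180:2502      ESTABLISHED
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7497      ad.chi.yieldmanager.com:http      ESTABLISHED
inetinfo.exe:2120      TCP      sbserver.sbs.local:7394      4.79.181.135:smtp      ESTABLISHED
SERVICES.EXE:336      TCP      sbserver.sbs.local:netbios-ssn      accounts01:1030      ESTABLISHED
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1675      ESTABLISHED
"""

# Assumptions: 8080 is the proxy's client-facing port (as seen in the listing)
# and .sbs.local is the DNS suffix of the client's LAN.
LISTEN_PORTS = {"8080"}
LOCAL_SUFFIX = ".sbs.local"


def parse_line(line):
    """Split one 'PROC:PID  PROTO  local:port  remote:port  STATE' line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    proc, pid = parts[0].rsplit(":", 1)
    lhost, lport = parts[2].rsplit(":", 1)
    rhost, rport = parts[3].rsplit(":", 1)
    return {"proc": proc, "pid": int(pid), "proto": parts[1],
            "lhost": lhost, "lport": lport,
            "rhost": rhost, "rport": rport, "state": parts[4]}


def is_local_peer(host):
    """LAN peer: RFC 1918 address, our DNS suffix, or an unqualified NetBIOS name."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return host.endswith(LOCAL_SUFFIX) or "." not in host


def classify(conn):
    """'inbound-*' when the local side is a listener (a known proxy port or a
    service name such as netbios-ssn); otherwise the process opened it outbound."""
    inbound = conn["lport"] in LISTEN_PORTS or not conn["lport"].isdigit()
    if not inbound:
        return "outbound"
    return "inbound-lan" if is_local_peer(conn["rhost"]) else "inbound-external"


def triage(text):
    """Summarise a listing: class counts, external proxy clients, outbound by process."""
    counts = Counter()
    external_clients = set()
    outbound_by_proc = Counter()
    for raw in text.splitlines():
        conn = parse_line(raw)
        if conn is None:
            continue
        kind = classify(conn)
        counts[kind] += 1
        if kind == "inbound-external":
            external_clients.add(conn["rhost"])
        elif kind == "outbound":
            outbound_by_proc[conn["proc"]] += 1
    return {"counts": dict(counts),
            "external_clients": sorted(external_clients),
            "outbound_by_proc": dict(outbound_by_proc)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for kind, n in sorted(report["counts"].items()):
        print(f"{kind:17} {n}")
    print("external clients of the proxy port:", ", ".join(report["external_clients"]))
    print("outbound sessions by process:", report["outbound_by_proc"])
```

Run it against a full `netstat -ano`-style capture (after dropping the header lines) and the `external_clients` list is the set of Internet addresses with sessions open to the proxy port; whether those are legitimate remote users or an exposed proxy listener is something to check against the proxy's listener and firewall configuration, not something the listing alone proves. Port names such as `http` and `netbios-ssn` come from the capturing tool's services lookup, which is why the classifier treats a non-numeric local port as a listener.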

Accepted Solution

by: Rich Rumble (ID: 17849310)
Akamai is a caching service mainly, storing things like images, banners, video etc... They have an enormous amount of bandwidth and just about all the big .coms and more use them to keep load off their own servers. What leads you to believe click fraud is occurring on this client? Have you used Ad-Aware, McAfee, SpyBot, HiJackThis to see if you have an infection or "bot" installed on this client?
If the click fraud is against your own site, report it to the click service ... if they don't know already. If it's your own click service you may think about adopting a 3rd party's...
https://adwords.google.com/support/bin/answer.py?answer=44008
-rich
