Solved

Click or Impression Fraud - Akamai - Deploy.AkamaiTechnologies.Net - Help Needed

Posted on 2006-10-30
3
2,940 Views
Last Modified: 2012-06-27
We have a client who's machine (server, windows 2000 SBS) is used in Click or Impression Fraud. We have contacted some sites involved and all suspicions seem to be more than just suspicions.

What I need to know is how to stop the intruders?  ???  ??? ?? ?? ? ??? ?? ?? ??? ?  How to remove the infected files, and which ones?

The intrusions apparently coming from: deploy.akamaitechnologies.net

IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7918      203-206-163-6.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7920      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7921      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED

I am not sure if the above is the proof of the intruder's connection, but these are the suspicious connections...

Once they connect, the proxy is flat out, the internet connection goes to a grinding hault and at the same time I find these entries:


W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7405      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7428      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7557      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7406      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7407      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7558      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      211.219.24.24:2933      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      211.219.24.24:3140      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6931      219.117.211.155:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6854      219.118.71.36:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      219.82.163.180:2502      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      220.163.26.127:3417      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7134      221.253.232.218:http      ESTABLISHED      
inetinfo.exe:2120      TCP      sbserver.sbs.local:7394      4.79.181.135:smtp      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7035      62.67.235.142:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7127      66.102.15.100:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7228      66.98.134.26:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7559      66.98.180.26:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6905      69.64.176.165:http      ESTABLISHED      
LogMeIn.exe:1492      TCP      sbserver.sbs.local:6897      72.5.77.149:https      ESTABLISHED      
SERVICES.EXE:336      TCP      sbserver.sbs.local:netbios-ssn      accounts01:1030      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7497      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7563      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7564      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7181      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7266      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7269      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7275      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7277      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7279      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7505      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7515      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7528      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1675      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1717      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1887      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:3669      ESTABLISHED

I have searched through the system drive, run different adware and spyware removal programs, but can't find anything. Since I am monitoring the server, I can see them sometimes connecting and a minute later disappearing but I cant see any suspicious programs running.

So what do these guys install? How do I remove it?

TIA,

Tom      
0
Comment
Question by:tom_szabo
3 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 17849310
Akamai is a caching service mainly, storing things like images, banners, video etc... They have an enourmous amount of bandwidth and just about all the big .com's and more use them to keep load off their own servers. What leads you to believe click fraud is occurring on this client? Have you use Ad-Aware, McAfee, SpyBot, HiJackThis to see if you have an infection or "bot" installed on this client?
If the click fraud is against your own site, report it to the click service ... if they don't know already. If it's your own click service you may think about adopting a 3rd parties...
https://adwords.google.com/support/bin/answer.py?answer=44008
-rich

0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question