Solved

Click or Impression Fraud - Akamai - Deploy.AkamaiTechnologies.Net - Help Needed

Posted on 2006-10-30
Last Modified: 2012-06-27
We have a client whose machine (server, Windows 2000 SBS) is used in Click or Impression Fraud. We have contacted some sites involved and all suspicions seem to be more than just suspicions.

What I need to know is how to stop the intruders? How to remove the infected files, and which ones?

The intrusions are apparently coming from: deploy.akamaitechnologies.net

IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7918      203-206-163-6.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7920      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
IEXPLORE.EXE:6400      TCP      sbserver.sbs.local:7921      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED

I am not sure if the above is the proof of the intruder's connection, but these are the suspicious connections...

Once they connect, the proxy is flat out, the internet connection goes to a grinding halt and at the same time I find these entries:


W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7405      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7428      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7557      203-206-163-7.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7406      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7407      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7558      203-206-163-8.deploy.akamaitechnologies.net:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      211.219.24.24:2933      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      211.219.24.24:3140      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6931      219.117.211.155:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6854      219.118.71.36:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      219.82.163.180:2502      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      220.163.26.127:3417      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7134      221.253.232.218:http      ESTABLISHED      
inetinfo.exe:2120      TCP      sbserver.sbs.local:7394      4.79.181.135:smtp      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7035      62.67.235.142:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7127      66.102.15.100:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7228      66.98.134.26:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7559      66.98.180.26:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:6905      69.64.176.165:http      ESTABLISHED      
LogMeIn.exe:1492      TCP      sbserver.sbs.local:6897      72.5.77.149:https      ESTABLISHED      
SERVICES.EXE:336      TCP      sbserver.sbs.local:netbios-ssn      accounts01:1030      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7497      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7563      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7564      ad.chi.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7181      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7266      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7269      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7275      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7277      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7279      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7505      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7515      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:7528      ad.sj.yieldmanager.com:http      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1675      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1717      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:1887      ESTABLISHED      
W3PROXY.EXE:4220      TCP      sbserver.sbs.local:8080      customer-reverse-entry.69.59.154.148:3669      ESTABLISHED

I have searched through the system drive, run different adware and spyware removal programs, but can't find anything. Since I am monitoring the server, I can see them sometimes connecting and a minute later disappearing, but I can't see any suspicious programs running.

So what do these guys install? How do I remove it?

TIA,

Tom      
Question by:tom_szabo
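
One way to triage the listing above, added here as an example and not part of the original post: it separates connections the server opened outward from connections that remote hosts opened to a local service port, then counts the external clients of those ports. It assumes 8080 is the port W3PROXY.EXE listens on and that unqualified host names are LAN machines; the sample rows are copied from the listing.

```python
from collections import Counter

# Rows copied from the connection listing in the question above.
SAMPLE = """\
IEXPLORE.EXE:6400 TCP sbserver.sbs.local:7918 203-206-163-6.deploy.akamaitechnologies.net:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 211.219.24.24:2933 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 211.219.24.24:3140 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 219.82.163.180:2502 ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:7497 ad.chi.yieldmanager.com:http ESTABLISHED
W3PROXY.EXE:4220 TCP sbserver.sbs.local:8080 customer-reverse-entry.69.59.154.148:1675 ESTABLISHED
SERVICES.EXE:336 TCP sbserver.sbs.local:netbios-ssn accounts01:1030 ESTABLISHED
inetinfo.exe:2120 TCP sbserver.sbs.local:7394 4.79.181.135:smtp ESTABLISHED
"""

# Assumption: 8080 is the port W3PROXY.EXE listens on for proxy clients.
LISTENER_PORTS = {"8080"}

def parse(line):
    """Split one 'proc:pid proto local:port remote:port state' row."""
    proc_pid, proto, local, remote, state = line.split()
    proc, pid = proc_pid.rsplit(":", 1)
    lport = local.rsplit(":", 1)[1]
    rhost, rport = remote.rsplit(":", 1)
    return {"proc": proc, "pid": int(pid), "lport": lport,
            "rhost": rhost, "rport": rport, "state": state}

def direction(conn):
    """Inbound if the local end is a service port and the remote end is ephemeral."""
    local_is_service = conn["lport"] in LISTENER_PORTS or not conn["lport"].isdigit()
    remote_is_ephemeral = conn["rport"].isdigit()
    return "inbound" if local_is_service and remote_is_ephemeral else "outbound"

def inbound_clients(text, internal_suffixes=(".sbs.local",)):
    """Count inbound connections per (process, remote host), skipping LAN names."""
    hits = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        c = parse(line)
        # Assumption: unqualified names such as 'accounts01' are LAN hosts.
        is_lan = "." not in c["rhost"] or c["rhost"].endswith(internal_suffixes)
        if direction(c) == "inbound" and not is_lan:
            hits[(c["proc"], c["rhost"])] += 1
    return hits

if __name__ == "__main__":
    for (proc, host), n in inbound_clients(SAMPLE).most_common():
        print(f"{n:2d} inbound  {proc:<14} <- {host}")
```

Rows reported as inbound are external addresses acting as clients of the proxy port, which is worth checking against the proxy's access rules and the firewall's inbound policy.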

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 17849310
Akamai is a caching service mainly, storing things like images, banners, video etc... They have an enormous amount of bandwidth and just about all the big .com's and more use them to keep load off their own servers. What leads you to believe click fraud is occurring on this client? Have you used Ad-Aware, McAfee, SpyBot, HiJackThis to see if you have an infection or "bot" installed on this client?
If the click fraud is against your own site, report it to the click service ... if they don't know already. If it's your own click service you may think about adopting a 3rd party's...
https://adwords.google.com/support/bin/answer.py?answer=44008
-rich


Question has a verified solution.
