Security Scan has detected a Backdoors and trojan horses CVSS Temporal: 6.8 need guidance to mitigate the flaw

Posted on 2011-04-26
Medium Priority
Last Modified: 2012-05-11
Hi Experts,

We would appreciate some help on this one.

One of our Windows servers has been flagged with the following Category: Backdoors and trojan horses CVSS Temporal: 6.8 (please see more information below)

I was wondering if someone could help me out to narrow this down and provide a solution to fix this flaw. The server is MS Windows 2003 SP2, fully patched.

Any ideas?  


QID: 1004 CVSS Base: 7.5 [1]
Category: Backdoors and trojan horses CVSS Temporal: 6.8
Vendor Reference: -
Bugtraq ID: -
Service Modified: 06/04/2009
User Modified: -
Edited: No
There are known backdoors that use specific port numbers. At least one of these ports was found open on this host. This may indicate the presence of a backdoor;
however, it's also possible that this port is being used by a legitimate service, such as a Unix or Windows RPC.
If a backdoor is present on your system, then unauthorized users can log in to your system undetected, execute unauthorized commands, and leave the host
vulnerable to other unauthorized users. Malicious users may also use your host to access other hosts and perform a coordinated Denial of Service attack.
Some well-known backdoors are "BackOrifice", "Netbus" and "Netspy". You should be able to find more information on these backdoors on the CERT
Coordination Center's Web site (http://www.cert.org).
Call a security specialist and test the host for backdoors. If a backdoor is found, then the host may need to be re-installed.
Question by:llarava
LVL 11

Expert Comment

by:Kruno Džoić
ID: 35467247
Use a program called nmap (or a similar program) and scan the computer for open ports,

and scan with an antivirus program.
LVL 10

Expert Comment

ID: 35517253
What AV product are you using? Do you have a specific virus that was identified?

Author Comment

ID: 35517921
No virus. We are running SEP. We have an application from a third-party vendor that has a specific TCP port open. The result of the scan doesn't indicate the port.
LVL 10

Accepted Solution

pand0ra_usa earned 2000 total points
ID: 35517963
Do you know which application caused the violation? If so, do a "netstat -a -b" to show the ports the system is listening on. What is your goal here? Are you just trying to find the port the application is listening on?

To use nmap to show a list of open ports run the following command:

nmap -vv -sT -Pn -sV <ip address>   # TCP connect scan, skip host discovery (-Pn), probe service versions
nmap -vv -sS -Pn -sV <ip address>   # SYN scan; needs administrator / raw-socket privileges

Another application you may want to look at is called "Process Hacker". It is like the Windows Process Manager but on steroids. It can cycle through all of the PIDs to see if there are any hidden processes (probably not an issue for you though). It will also tell you what processes are listening on any specific TCP/UDP port.
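As an added example (not code from this thread or from any of the tools it mentions), the following Python script does the netstat-to-PID mapping the accepted answer describes, offline: it parses `netstat -a -n -o` output, keeps only listening sockets, and reports every port that is not on an allowlist, tagging the ones that match the default ports of backdoors named in the scan text. The sample netstat rows, the allowlist, and the 8443 placeholder for the vendor application's port (which the thread does not name) are all assumptions.

```python
from typing import Dict, List

# Constructed sample of Windows `netstat -a -n -o` output (not from the poster's server).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2244
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      10.0.0.5:51022         ESTABLISHED     1260
  UDP    0.0.0.0:31337          *:*                                    1988
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Assumed allowlist of ports this server should expose; 8443 is a placeholder
# for the third-party vendor application's port, which the thread does not name.
EXPECTED_PORTS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 3389),
                  ("TCP", 8443), ("UDP", 123)}

# Well-known default ports of two of the backdoors named in the scan text.
KNOWN_BACKDOOR_PORTS = {("UDP", 31337): "Back Orifice default port",
                        ("TCP", 12345): "NetBus default port",
                        ("TCP", 12346): "NetBus default port"}

def parse_listeners(text: str) -> List[Dict]:
    """One record per listening socket: TCP rows in LISTENING state plus every
    bound UDP row (UDP rows have no State column, so only four fields)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        proto, local, pid = fields[0], fields[1], int(fields[-1])
        if proto == "TCP" and fields[3] != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT rows are not listeners
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:port and [::]:port
        listeners.append({"proto": proto, "port": port, "pid": pid})
    return listeners

def triage(listeners: List[Dict]) -> List[Dict]:
    """Listeners not on the allowlist, tagged when they match a backdoor default."""
    findings = []
    for rec in listeners:
        key = (rec["proto"], rec["port"])
        if key in EXPECTED_PORTS:
            continue
        note = KNOWN_BACKDOOR_PORTS.get(key, "not on allowlist; identify the owning PID")
        findings.append({**rec, "note": note})
    return findings
```

Call `triage(parse_listeners(SAMPLE_NETSTAT))` to get the two unexplained listeners in the sample; on the real host, feed in the captured output of `netstat -a -n -o` and resolve each flagged PID with `netstat -b` or Process Hacker as the answer suggests.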

