
SBS 2008 and Combofix


No replies to this topic

#1 LorenzoC


Posted 06 December 2011 - 09:21 AM

Have a client that is being blacklisted:
This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 84.163.183.212, with contents unique to Torpig C&C command protocols.

Torpig is a banking trojan, specializing in stealing personal information (passwords, account information, etc) from interactions with banking sites.

Torpig is normally dropped by Mebroot. Mebroot is a Rootkit that installs itself into the MBR (Master Boot Record).

With Mebroot or any other rootkit that installs itself into the MBR, you will either have to use a "MBR cleaner" or reformat the drive completely - even if you manage to remove Torpig, the MBR infection will cause it to be reinfected again.

The best way to find the machine responsible is to look for connections to the Torpig C&C server. This detection was made through a connection to 84.163.183.212, but this changes periodically. To find these infections, we suggest you search for TCP/IP connections in the following ranges:

I think and am a bit convinced it is the server, however, nothing is picking it up.

I know that combofix will if I run it.
Can I run combofix on an SBS2008 server that's running file services as well as exchange?

Thanks
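The blacklist notice quoted in the post says the way to find the responsible machine is to look for TCP/IP connections to the Torpig C&C address. The following is an added example (not code from the post, from BleepingComputer, or from any blacklist provider) of a small Python helper that parses the output of `netstat -ano` as it appears on a Windows/SBS host and flags connections whose foreign address falls inside a watchlist. The netstat output is constructed for the example; the watchlist holds only the 84.163.183.212 address named in the notice plus a clearly labelled placeholder network, because the post does not include the ranges the notice referred to. Run `netstat -ano` on each candidate machine and feed the captured text to `parse_netstat` to reproduce the check; the PID column then tells you which process to look at.

```python
import ipaddress
from collections import namedtuple

# Watchlist of C&C destinations. The first entry is the address named in the
# blacklist notice; the second is a PLACEHOLDER (documentation range) standing in
# for the ranges the notice referred to, which the post does not reproduce.
WATCHLIST = [
    ipaddress.ip_network("84.163.183.212/32"),
    ipaddress.ip_network("198.51.100.0/24"),  # PLACEHOLDER, not a real Torpig range
]

# Constructed sample of Windows `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.10:49321     84.163.183.212:443     ESTABLISHED     2712
  TCP    192.168.1.10:49322     93.184.216.34:80       ESTABLISHED     3120
  UDP    0.0.0.0:123            *:*                                    1056
"""

Conn = namedtuple("Conn", "proto local remote state pid")


def parse_netstat(text):
    """Parse `netstat -ano` output into Conn tuples.

    TCP rows carry a State column; UDP rows do not, so the PID is one
    field earlier. Header and blank lines are skipped.
    """
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        conns.append(Conn(proto, local, remote, state, pid))
    return conns


def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6host]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def flag_connections(conns, watchlist=WATCHLIST):
    """Return (pid, remote_ip, remote_port, state) for every connection whose
    foreign address lies inside one of the watchlist networks."""
    hits = []
    for conn in conns:
        host, port = split_endpoint(conn.remote)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' for unconnected UDP sockets, or anything unparsable
        if any(addr in net for net in watchlist):
            hits.append((conn.pid, str(addr), port, conn.state))
    return hits


if __name__ == "__main__":
    for pid, ip, port, state in flag_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {pid} -> {ip}:{port} ({state}) matches C&C watchlist")
```

The check is deliberately done on the foreign address rather than on process names, since the notice itself identifies the infection by its network destination; a hit on a server that is also the NAT gateway for the LAN only tells you the traffic passed through it, so the same check still has to be run on the internal hosts.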
