
iis security : Question - Virus Related.


KC
2/23/2005 4:12:33 PM
Hello All:

For the past several days, our virus software has found and deleted a
backdoor trojan which was destined for our webserver. This came from the
outside, not in, since no other clients on the network show any signs of
infections.

My question is this. How are these files being sent to the server? Is it
possible that they are coming in on port 80?
If not, how?

Thanks

KC


KC
2/23/2005 4:19:17 PM
SORRY - DUPLICATE POST

Miha Pihler [MVP]
2/24/2005 12:02:40 AM
It is possible (and very likely) that they are coming in over TCP port 80
(or UDP 53 -- used for DNS resolution).

Viruses will use ports that are likely to be opened (as mentioned TCP 80,
TCP 443, UDP 53, TCP 25, ...).

When I set up servers for my customers, I usually try to define rules on the
firewall that would prevent complete access to the internet from the servers
(but not the other way -- access from the internet to the server so that
visitors are able to access public websites). This way, I can prevent
administrators surfing the internet from the server and getting infected
from web sites (protects from viruses, spyware etc).
This doesn't prevent infection that would come from inside (e.g. internal
network)...

--
Mike
Microsoft MVP - Windows Security
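
The egress restriction described in the reply above can be checked against connection logs before it is enforced. The following is an added example, not part of the thread: it lists connections the server itself opened to destinations outside an allowlist, which are the ones a deny-outbound rule would stop. The server address, the allowlist, and the log lines are constructed (a space-separated layout with a `#Fields` header, the style Windows Firewall's log uses), and each record is assumed to describe one connection with `src-ip` as the initiator.

```python
import ipaddress

SERVER = ipaddress.ip_address("192.0.2.10")   # assumed web server address
# Assumed egress allowlist: (protocol, destination, port) the server legitimately needs.
ALLOWED_EGRESS = {("UDP", "192.0.2.53", 53)}  # assumed internal DNS resolver

# Constructed sample records; all addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2005-02-23 16:01:10 ALLOW TCP 198.51.100.7 192.0.2.10 40112 80 0
2005-02-23 16:01:12 ALLOW UDP 192.0.2.10 192.0.2.53 1030 53 0
2005-02-23 16:02:45 ALLOW TCP 192.0.2.10 203.0.113.99 1044 80 0
2005-02-23 16:03:01 ALLOW TCP 192.0.2.10 203.0.113.99 1045 6667 0
2005-02-23 16:03:30 DROP TCP 198.51.100.8 192.0.2.10 51000 445 0
"""

def parse(log_text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def server_initiated_egress(log_text, server=SERVER, allowed=ALLOWED_EGRESS):
    """Return permitted connections the server opened to non-allowlisted destinations."""
    findings = []
    for rec in parse(log_text):
        if rec["action"] != "ALLOW":
            continue  # already blocked by the firewall
        if ipaddress.ip_address(rec["src-ip"]) != server:
            continue  # inbound visitor traffic: expected for a public web server
        key = (rec["protocol"], rec["dst-ip"], int(rec["dst-port"]))
        if key not in allowed:
            findings.append(key)
    return findings

if __name__ == "__main__":
    for proto, dst, port in server_initiated_egress(SAMPLE_LOG):
        print(f"server-initiated {proto} to {dst}:{port} would be blocked by a deny-egress rule")
```

Each finding is either a legitimate dependency to add to the allowlist before the outbound rule goes in, or traffic the server should not be generating.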
