RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Adam Sando]

Whats a trogan?

Sounds like a mythical beast - a troll crossed between a ogre, with some
bogan mixed in ;)

My 2c worth: I would say take the server offline, identify whether it's
a real trojan or not, and follow removal instructions where applicable.
I would do my research before blowing the server away and starting
again, depending on how much time you have available to investigate.

Re-installation, depending on your server configuration, could be more
time consuming than just fixing the problem, however each server admin
has their own style - so I think weigh up the options and pick an
approach based on your constraints.

Regards,
Adam

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven Hartland
Sent: Tuesday, 15 August 2006 12:06 AM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] .NET, IIS, MS-SQL and dedicated servers

Good move NOT!!

If you have had a trogan you dont know what they have touched.
You remove the initial trogan and they may have installed any number of
things on timers to trigger on a certain action or time what ever.

Reinstall is the only way to be sure and its not like it takes long.
Wait and see is asking for trouble.

Steve
Edward Luna wrote:
> A bit drastic to go offline and reinstall from scratch... I'm not
> saying absolutely never, but it's not the first thing I'd do.  If the
> Trojan is removed... and no other intruders are detected via the
> appropriate scans... and all non-essential ports are closed... and the

> server is running fine; I'd wait and see.




This e.mail is private and confidential between Multiplay (UK) Ltd. and
the person or entity to whom it is addressed. In the event of
misdirection, the recipient is prohibited from using, copying, printing
or otherwise disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission
please telephone +44 845 868 1337 or return the E.mail to
[EMAIL PROTECTED]


___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Edward Luna]

You're getting paranoid Ripley.

-Original Message-
From: DLinkOZ [mailto:[EMAIL PROTECTED]
Sent: Monday, August 14, 2006 10:57 AM
To: hlds@list.valvesoftware.com
Subject: RE: [hlds] .NET, IIS, MS-SQL and dedicated servers


Ditto - nuke it from orbit, you have absolutely NO idea what someone has
or
has not done to the box.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven Hartland
Sent: Monday, August 14, 2006 9:36 AM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] .NET, IIS, MS-SQL and dedicated servers

Good move NOT!!

If you have had a trogan you dont know what they have touched.
You remove the initial trogan and they may have installed any number of
things on timers to trigger on a certain action or time what ever.

Reinstall is the only way to be sure and its not like it takes long.
Wait
and see is asking for trouble.

Steve
Edward Luna wrote:
> A bit drastic to go offline and reinstall from scratch... I'm not
> saying absolutely never, but it's not the first thing I'd do.  If the
> Trojan is removed... and no other intruders are detected via the
> appropriate scans... and all non-essential ports are closed... and the
> server is running fine; I'd wait and see.




This e.mail is private and confidential between Multiplay (UK) Ltd. and
the
person or entity to whom it is addressed. In the event of misdirection,
the
recipient is prohibited from using, copying, printing or otherwise
disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission
please
telephone +44 845 868 1337 or return the E.mail to
[EMAIL PROTECTED]


___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds




___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Edward Luna]

Agreed... that's why I said "and no other intruders are detected via the
appropriate scans..."

There are effective detection and removal packages available and should
be used with regularity.  Simply knee jerk reactions and a total
reinstall is overkill and seldom your only solution.  It may very well
be required, if all else fails but certainly not your only... or even
optimal, course of action.



-Original Message-
From: Steven Hartland [mailto:[EMAIL PROTECTED]
Sent: Monday, August 14, 2006 10:36 AM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] .NET, IIS, MS-SQL and dedicated servers


Good move NOT!!

If you have had a trogan you dont know what they have touched.
You remove the initial trogan and they may have installed any
number of things on timers to trigger on a certain action or
time what ever.

Reinstall is the only way to be sure and its not like it
takes long. Wait and see is asking for trouble.

Steve
Edward Luna wrote:
> A bit drastic to go offline and reinstall from scratch... I'm not
> saying
> absolutely never, but it's not the first thing I'd do.  If the Trojan
> is
> removed... and no other intruders are detected via the appropriate
> scans... and all non-essential ports are closed... and the server is
> running fine; I'd wait and see.




This e.mail is private and confidential between Multiplay (UK) Ltd. and
the person or entity to whom it is addressed. In the event of
misdirection, the recipient is prohibited from using, copying, printing
or otherwise disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission
please telephone +44 845 868 1337
or return the E.mail to [EMAIL PROTECTED]


___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[DLinkOZ]

Ditto - nuke it from orbit, you have absolutely NO idea what someone has or
has not done to the box.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven Hartland
Sent: Monday, August 14, 2006 9:36 AM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] .NET, IIS, MS-SQL and dedicated servers

Good move NOT!!

If you have had a trogan you dont know what they have touched.
You remove the initial trogan and they may have installed any number of
things on timers to trigger on a certain action or time what ever.

Reinstall is the only way to be sure and its not like it takes long. Wait
and see is asking for trouble.

Steve
Edward Luna wrote:
> A bit drastic to go offline and reinstall from scratch... I'm not
> saying absolutely never, but it's not the first thing I'd do.  If the
> Trojan is removed... and no other intruders are detected via the
> appropriate scans... and all non-essential ports are closed... and the
> server is running fine; I'd wait and see.




This e.mail is private and confidential between Multiplay (UK) Ltd. and the
person or entity to whom it is addressed. In the event of misdirection, the
recipient is prohibited from using, copying, printing or otherwise
disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission please
telephone +44 845 868 1337 or return the E.mail to
[EMAIL PROTECTED]


___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds




___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

Re: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Steven Hartland]

Good move NOT!!

If you have had a trogan you dont know what they have touched.
You remove the initial trogan and they may have installed any
number of things on timers to trigger on a certain action or
time what ever.

Reinstall is the only way to be sure and its not like it
takes long. Wait and see is asking for trouble.

   Steve
Edward Luna wrote:

A bit drastic to go offline and reinstall from scratch... I'm not
saying
absolutely never, but it's not the first thing I'd do.  If the Trojan
is
removed... and no other intruders are detected via the appropriate
scans... and all non-essential ports are closed... and the server is
running fine; I'd wait and see.





This e.mail is private and confidential between Multiplay (UK) Ltd. and the 
person or entity to whom it is addressed. In the event of misdirection, the 
recipient is prohibited from using, copying, printing or otherwise 
disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission please 
telephone +44 845 868 1337
or return the E.mail to [EMAIL PROTECTED]


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Edward Luna]

A bit drastic to go offline and reinstall from scratch... I'm not saying
absolutely never, but it's not the first thing I'd do.  If the Trojan is
removed... and no other intruders are detected via the appropriate
scans... and all non-essential ports are closed... and the server is
running fine; I'd wait and see.

-Original Message-
From: Steven Hartland [mailto:[EMAIL PROTECTED]
Sent: Monday, August 14, 2006 9:05 AM
To: hlds@list.valvesoftware.com
Subject: Re: [hlds] .NET, IIS, MS-SQL and dedicated servers


If you found a trogan dont mess around, take the box offline now
format and reinstall from scratch.

Steve
Valdimar Kristjánsson wrote:
> I found a trojan that I read was something that allowed remote admin
> on my server . I killed it but I don't know how long it's been there
or
> if someone has been doing something on my server.




This e.mail is private and confidential between Multiplay (UK) Ltd. and
the person or entity to whom it is addressed. In the event of
misdirection, the recipient is prohibited from using, copying, printing
or otherwise disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission
please telephone +44 845 868 1337
or return the E.mail to [EMAIL PROTECTED]


___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Edward Luna]

If I may... personal opinion... all ports should be closed to initial
connections from the outside unless you specifically require some to be
open in order to allow Internet access to a server you are running.  I
see no valid exceptions to this basic security policy.  If you have not
taken steps to close all non-essential ports they are probably open.

-Original Message-
From: Frazer [mailto:[EMAIL PROTECTED]
Sent: Monday, August 14, 2006 9:02 AM
To: hlds@list.valvesoftware.com
Subject: RE: [hlds] .NET, IIS, MS-SQL and dedicated servers


Well - this is a bit off-topic now but...

Almost all external inbound connections on port 1433 should be
considered
hostile.  UDP and TCP ports 1433 are used by MS SQL server and should be
blocked outside your network.  If you require MS SQL access, across the
public internet, you should consider some kind of VPN solution. There
are
several scanning worms and trojans which attempt to exploit this attack
surface.

I will send a note to your email address and we can continue this
discussion
off-list, if you like.


Frazer


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Valdimar
Kristjánsson
Sent: Monday, August 14, 2006 9:43 AM
To: hlds@list.valvesoftware.com
Subject: RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

Hi,

I managed to kill the faulty process.
It was a website statistics program that I installed a year ago.
I don't know why this started acting up now but when I killed it
everything
works ok.
Now I've contacted my host and they've opened access to port 27015 so if
you
could check whether you can see my server in Steam it would be greatly
appreciated.
212.247.101.20:27015

Another question regarding security:

What software are people using to detect break-ins and such on their
servers?
through netstat in cmd I found an IP connecting to my computer from
Russia
on port 1433. I think the port is closed but I'm not sure. Could this be
dangerous?
I found a trojan that I read was something that allowed remote admin on
my
server . I killed it but I don't know how long it's been there or if
someone
has been doing something on my server.

Any tips on securing a server running HL2?

Thanks,
   Valdimar Kristjánsson
[EMAIL PROTECTED]
http://www.eleanetwork.com
  mobile : 354-00-6932062

___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Edward Luna]

Server not responding on 08/14/2006 @ 10:15 am Eastern.

-Original Message-
From: Valdimar Kristjánsson [mailto:[EMAIL PROTECTED]
Sent: Monday, August 14, 2006 8:43 AM
To: hlds@list.valvesoftware.com
Subject: RE: [hlds] .NET, IIS, MS-SQL and dedicated servers


Hi,

I managed to kill the faulty process.
It was a website statistics program that I installed a year ago.
I don't know why this started acting up now but when I killed it
everything works ok.
Now I've contacted my host and they've opened access to port 27015 so
if you could check whether you can see my server in Steam it would be
greatly appreciated.
212.247.101.20:27015

Another question regarding security:

What software are people using to detect break-ins and such on their
servers?
through netstat in cmd I found an IP connecting to my computer from
Russia on port 1433. I think the port is closed but I'm not sure. Could
this be dangerous?
I found a trojan that I read was something that allowed remote admin on
my server . I killed it but I don't know how long it's been there or if
someone has been doing something on my server.

Any tips on securing a server running HL2?

Thanks,
   Valdimar Kristjánsson
[EMAIL PROTECTED]
http://www.eleanetwork.com
  mobile : 354-00-6932062

___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

Re: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Steven Hartland]

If you found a trogan dont mess around, take the box offline now
format and reinstall from scratch.

   Steve
Valdimar Kristjánsson wrote:

I found a trojan that I read was something that allowed remote admin
on my server . I killed it but I don't know how long it's been there or
if someone has been doing something on my server.





This e.mail is private and confidential between Multiplay (UK) Ltd. and the 
person or entity to whom it is addressed. In the event of misdirection, the 
recipient is prohibited from using, copying, printing or otherwise 
disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission please 
telephone +44 845 868 1337
or return the E.mail to [EMAIL PROTECTED]


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Frazer]

Well - this is a bit off-topic now but...

Almost all external inbound connections on port 1433 should be considered
hostile.  UDP and TCP ports 1433 are used by MS SQL server and should be
blocked outside your network.  If you require MS SQL access, across the
public internet, you should consider some kind of VPN solution. There are
several scanning worms and trojans which attempt to exploit this attack
surface.

I will send a note to your email address and we can continue this discussion
off-list, if you like.


Frazer


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Valdimar
Kristjánsson
Sent: Monday, August 14, 2006 9:43 AM
To: hlds@list.valvesoftware.com
Subject: RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

Hi,

I managed to kill the faulty process.
It was a website statistics program that I installed a year ago.
I don't know why this started acting up now but when I killed it everything
works ok.
Now I've contacted my host and they've opened access to port 27015 so if you
could check whether you can see my server in Steam it would be greatly
appreciated.
212.247.101.20:27015

Another question regarding security:

What software are people using to detect break-ins and such on their
servers?
through netstat in cmd I found an IP connecting to my computer from Russia
on port 1433. I think the port is closed but I'm not sure. Could this be
dangerous?
I found a trojan that I read was something that allowed remote admin on my
server . I killed it but I don't know how long it's been there or if someone
has been doing something on my server.

Any tips on securing a server running HL2?

Thanks,
   Valdimar Kristjánsson
[EMAIL PROTECTED]
http://www.eleanetwork.com
  mobile : 354-00-6932062

___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Valdimar Kristjánsson]

Hi,

I managed to kill the faulty process.
It was a website statistics program that I installed a year ago.
I don't know why this started acting up now but when I killed it
everything works ok.
Now I've contacted my host and they've opened access to port 27015 so
if you could check whether you can see my server in Steam it would be
greatly appreciated.
212.247.101.20:27015

Another question regarding security:

What software are people using to detect break-ins and such on their servers?
through netstat in cmd I found an IP connecting to my computer from
Russia on port 1433. I think the port is closed but I'm not sure. Could
this be dangerous?
I found a trojan that I read was something that allowed remote admin on
my server . I killed it but I don't know how long it's been there or if
someone has been doing something on my server.

Any tips on securing a server running HL2?

Thanks,
  Valdimar Kristjánsson
   [EMAIL PROTECTED]
http://www.eleanetwork.com
 mobile : 354-00-6932062

___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

Re: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Whisper]

--
[ Picked text/plain from multipart/alternative ]
Thank you,
Valdimar Kristjánsson, CTO
00 (+354) 693 2062_

What country code is 00?

On 8/14/06, Valdimar Kristjansson <[EMAIL PROTECTED]> wrote:
>
> Thanks Frazer,
>
> I found an entry in the registry as you described it.
> The ASP.NET tab (which is what I meant) is back.
> I'm still not able to get my main webpage (or the web services) to start
> in IIS.
>
> "The process can not be started because it's being used by another
> process" is a loose translation of the error message (the server OS is
> in Swedish much to my frustration since I don't speak Swedish).
>
> It seems that restarting the computer over and over again isn't working
> anymore.
> I found this article on the microsoft website:
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;813368 but I
> can't test it until I get a hold of my server hoster on monday.
>
>
> Valdimar Kristjánsson, CTO
> 00 (+354) 693 2062_
> [EMAIL PROTECTED] ; _www.eleanetwork.com_
> 
>
> This communication is solely intended for the addressee, it may be
> confidential and it is not for third party distribution.
>
> ___
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds
>
--

___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Valdimar Kristjansson]

Thanks Frazer,

I found an entry in the registry as you described it.
The ASP.NET tab (which is what I meant) is back.
I'm still not able to get my main webpage (or the web services) to start
in IIS.

"The process can not be started because it's being used by another
process" is a loose translation of the error message (the server OS is
in Swedish much to my frustration since I don't speak Swedish).

It seems that restarting the computer over and over again isn't working
anymore.
I found this article on the microsoft website:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;813368 but I
can't test it until I get a hold of my server hoster on monday.


Valdimar Kristjánsson, CTO
00 (+354) 693 2062_
[EMAIL PROTECTED] ; _www.eleanetwork.com_


This communication is solely intended for the addressee, it may be
confidential and it is not for third party distribution.

___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds

RE: [hlds] .NET, IIS, MS-SQL and dedicated servers

[Frazer]

I run all three just fine and as far as I know, there are no conflicts.

Do you mean "ASP tab" or "ASP.NET" tab?  There is an known (and poorly
publicized) issue when upgrading from earlier beta versions of the .Net
Framework 2.0, if the previous version is not uninstalled first.  This can
cause the ASP.NET tab to disappear in the IIS MMC.  I am not sure if this is
your problem. However, you might try this - no guarantees, of course (back
up your registry first!):

Check the following 3 keys:

HKEY_CLASSES_ROOT\CLSID\{7D23CCC6-A390-406E-AB67-2F8B7558F6F6}\InprocServer3
2
HKEY_CLASSES_ROOT\CLSID\{FD5CD8B1-6FE0-44F3-BBFB-65E3655B096E}
\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{FEDB2179-2335-48F0-AA28-5CDA35A2B36D}\InprocServer3
2

For each:

Expand InProcServer32, look for the presence of any 2.0.x.x (example
2.0.36.0) key and remove it.
DO NOT REMOVE the 2.0.0.0 keys

Restart IIS and close and reopen your MMC console.

Hope this helps,

Frazer

p.s.  thanks for trying ogsWatcher!




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Valdimar
Kristjansson
Sent: Sunday, August 13, 2006 4:57 PM
To: hlds@list.valvesoftware.com
Subject: [hlds] .NET, IIS, MS-SQL and dedicated servers

Hi,

I just set up a HL2DM server on my existing win2003 server which is running
MS-SQL server and, web page and a couple of .NET web services.
After setting up the server my web page refused to start and complained that
it was being used by another process (restarting 2x seems to fix this).
I then wanted to use ogsWatcher to start my server automatically and needed
to install .NET 2.0 but I was running .NET 2.0 beta before that.
After installing 2.0 the ASP tab disappeared from the IIS manager and the
shortcut to the IIS manager also disappeared from the administrative tools
folder (I can still start it through the Start->Run->inetmgr) Anyone else
having problems with the 2.0 version of .NET with IIS 6.0 ?
Is anyone running a source server alongside MS-SQL and IIS successfully?

Thank you,
Valdimar Kristjánsson, CTO
00 (+354) 693 2062_
[EMAIL PROTECTED] ; _www.eleanetwork.com_


This communication is solely intended for the addressee, it may be
confidential and it is not for third party distribution.

___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds