Hi all, I have a dedicated hosted server which I can access using RDP. This server runs IIS, MySQL and MS-DNS (secondary). Yesterday I logged on to the server and saw that it had been infected with Win32/Parite.B. I enabled email notifications and got this (among other infected files):

18/5/2007 19:13:48 ?? - AMON - File system monitor Threat Alert triggered on XXXXXXXXXXX: C:\Program Files\Eset\nod32.exe is infected with Win32/Parite.B virus.
18/5/2007 19:14:47 ?? - AMON - File system monitor Threat Alert triggered on XXXXXXXXXXX: C:\downloads\nentenst.exe is infected with Win32/Parite.B virus.

Of course NOD32 reported that the CRC was bad and AMON had stopped working. NOD32 was running all the time with automatic updates and had the latest signatures. The server is Windows 2003 and had automatic updates with automatic installation and restart if needed. The server is publicly exposed and there is no firewall to protect it. The server had to be reformatted and set up from scratch, as RDP access was dropped after a while (apparently it started infecting the Windows system files as well) and my provider couldn't do much after they cleaned the virus in safe mode, as in normal mode RDP would crash. What I suspect is that the virus was dropped because http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx wasn't installed on the server, as it should have been, since it was very recently released on Windows Update. So, can a virus be dropped using the above-mentioned DNS exploit without AMON being able to "catch it"? If yes, what can I do to avoid similar issues in the future, because I think that even a firewall wouldn't protect me in this case. If no, please check it
You should enable a firewall, but configure it well. Without a firewall, the server is like an open yard; nothing stops anybody. Check with an IT/network specialist on how to configure the firewall on the server. Ensure NOD32 is set to automatic update and is always running. W32 Parite.B is a very nasty infection.
I am not an expert / firewall expert; you should talk to such a person, who can really help. This is also a mystery for me; I also think AMON should have caught the virus earlier. Maybe someone else can give a more precise answer. Next time make sure AMON is configured better (for the server, the default configuration is fine).
I'm surprised an Eset moderator has not replied... You're probably best off emailing support[at]eset.com for a faster response/personal support, with a link to this thread in the email.
There could be several reasons for that:
1. outdated version of NOD32 at the time of infection
2. AMON disabled at the time of infection
3. detection for that Parite variant was added after the infection had taken place