<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Thinking Lemur &#187; Antivirus</title>
	<atom:link href="http://thinkinglemur.com/index.php/category/thinking/windows/antivirus/feed/" rel="self" type="application/rss+xml" />
	<link>http://thinkinglemur.com</link>
	<description>from the mind of Donnie Bachan</description>
	<lastBuildDate>Sun, 11 Jul 2010 01:36:05 +0000</lastBuildDate>
	
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security is important!</title>
		<link>http://thinkinglemur.com/index.php/2009/01/security-is-important/</link>
		<comments>http://thinkinglemur.com/index.php/2009/01/security-is-important/#comments</comments>
		<pubDate>Fri, 30 Jan 2009 10:45:35 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[downandup]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=78</guid>
		<description><![CDATA[I am guilty of an unforgivable crime. I deployed an unsecured webserver and in IT that is THE ULTIMATE IN STUPIDITY! I am sorry and will not let it happen again. As a result the server was infected and became a zombie covertly attacking other servers. 
The machine was infected with the Downandup/Conficker trojan. This attacks [...]]]></description>
			<content:encoded><![CDATA[<p>I am guilty of an unforgivable crime. I deployed an unsecured webserver and in IT that is THE ULTIMATE IN STUPIDITY! I am sorry and will not let it happen again. As a result the server was infected and became a zombie covertly attacking other servers. </p>
<p>The machine was infected with the Downandup/Conficker trojan. It attacks unpatched Windows servers and deploys software that prevents the machine from visiting security-related websites and running security software. The software also disabled automatic updates on the server, which is a big deal! It was very difficult to remove. In the end, tools from McAfee, Norton and Microsoft got rid of the infection. See the list of software that was used to clean the machine below.</p>
<p>So here is a little information on securing a webserver on the cheap. Even though this is not the ideal solution, it will prevent all but the most determined attacks. All of these solutions are software based. I would recommend a hardware firewall but again, this is the el cheapo solution.</p>
<ul>
<li>Ensure that automatic updates are enabled and that the machine is currently updated with the latest OS patches.</li>
<li>Install a firewall. I&#8217;ve reviewed a few options but chose the Outpost Pro Firewall (<a href="http://www.agnitum.com/products/outpost/">http://www.agnitum.com/products/outpost/</a>), which was easy to set up, extremely intuitive, had a very good learning mode and was very affordable. It also includes an antispy and web protect component. The web component is used for web surfing; since this is a web server, no one should be browsing the net from this machine! One important configuration setting is to run the firewall in stealth mode, which makes it look like the computer simply isn&#8217;t there.</li>
<li>Install an antivirus program. This is optional in my opinion, if you are starting with a clean machine and have sufficiently protected it. However, it is a good idea to periodically run virus scans on the machine.</li>
</ul>
<div>These are very simple steps to help protect the machine, but they are by no means a perfect solution. Another thing that needs to be considered is web application security, which I will cover in another post. </div>
<p>A list of the software used to remove the infection:</p>
<ul>
<li>http://download.microsoft.com/download/4/A/A/4AA524C6-239D-47FF-860B-5B397199CBF8/windows-kb890830-v2.6.exe (Microsoft Malicious Software Removal Tool)</li>
<li><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99">http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99</a></li>
<li>CSI Prevx &#8211; This is a paid-for tool; however, it detects an EXE file related to the infection that the above tools did not detect. In the free mode you can detect the file and manually delete it once you have run the products listed above.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/01/security-is-important/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Computer Security: Learning about botnets</title>
		<link>http://thinkinglemur.com/index.php/2009/01/computer-security-learning-about-botnets/</link>
		<comments>http://thinkinglemur.com/index.php/2009/01/computer-security-learning-about-botnets/#comments</comments>
		<pubDate>Wed, 21 Jan 2009 15:21:50 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=76</guid>
		<description><![CDATA[TechRepublic had an interesting article on Botnets and Hosts file pharming. This is something that most people are unaware of while their computers are being silently used by remote attackers. 
http://blogs.techrepublic.com.com/security/?p=738&#38;tag=nl.e036
There are a few tools that I would recommend getting: Kaspersky Antivirus 2009, which is a pretty comprehensive threat protection suite.
]]></description>
			<content:encoded><![CDATA[<p>TechRepublic had an interesting article on Botnets and Hosts file pharming. This is something that most people are unaware of while their computers are being silently used by remote attackers. </p>
<p><a href="http://blogs.techrepublic.com.com/security/?p=738&amp;tag=nl.e036">http://blogs.techrepublic.com.com/security/?p=738&amp;tag=nl.e036</a></p>
<p>There are a few tools that I would recommend getting: Kaspersky Antivirus 2009, which is a pretty comprehensive threat protection suite.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/01/computer-security-learning-about-botnets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows XP Professional does not load explorer.exe</title>
		<link>http://thinkinglemur.com/index.php/2008/09/windows-xp-professional-does-not-load-explorerexe/</link>
		<comments>http://thinkinglemur.com/index.php/2008/09/windows-xp-professional-does-not-load-explorerexe/#comments</comments>
		<pubDate>Mon, 22 Sep 2008 21:49:35 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[windows virus removal sdfix xp malware trojan horse]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=44</guid>
		<description><![CDATA[As one of two technical people at my company I am one of the people who gets called on whenever there is a hardware or software issue of any kind. We have tried to school our users on the dangers of attachments and have implemented software to attempt to prevent viruses entering the network but [...]]]></description>
			<content:encoded><![CDATA[<p>As one of two technical people at my company I am one of the people who gets called on whenever there is a hardware or software issue of any kind. We have tried to school our users on the dangers of attachments and have implemented software to attempt to prevent viruses entering the network but sometimes they do slip through. Today I had a tough time diagnosing a problem with one of the machines running Windows XP Professional. </p>
<p>Initially, the computer was just very slow and started showing pop-ups, so I followed the tried and true method of cleaning using Spybot Search &amp; Destroy, AdAware and HiJack This!. After running these three programs and restarting, the desktop (i.e. explorer.exe) would not load at all, not even in Safe Mode. Needless to say, panic started to set in! We were running ClamWin on that specific machine and well, I hate to say this but, it is crap. It does not protect the computer actively and cannot remove many of the infections that were found on the system. So I put a proper antivirus program on there, Kaspersky 2009. This was able to find infections but could not remove a particularly troublesome one that was disguised as svchost.exe. So after browsing Google for a while I was able to find a reference to <a href="http://www.bleepingcomputer.com/forums/topic131299.html">SDFix.exe</a> which solved most of my problems. After downloading it and following the instructions, the desktop once again loaded and Kaspersky was able to destroy the other infections.</p>
<p>So I&#8217;m going to add SDFix to my arsenal of spyware removal tools and so should you!</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2008/09/windows-xp-professional-does-not-load-explorerexe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
