-1

We have Tomcat 6 in the production server with Symantec Endpoint Protection on windows server 2008 server datacenter. Symantec showing following lines in logs

[SID: 27068] System Infected: Trojan.Naid Activity 2 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME4\TOMCAT 6.0\BIN\TOMCAT6.EXE

It is clearly showing system Infected. What is Trojan.Naid exactly? What could be exactly infected in our system? Whether Windows and Tomcat combination is dangerous in production servers?

Pawan Patil
  • 397
  • 3
  • 11
  • 1
    Possible duplicate of [How do I deal with a compromised server?](https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Philipp Oct 30 '18 at 09:09
  • That question don't have specific answer related to System Infected: Trojan.Naid Activity – Pawan Patil Oct 30 '18 at 09:11
  • Are you aware that anti-virus sites have pages that document what their findings mean? https://www.symantec.com/security-center/writeup/2012-061518-4639-99 – schroeder Oct 30 '18 at 20:20
  • 1
    The vendor provides the documentation you are looking for for `Trojan.Naid`. The alert tells you what is infected. Your question about whether Windows and Tomcat combination is dangerous is an odd question when [Tomcat 6 went end-of-life in 2016](https://tomcat.apache.org/tomcat-60-eol.html). Tomcat is not the problem, but the fact that you are using an out of support piece of software. Tomcat is now at 9.0. – schroeder Oct 30 '18 at 20:26

1 Answers1

1

From here:

Trojan.Naid is a Trojan horse that opens a back door on the compromised computer.

When the Trojan is executed, it creates the following files:

%UserProfile%\AppMgmt.dll %Windir%\Temp\uid.ax

The Trojan creates the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\"Start" = "2" HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\Parameters\"ServiceDll" = "%UserProfile%\AppMgmt.dll" HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\"Type" = "272" HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\"FailureActions" = "[BINARY DATA]"

The Trojan may create one of the following services so that it runs every time Windows starts:

AppMgmt BITS

The Trojan collects the following system information from the compromised computer:

domain name unique identifier (UID)

The Trojan utilises its own custom communications protocol to connect to the following IP address over port 443: 219.90.117.132

The Trojan then opens a back door on the compromised computer.

So you should inspect at least mentioned paths, keys and services.

But trojan could be modified, so I'd also recommend to inspect network connections using netstat or Process Monitor and other tools from Sysinternals Suite.

odo
  • 692
  • 4
  • 6