Subject Fwd: InterBase Guardian
Author Ann W. Harrison
Hello all,

I got this in my mail this morning... Note that the names aren't quite
right (InterBase Server not ibserver). Mr. McGee says that's what he saw
and that he found nothing on the system with either a Borland or a Firebird
name attached. He has since removed the files but wonders if some Trojan
horse is using the InterBase name...

Thoughts?

Regards,


Ann


>From: "James McGee" <daddywolfe@...>
>To: <aharrison@...>
>Subject: InterBase Guardian
>Date: Sun, 8 Feb 2004 22:23:23 -0500
>X-Mailer: Microsoft Outlook Express 6.00.2800.1158
>
>Today, when I powered up my workstation, I discovered a new set of
>processes running, which I did not install. The first is InterBase
>Server, and the second is InterBase Guardian. I did not install these
>programs or any other software during the previous 24 hours prior to their
>appearance, so I am rather confused as to where they came from.
>Do you know of anything which would have installed them, from a website or
>such? And how are they removed, since I have not been able to locate an
>uninstall of any kind. My review shows the use of these processes, but as
>I have mysql with full access and administrator rights, and mysql is our
>primary server database program, I have no need for these.
>Thank you for your assistance,
>J

----- Original Message -----
From: "Ann W. Harrison" <aharrison@...>
To: "James McGee" <daddywolfe@...>
Sent: Monday, February 09, 2004 12:22 PM
Subject: Re: InterBase Guardian


That's odd. The normal names are IBGuardian and IBServer, but ...
You may find a folder under Program Files called Borland. Under
Borland you should find an InterBase directory containing the
uninstall information. You might look at those directories to
find a clue as to how they appeared. To the best of my knowledge,
Borland does not do automatic installations on random workstations,
though the database is distributed with Delphi.

Regards,


Ann



From: "James McGee" <daddywolfe@...>
To: "Ann W. Harrison" <aharrison@...>
Subject: Re: InterBase Guardian
Date: Mon, 9 Feb 2004 13:40:39 -0500
X-Mailer: Microsoft Outlook Express 6.00.2800.1158

Ann,

Thank you for your assistance on the problem. I did a few more checks and
did not find a Borland folder or any of the InterBase files. I ran a search
of the computer for any files which matched the ones in your install, and
was unable to locate them. I then traced the running processes back to some
keys in the registry and some files in the windows/system folder. I have
removed them, along with a scan of the entire system for anything related,
and found nothing. Thus I believe my system is clean. This is one of the
reasons I hate Windows and prefer Unix.
I would suggest that you have somebody start checking to see if one of the
hacker groups has started using your software name to hide a new trojan or
backdoor.
Sorry to be a bother, and take care.

James McGee