Solved

Recycle Bin Has been Hacked!

Posted on 2004-08-03
Medium Priority
1,004 Views
Last Modified: 2011-10-03
I am embarrassed to say that someone has hacked my server. The server OS is Win2k and it is running IIS 5.0, SQL 7.0, Serv-U 3.0, and BlackICE Firewall. The server has all patches applied on a regular basis; however, the IIS Lockdown tool has not been run on this server. The problem is that there is about 15GB worth of warez in the Recycler folder with the following directory structure: aux - lol - 06 - all - off - lamer - com1 - und - stealer - prn. I have checked all user permissions in Serv-U and none of them have access to anything but the appropriate folders. I have locked down all ports in the firewall except 20, 21, 80, and 443. Where should I start to close the vulnerability in this system? Are there any security tools that could help to diagnose security openings?

Thanks
Question by:brennon
13 Comments
 
LVL 32

Expert Comment

by:LucF
ID: 11708348
Hi brennon,

Check your IIS logfiles, which you can find at %windir%\System32\LogFiles by default.
There you'll have some folders, look around in those folders for the logfiles, see if you can find anything strange in there. Could be all kinds of things, things like a high amount of blocked attempts from the same IP address might mean something.
Look around the time this first started happening.

At this moment, you most likely have a backdoor on your system, so you'll have to start doing a full virus scan (use an online scanner like http://housecall.antivirus.com to start with). See if any ports are open other than those you mentioned, using Symantec's security scanner or such: http://security.symantec.com/

Greetings,

LucF
 
LVL 3

Expert Comment

by:andrey_2007
ID: 11708501
Regarding the second part of your question, there are plenty of tools that can scan your server and give you a list of all the security openings. One of the better ones for Windows is Retina by eEye. I am a security consultant and I have Retina; if you want, I could scan your server for you. It'll take about 20 min.
 
LVL 1

Expert Comment

by:potuncle
ID: 11709835
Don't be embarrassed that someone hacked into your IIS server. There will always be security holes. If possible, swap it out with a Linux or OS X server. They are not perfect either, but are made much more secure much more easily.

Jason

Author Comment

by:brennon
ID: 11711616
I have run the Symantec security scanner on this system and I also ran Retina Security Scanner against it. The only weird thing I found was that port 456 was open. Port 456 is MACON - TCP, not real sure if this is relevant. I have also tested to see if my FTP was allowing anonymous access and it is not. Anyone know where to look next?

Thanks
 
LVL 32

Expert Comment

by:LucF
ID: 11712739
According to http://www.by-users.co.uk/faqs/security/which-port/ port 456 is used by a trojan named "Hackers Paradise".
What I could find on this trojan:

Hackers Paradise is a trojan from 1997. Hackers Paradise's client is able to do the features listed locally and remotely. This means you can use Hackers Paradise on your computer to find your RAS passwords or the client could be used to connect to a computer running the server and find the RAS passwords.  

The default name is "trojan.exe"; see if you have this running on your server.

LucF
 

Author Comment

by:brennon
ID: 11715559
I did a search of the entire server and could not find trojan.exe. I don't know where to go next with this; the server seems to be secure but obviously it is not. Any more suggestions?
 
LVL 32

Expert Comment

by:LucF
ID: 11715688
Please arm yourself with HijackThis:
http://aumha.org/downloads/hijackthis.exe

Put it in its own folder, not on the desktop or in a temporary folder, run it, click "scan" and then "save log". Post the contents of the logfile here (please mask your domain name, especially as everyone is able to see it).

LucF
 
LVL 3

Expert Comment

by:andrey_2007
ID: 11719314
Someone could have possibly used the RPC DCOM vulnerability on you. I'm pretty sure Win2k servers can't fully be patched. I would recommend getting Norton Personal Firewall. It blocks this threat. Also, I've heard of some serious vulnerabilities in BlackICE firewalls. You also may want to scan w/ some spyware removers such as Ad-Aware, Spybot, and Spysweeper. They have been known to remove trojans. I also would suggest running a vulnerability scanner such as Retina.
 
LVL 3

Expert Comment

by:fatlad
ID: 11720409
potuncle,
Great idea. I can see brennon thinking: "I have problems securing a system that is relatively restrictive in what I can do with it and has masses of commercial software to help me. I know, I will dump that and use an incredibly flexible system that can be configured in a myriad of different ways!"

Oh look, it's got a penguin on it, it must be secure!! The number of dodgy Linux setups I have seen, it beggars belief! lol at this http://www.theregister.co.uk/2004/05/04/bofh_2004_episode_14/
 

Author Comment

by:brennon
ID: 11731314
I ran Ad-Aware and came up with nothing. Here is the HijackThis log.

Logfile of HijackThis v1.98.1
Scan saved at 6:13:23 PM, on 8/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\bin\cfexec.exe
C:\CFUSION\bin\CFRDSService.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Serv-U\SERVUD~1.EXE
C:\PROGRA~1\Vircom\Radius\VPRWatch.exe
C:\PROGRA~1\Vircom\Radius\VPRRS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\bentaa\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Serv-U\ServUTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\TEMP\isplogß$.exe
C:\WINNT\TEMP\isplogß$.exe
C:\Documents and Settings\server1234\Desktop\hijackthis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ServUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/sa/common/common/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw3fd.law3.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nodomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C574B85-98FF-4E6C-9A56-C97197D6000F}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{A68B742C-0412-4B9A-9CCF-4455D831AB27}: NameServer = 172.16.1.253
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nodomain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nodomain.com
 
LVL 32

Accepted Solution

by:
LucF earned 1400 total points
ID: 11731391
Yep, this is the one bugging you:
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe

To get rid of this one, run HijackThis, tick the checkbox in front of that line and click "fix checked".
Then reboot the computer into safe mode and delete C:\winnt\system32\winsys.exe
Afterwards, boot normally again and check if the port is still open.

LucF
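As an added example (not part of the thread or of HijackThis itself), the following Python script applies LucF's reading of the log mechanically: it flags HKLM Run entries that are not on an allow-list and processes launched from %windir%\TEMP. The allow-list is a constructed one for brennon's server; the sample lines are copied from his HijackThis log above.

```python
"""Triage a HijackThis log the way LucF did by eye: report autorun entries
not on an allow-list and processes launched from a scratch directory.
Added example; sample lines from brennon's post, EXPECTED_RUN is constructed."""

EXPECTED_RUN = {"ServUTrayIcon", "vptray", "WinVNC"}  # constructed allow-list
SUSPECT_DIRS = ("c:\\winnt\\temp\\",)  # no server component belongs here
RUN_PREFIX = "O4 - HKLM\\..\\Run: ["

SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Serv-U\SERVUD~1.EXE
C:\WINNT\TEMP\isplogß$.exe
C:\WINNT\TEMP\isplogß$.exe

O4 - HKLM\..\Run: [ServUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe
"""

def run_entries(log_text):
    """Return (name, command) for every HKLM Run line in the O4 section."""
    found = []
    for line in log_text.splitlines():
        if line.startswith(RUN_PREFIX):
            name, _, command = line[len(RUN_PREFIX):].partition("] ")
            found.append((name, command.strip()))
    return found

def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    procs, in_block = [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line.strip():
            break  # blank line ends the process list
        elif in_block:
            procs.append(line.strip())
    return procs

def triage(log_text, expected_run=EXPECTED_RUN):
    """Unexpected autoruns first, then scratch-directory processes (deduplicated)."""
    findings = [f"unexpected Run entry [{n}] -> {c}"
                for n, c in run_entries(log_text) if n not in expected_run]
    findings += sorted({f"scratch-directory process: {p}"
                        for p in running_processes(log_text)
                        if p.lower().startswith(SUSPECT_DIRS)})
    return findings
```

On the log above, the script reports exactly the winsys.exe Run entry LucF pointed at, plus the isplogß$.exe image running out of C:\WINNT\TEMP that nobody in the thread commented on.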
 

Author Comment

by:brennon
ID: 11731965
I really appreciate all the help on this one.  The only thing bugging me now is that it appears that was a key logger, man oh man.

 
LVL 32

Expert Comment

by:LucF
ID: 11733197
Glad to help :)

Now, to finally clean up the mess, you'll have to consider changing all passwords (I know it's a lot of work, but better safe than sorry). Also look for strange credentials on your computer; if you find them, set them disabled, don't delete them. You might be able to track something down if they try to log in to it.

LucF