
Solved

Recycle Bin Has been Hacked!

Posted on 2004-08-03
13
Medium Priority
1,007 Views
Last Modified: 2011-10-03
I am embarrassed to say that someone has hacked my server.  The server OS is Win2k and it is running IIS 5.0, SQL 7.0, Serv-U 3.0, and BlackIce Firewall.  The server has all patches applied on a regular basis, however the IIS lockdown tool has not been run on this server.  The problem is that there is about 15GB worth of warez in the Recycler Folder with the following directory structure aux - lol - 06 - all - off - lamer - com1 - und - stealer - prn.  I have checked all user permissions in SERV-U and none of them have access to anything but the appropriate folders.  I have locked down all ports in the firewall except 20, 21, 80, and 443.  Where should I start to close the vulnerability in this system?  Are there any security tools that could help to diagnose security openings?  

Thanks
0
Question by:brennon
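The folder chain named in the question (aux, com1, prn) is built from names that the Win32 namespace reserves for devices, which is why such trees are awkward to browse or delete with Explorer and cmd even though a server process can create them. The script below is an added example written for this annotation, not code from the thread or from any of the products named in it: it rebuilds that chain in a temporary directory on a non-Windows host as constructed sample input, then walks it and flags every directory whose name is a reserved device name or ends in a dot or space. The function names and the temp-directory layout are assumptions of the example.

```python
"""Flag directory names that Win32 tools cannot address normally (added example)."""
import os
import tempfile
from typing import List

# Device names the Win32 namespace reserves regardless of extension.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}


def is_reserved_name(name: str) -> bool:
    """True if Explorer/cmd would treat this name as a device or could not address it."""
    base = name.split(".")[0].upper()   # "aux.txt" is still AUX to Win32
    if base in RESERVED:
        return True
    # Win32 APIs silently strip trailing dots and spaces, so a name that keeps
    # them can only be reached through the \\?\ prefix or a non-Win32 client.
    return name != name.rstrip(". ")


def find_reserved_dirs(root: str) -> List[str]:
    """Walk root and return relative paths of directories with unaddressable names."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if is_reserved_name(d):
                hits.append(os.path.relpath(os.path.join(dirpath, d), root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Recreate the directory chain from the question in a temp dir (constructed input)."""
    root = tempfile.mkdtemp(prefix="recycler_")
    chain = ["aux", "lol", "06", "all", "off", "lamer", "com1", "und", "stealer", "prn"]
    os.makedirs(os.path.join(root, *chain))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path in find_reserved_dirs(sample_root):
        print("reserved or unaddressable directory name:", path)
```

Run against a real FTP root, a non-empty result is a useful first indicator that the share has been used as a drop, since ordinary users have no reason to create such names.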
13 Comments
 
LVL 32

Expert Comment

by:LucF
ID: 11708348
Hi brennon,

Check your IIS logfiles, which you can find at %windir%\System32\LogFiles by default.
There you'll have some folders, look around in those folders for the logfiles, see if you can find anything strange in there. Could be all kinds of things, things like a high amount of blocked attempts from the same IP address might mean something.
Look around the time this first started happening.

At this moment, you most likely have a backdoor on your system, so you'll have to start doing a full virus scan (use an online scanner like http://housecall.antivirus.com to start with). See if any ports are opened other than those you mentioned using Symantec's security scanner or such: http://security.symantec.com/

Greetings,

LucF
0
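The advice above is to read the IIS logs under %windir%\System32\LogFiles and look for unusual patterns such as many failed requests from one address. The script below is an added example for this thread, not code from the original answer: it parses the W3C extended format that IIS writes (the column layout comes from the `#Fields:` header line, so it also copes with the header being repeated when a log rolls over) and counts responses with status 400 or above per client IP. The sample log lines, IP addresses, paths and the threshold of 3 are constructed for the example.

```python
"""Summarise failed requests per client IP from IIS W3C extended log lines (added example)."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the W3C extended format IIS writes to %windir%\System32\LogFiles;
# the IPs, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-07-28 03:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-07-28 03:12:01 10.0.0.7 GET /default.htm 200
2004-07-28 03:12:05 192.0.2.44 GET /scripts/nosuch1.asp 404
2004-07-28 03:12:06 192.0.2.44 GET /scripts/nosuch2.asp 404
2004-07-28 03:12:06 192.0.2.44 GET /admin/ 403
2004-07-28 03:12:07 192.0.2.44 POST /upload.asp 500
2004-07-28 03:13:40 10.0.0.7 GET /missing.gif 404
"""


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields header names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header may be repeated when IIS rolls the log
            continue
        if not line or line.startswith("#"):
            continue                    # other directives and blank lines
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def failures_by_ip(log_text: str) -> Dict[str, int]:
    """Count responses with status >= 400 per client IP."""
    counts: Counter = Counter()
    for row in parse_w3c(log_text):
        if int(row["sc-status"]) >= 400:
            counts[row["c-ip"]] += 1
    return dict(counts)


def noisy_clients(log_text: str, threshold: int = 3) -> List[Tuple[str, int]]:
    """Client IPs at or above the failure threshold, busiest first."""
    return sorted(
        ((ip, n) for ip, n in failures_by_ip(log_text).items() if n >= threshold),
        key=lambda t: -t[1],
    )


if __name__ == "__main__":
    for ip, n in noisy_clients(SAMPLE_LOG):
        print(f"{ip}: {n} failed requests")
```

Pointing the same functions at the real log files for the days around when the warez first appeared narrows down which addresses were probing the server and when.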
 
LVL 3

Expert Comment

by:andrey_2007
ID: 11708501
Regarding the second part of your question, there are plenty of tools that can scan your server and give you a list of all the security openings. One of the better ones for Windows is Retina by eEye. I am a security consultant and I have Retina; if you want I could scan your server for you. It'll take about 20 min.
0
 
LVL 1

Expert Comment

by:potuncle
ID: 11709835
Don't be embarrassed that someone hacked into your IIS server. There will always be security holes. If possible swap it out with a Linux or OS X server. They are not perfect either, but are made much more secure much more easily.

Jason
0
 

Author Comment

by:brennon
ID: 11711616
I have run the Symantec security scanner on this system and I also ran Retina Security Scanner against it.  The only weird thing I found was that port 456 was open.  Port 456 is MACON - TCP, not real sure if this is relevant.  I have also tested to see if my FTP was allowing anonymous access and it is not.  Anyone know where to look next?

Thanks
0
 
LVL 32

Expert Comment

by:LucF
ID: 11712739
According to http://www.by-users.co.uk/faqs/security/which-port/ port 456 is used by a trojan named "Hackers Paradise"
What I could find on this trojan:

Hackers Paradise is a trojan from 1997. Hackers Paradise's client is able to do the features listed locally and remotely. This means you can use Hackers Paradise on your computer to find your RAS passwords or the client could be used to connect to a computer running the server and find the RAS passwords.  

The default name is "trojan.exe" see if you have this running on your server.

LucF
0
 

Author Comment

by:brennon
ID: 11715559
I did a search of the entire server and could not find trojan.exe.  I don't know where to go next with this, the server seems to be secure but obviously it is not.  Any more suggestions?
0
 
LVL 32

Expert Comment

by:LucF
ID: 11715688
Please arm yourself with hijackthis:
http://aumha.org/downloads/hijackthis.exe

Put it in its own folder, not on the desktop or in a temporary folder, run it, click "scan" and then "save log". Post the contents of the logfile here (please mask your domain name, especially as everyone is able to see it).

LucF
0
 
LVL 3

Expert Comment

by:andrey_2007
ID: 11719314
Someone could have possibly used the RPC DCOM vulnerability on you. I'm pretty sure Win2k servers can't fully be patched. I would recommend getting Norton Personal Firewall. It blocks this threat. Also, I've heard of some serious vulnerabilities in BlackICE firewalls. You also may want to scan w/ some spyware removers such as Ad-Aware, Spybot, and Spysweeper. They have been known to remove trojans. I also would suggest running a vulnerability scanner such as Retina.
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11720409
potuncle,
Great idea. I can see brennon thinking "I have problems securing a system that is relatively restrictive in what I can do with it and has masses of commercial software to help me. I know, I will dump that and use an incredibly flexible system that can be configured in a myriad of different ways!"

Oh look it's got a penguin on it, it must be secure!! The number of dodgy linux setups I have seen, it beggars belief! lol at this http://www.theregister.co.uk/2004/05/04/bofh_2004_episode_14/
0
 

Author Comment

by:brennon
ID: 11731314
I ran ad-aware and came up with nothing.  Here is the hi-jack this log.

Logfile of HijackThis v1.98.1
Scan saved at 6:13:23 PM, on 8/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\bin\cfexec.exe
C:\CFUSION\bin\CFRDSService.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Serv-U\SERVUD~1.EXE
C:\PROGRA~1\Vircom\Radius\VPRWatch.exe
C:\PROGRA~1\Vircom\Radius\VPRRS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\bentaa\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Serv-U\ServUTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\TEMP\isplogß$.exe
C:\WINNT\TEMP\isplogß$.exe
C:\Documents and Settings\server1234\Desktop\hijackthis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ServUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/sa/common/common/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw3fd.law3.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nodomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C574B85-98FF-4E6C-9A56-C97197D6000F}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{A68B742C-0412-4B9A-9CCF-4455D831AB27}: NameServer = 172.16.1.253
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nodomain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nodomain.com
0
 
LVL 32

Accepted Solution

by:
LucF earned 1400 total points
ID: 11731391
Yep, this is the one bugging you:
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe

To get rid of this one, run HijackThis, tick the checkbox in front of that line and click "fix checked".
Then reboot the computer into safe mode and delete C:\winnt\system32\winsys.exe
Afterwards, boot normally again and check if the port is still open.

LucF
0
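The accepted answer picks out one O4 Run entry from the log by eye; the same log also shows a process running twice from C:\WINNT\TEMP with a non-ASCII character in its name. The script below is an added example written for this annotation, not code from LucF or from HijackThis itself: it parses the "Running processes" section and the O4 autorun lines of a HijackThis-style log and flags entries that run from a temp directory, have unusual characters in the file name, or (a heuristic assumed here, not a rule from the thread) register an autorun whose value name is nothing more than the executable's file name, as `[winsys.exe]` does. The embedded log is a trimmed copy of the one posted above; the regular expressions and function names are assumptions of the example.

```python
"""Triage a HijackThis-style log for autoruns and processes worth a closer look (added example)."""
import re
from typing import List, Tuple

# Trimmed copy of the log posted in this thread, kept here as sample input.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.1
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\TEMP\isplogß$.exe
C:\Documents and Settings\server1234\Desktop\hijackthis.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
"""

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_ENTRY = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
EXE_PATH = re.compile(r'"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


def exe_from_command(cmd: str) -> str:
    """Strip quotes and arguments, leaving only the executable path."""
    m = EXE_PATH.search(cmd)
    return m.group("path") if m else cmd.strip()


def parse(log_text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running process paths, [(autorun value name, exe path)])."""
    processes: List[str] = []
    autoruns: List[Tuple[str, str]] = []
    in_procs = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # section ends at the first blank line
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        m = RUN_ENTRY.match(line) or STARTUP_ENTRY.match(line)
        if m:
            autoruns.append((m.group("name"), exe_from_command(m.group("cmd"))))
    return processes, autoruns


def suspicious_reasons(path: str, value_name: str = "") -> List[str]:
    """Heuristic checks on one executable path (and its autorun value name, if any)."""
    reasons = []
    fname = path.rsplit("\\", 1)[-1]
    if TEMP_DIR.search(path):
        reasons.append("runs from a temp directory")
    if not fname.isascii() or not re.fullmatch(r"[\w.\-~]+", fname):
        reasons.append("unusual characters in file name")
    if value_name and value_name.lower() == fname.lower():
        reasons.append("autorun value name is just the exe name")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Flagged (path, reasons) pairs: running processes first, then autoruns."""
    processes, autoruns = parse(log_text)
    hits = []
    for p in processes:
        reasons = suspicious_reasons(p)
        if reasons:
            hits.append((p, reasons))
    for name, path in autoruns:
        reasons = suspicious_reasons(path, name)
        if reasons:
            hits.append((path, reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

On the full log from the thread this flags the winsys.exe Run entry that the accepted answer identifies and, additionally, the C:\WINNT\TEMP executable in the process list, which is worth checking in the same safe-mode pass rather than only the registry entry.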
 

Author Comment

by:brennon
ID: 11731965
I really appreciate all the help on this one.  The only thing bugging me now is that it appears that was a key logger, man oh man.

0
 
LVL 32

Expert Comment

by:LucF
ID: 11733197
Glad to help :)

Now, to finally clean up the mess, you'll have to consider changing all passwords (I know it's a lot of work, but better safe than sorry). Also look for strange credentials on your computer; if you find them, set them disabled, don't delete them. You might be able to track something down if they try to log in to it.

LucF
0
