brennon asked:
Recycle Bin Has been Hacked!

I am embarrassed to say that someone has hacked my server. The server OS is Win2k and it is running IIS 5.0, SQL 7.0, Serv-U 3.0, and BlackIce Firewall. The server has all patches applied on a regular basis; however, the IIS lockdown tool has not been run on this server. The problem is that there is about 15GB worth of warez in the Recycler folder, with the following directory structure: aux - lol - 06 - all - off - lamer - com1 - und - stealer - prn. I have checked all user permissions in Serv-U and none of them have access to anything but the appropriate folders. I have locked down all ports in the firewall except 20, 21, 80, and 443. Where should I start to close the vulnerability in this system? Are there any security tools that could help to diagnose security openings?

Thanks
Luc Franken

Hi brennon,

Check your IIS logfiles, which you can find at %windir%\System32\LogFiles by default.
There you'll have some folders; look around in those folders for the logfiles and see if you can find anything strange in there. It could be all kinds of things; for example, a high number of blocked attempts from the same IP address might mean something.
Look around the time this first started happening.

At this moment you most likely have a backdoor on your system, so you'll have to start by doing a full virus scan (use an online scanner like http://housecall.antivirus.com to start with). See if any ports are open other than those you mentioned, using Symantec's security scanner or similar: http://security.symantec.com/

Greetings,

LucF
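As an added example (not part of the thread), here is a small Python script that does the log check Luc describes: it reads IIS 5.0 W3C extended log lines, counts failed requests (401/403/404) per client IP, and records when each IP first showed up. The sample log is constructed for the example; field names follow the #Fields directive IIS writes.

```python
# Constructed IIS 5.0 W3C extended log excerpt (not a real log from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-01 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-08-01 00:00:01 10.0.0.5 - 192.0.2.10 80 GET /default.htm - 200 Mozilla/4.0+(compatible)
2004-08-01 00:00:02 198.51.100.7 - 192.0.2.10 80 GET /admin/ - 401 -
2004-08-01 00:00:03 198.51.100.7 - 192.0.2.10 80 GET /private/ - 403 -
2004-08-01 00:00:04 198.51.100.7 - 192.0.2.10 80 GET /backup/ - 404 -
2004-08-01 00:00:05 198.51.100.7 - 192.0.2.10 80 GET /upload/ - 404 -
2004-08-01 00:00:06 198.51.100.7 - 192.0.2.10 80 GET /old/ - 404 -
2004-08-01 00:00:07 10.0.0.5 - 192.0.2.10 80 GET /missing.gif - 404 -
2004-08-01 00:00:08 198.51.100.7 - 192.0.2.10 80 GET /test/ - 404 -
"""

def parse_w3c(lines):
    """Yield one dict per request; the #Fields directive defines the column names."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")  # IIS replaces spaces inside a field with '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def failures_by_ip(lines, statuses=("401", "403", "404")):
    """Map client IP -> (number of failed requests, timestamp of the first one)."""
    seen = {}
    for rec in parse_w3c(lines):
        if rec["sc-status"] in statuses:
            n, first = seen.get(rec["c-ip"], (0, f"{rec['date']} {rec['time']}"))
            seen[rec["c-ip"]] = (n + 1, first)
    return seen

def suspicious_ips(lines, threshold=5):
    """Client IPs with at least `threshold` failed requests, most active first."""
    stats = failures_by_ip(lines)
    return sorted((ip for ip, (n, _) in stats.items() if n >= threshold),
                  key=lambda ip: -stats[ip][0])
```

Run it against the ex*.log files under %windir%\System32\LogFiles\W3SVC1 (copied off the box) and start reading around the first timestamp of any IP that stands out.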
andrey_2007

Regarding the second part of your question, there are plenty of tools that can scan your server and give you a list of all the security openings. One of the better ones for Windows is Retina by eEye. I am a security consultant and I have Retina; if you want, I could scan your server for you. It'll take about 20 min.
Don't be embarrassed that someone hacked into your IIS server. There will always be security holes. If possible, swap it out with a Linux or OS X server. They are not perfect either, but are made much more secure much more easily.

Jason
brennon (asker):
I have run the Symantec security scanner on this system and I also ran Retina Security Scanner against it. The only weird thing I found was that port 456 was open. Port 456 is MACON - TCP; not really sure if this is relevant. I have also tested to see if my FTP was allowing anonymous access, and it is not. Anyone know where to look next?

Thanks
According to http://www.by-users.co.uk/faqs/security/which-port/ port 456 is used by a trojan named "Hackers Paradise".
What I could find on this trojan:

Hackers Paradise is a trojan from 1997. Hackers Paradise's client is able to do the features listed locally and remotely. This means you can use Hackers Paradise on your computer to find your RAS passwords, or the client could be used to connect to a computer running the server and find the RAS passwords.

The default name is "trojan.exe" see if you have this running on your server.

LucF
brennon (asker):
I did a search of the entire server and could not find trojan.exe. I don't know where to go next with this; the server seems to be secure, but obviously it is not. Any more suggestions?
Please arm yourself with hijackthis:
http://aumha.org/downloads/hijackthis.exe

Put it in its own folder, not on the desktop or in a temporary folder, run it, click "scan" and then "save log". Post the contents of the logfile here (please mask your domain name, especially as everyone is able to see it).

LucF
Someone could have possibly used the RPC DCOM vulnerability on you. I'm pretty sure Win2k servers can't fully be patched. I would recommend getting Norton Personal Firewall; it blocks this threat. Also, I've heard of some serious vulnerabilities in BlackICE firewalls. You also may want to scan with some spyware removers such as Ad-Aware, Spybot, and Spysweeper. They have been known to remove trojans. I would also suggest running a vulnerability scanner such as Retina.
potuncle,
Great idea. I can see brennon thinking "I have problems securing a system that is relatively restrictive in what I can do with it and has masses of commercial software to help me. I know, I will dump that and use an incredibly flexible system that can be configured in a myriad of different ways!"

Oh look it's got a penguin on it, it must be secure!! The number of dodgy linux setups I have seen, it beggars belief! lol at this http://www.theregister.co.uk/2004/05/04/bofh_2004_episode_14/
brennon (asker):

I ran Ad-Aware and came up with nothing. Here is the HijackThis log.

Logfile of HijackThis v1.98.1
Scan saved at 6:13:23 PM, on 8/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\bin\cfexec.exe
C:\CFUSION\bin\CFRDSService.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Serv-U\SERVUD~1.EXE
C:\PROGRA~1\Vircom\Radius\VPRWatch.exe
C:\PROGRA~1\Vircom\Radius\VPRRS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\bentaa\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Serv-U\ServUTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\TEMP\isplogß$.exe
C:\WINNT\TEMP\isplogß$.exe
C:\Documents and Settings\server1234\Desktop\hijackthis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ServUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/sa/common/common/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw3fd.law3.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nodomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C574B85-98FF-4E6C-9A56-C97197D6000F}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{A68B742C-0412-4B9A-9CCF-4455D831AB27}: NameServer = 172.16.1.253
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nodomain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nodomain.com
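As an added example (not part of the thread and not HijackThis itself), here is a Python triage helper for a log in this layout. It flags running processes and O4 autorun entries that run from a temp directory, have unusual characters in the file name, or are not on an admin-maintained allow-list of known autorun targets (that allow-list is an assumption), and it also spots path components that are reserved DOS device names, as in the Recycler tree from the first post. The log excerpt is constructed, modelled on the one posted above.

```python
import re

RESERVED = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}
# Assumption: an admin-maintained allow-list of autorun targets that belong to installed software.
KNOWN_AUTORUNS = {r"c:\program files\navnt\vptray.exe", r"c:\mssql7\binn\sqlmangr.exe"}

# Constructed excerpt in HijackThis 1.98 layout, modelled on the log posted above.
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\system32\\services.exe
C:\\WINNT\\TEMP\\isplog\u00df$.exe

O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O4 - HKLM\\..\\Run: [winsys.exe] C:\\winnt\\system32\\winsys.exe
O4 - Global Startup: Service Manager.lnk = C:\\MSSQL7\\Binn\\sqlmangr.exe
"""

def reserved_components(path):
    """Path parts that are reserved DOS device names (aux, com1, prn, ...)."""
    return [p for p in re.split(r"[\\/]+", path) if p.split(".")[0].lower() in RESERVED]

def path_findings(path):
    """Heuristics on one executable path; returns a list of reasons (empty = nothing odd)."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    reasons = []
    if any(p.lower() in ("temp", "tmp") for p in parts[:-1]):
        reasons.append("runs from a temp directory")
    if not re.fullmatch(r"[A-Za-z0-9._ ()-]+", parts[-1]):
        reasons.append("unusual characters in file name")
    if reserved_components(path):
        reasons.append("reserved device name in path")
    return reasons

def triage(log_text):
    """Return {target: [reasons]} for process and O4 autorun entries worth checking by hand."""
    suspects = {}
    for ln in (x.strip() for x in log_text.splitlines()):
        if ln.startswith("O4 - "):
            # Run keys look like "[name] target"; startup-folder items like "X.lnk = target".
            m = re.search(r"[\]=]\s*(.+)$", ln)
            target = m.group(1).strip().strip('"') if m else ln
            reasons = path_findings(target)
            if target.lower() not in KNOWN_AUTORUNS:
                reasons.append("autorun target not on the allow-list")
        elif re.match(r"[A-Za-z]:\\", ln):
            target, reasons = ln, path_findings(ln)
        else:
            continue
        if reasons:
            suspects[target] = reasons
    return suspects
```

Folders named after reserved devices (aux, com1, prn) cannot be opened or deleted through the normal Win32 path syntax, which is why they are popular for hiding dumps; they have to be addressed with the \\?\ prefix (for example `rd /s \\?\C:\Recycler\aux`).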
ASKER CERTIFIED SOLUTION
Luc Franken
brennon (asker):

I really appreciate all the help on this one. The only thing bugging me now is that it appears that it was a key logger, man oh man.

Glad to help :)

Now, to finally clean up the mess, you'll have to consider changing all passwords (I know it's a lot of work, but better safe than sorry). Also look for strange credentials on your computer; if you find them, disable them, don't delete them. You might be able to track something down if they try to log in to them.

LucF