Solved

Recycle Bin Has been Hacked!

Posted on 2004-08-03
Last Modified: 2011-10-03
I am embarrassed to say that someone has hacked my server. The server OS is Win2k and it is running IIS 5.0, SQL 7.0, Serv-U 3.0, and BlackIce Firewall. The server has all patches applied on a regular basis; however, the IIS lockdown tool has not been run on this server. The problem is that there is about 15GB worth of warez in the Recycler folder with the following directory structure: aux - lol - 06 - all - off - lamer - com1 - und - stealer - prn. I have checked all user permissions in Serv-U and none of them have access to anything but the appropriate folders. I have locked down all ports in the firewall except 20, 21, 80, and 443. Where should I start to close the vulnerability in this system? Are there any security tools that could help to diagnose security openings?

Thanks
Question by:brennon
13 Comments
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11708348
Hi brennon,

Check your IIS logfiles, which you can find at %windir%\System32\LogFiles by default.
There you'll have some folders, look around in those folders for the logfiles, see if you can find anything strange in there. Could be all kinds of things, things like a high amount of blocked attempts from the same IP address might mean something.
Look around the time this first started happening.

At this moment, you most likely have a backdoor on your system, so you'll have to start by doing a full virus scan (use an online scanner like http://housecall.antivirus.com to start with). See if any ports are opened other than those you mentioned, using Symantec's security scanner or such: http://security.symantec.com/

Greetings,

LucF
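An added example of the log review LucF describes (it is not code from the thread): parse IIS 5.0 W3C extended logs from %windir%\System32\LogFiles using the #Fields header, restrict to the time window when the problem started, and list client IPs with an unusually high number and share of 4xx/5xx responses. The sample log lines, IP addresses and thresholds are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in IIS 5.0 W3C extended format (not a log from the server in question).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-07-28 02:11:05 192.0.2.10 - 10.0.0.5 80 GET /index.htm - 200 Mozilla/4.0
2004-07-28 02:11:09 192.0.2.10 - 10.0.0.5 80 GET /images/logo.gif - 200 Mozilla/4.0
2004-07-28 03:40:01 198.51.100.77 - 10.0.0.5 80 GET /scripts/a.dll - 404 -
2004-07-28 03:40:01 198.51.100.77 - 10.0.0.5 80 GET /scripts/b.dll - 404 -
2004-07-28 03:40:02 198.51.100.77 - 10.0.0.5 80 GET /scripts/c.dll - 404 -
2004-07-28 03:40:02 198.51.100.77 - 10.0.0.5 80 GET /cgi-bin/x.exe - 403 -
2004-07-28 03:40:03 198.51.100.77 - 10.0.0.5 80 GET /admin/ - 401 -
2004-07-28 03:40:04 198.51.100.77 - 10.0.0.5 80 GET /admin/ - 401 -
2004-07-28 03:40:05 198.51.100.77 - 10.0.0.5 80 POST /admin/ - 500 -
2004-07-28 09:15:30 192.0.2.10 - 10.0.0.5 80 GET /index.htm - 200 Mozilla/4.0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header.
    IIS emits a fresh #Fields line whenever the logged field set changes, so it is re-read."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # IIS writes '-' for empty values, so counts match
                yield dict(zip(fields, parts))

def suspicious_clients(text, start=None, end=None, min_errors=5, error_ratio=0.5):
    """Count per c-ip the total requests and 4xx/5xx responses inside [start, end]
    (None = unbounded); return {ip: (total, errors)} for clients over both thresholds."""
    stats = defaultdict(lambda: [0, 0])
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if (start and ts < start) or (end and ts > end):
            continue
        counts = stats[rec["c-ip"]]
        counts[0] += 1
        if rec["sc-status"][:1] in ("4", "5"):
            counts[1] += 1
    return {ip: (n, e) for ip, (n, e) in stats.items() if e >= min_errors and e / n >= error_ratio}
```

Point the same parser at the FTP service log folder (MSFTPSVC1) to apply the same per-IP view to failed logins.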
 
LVL 3

Expert Comment

by:andrey_2007
ID: 11708501
Regarding the second part of your question, there are plenty of tools that can scan your server and give you a list of all the security openings. One of the better ones for Windows is Retina by eEye. I am a security consultant and I have Retina; if you want, I could scan your server for you. It'll take about 20 min.
 
LVL 1

Expert Comment

by:potuncle
ID: 11709835
Don't be embarrassed that someone hacked into your IIS server. There will always be security holes. If possible, swap it out with a Linux or OS X server. They are not perfect either, but are made much more secure much more easily.

Jason
 

Author Comment

by:brennon
ID: 11711616
I have run the Symantec security scanner on this system and I also ran Retina Security Scanner against it. The only weird thing I found was that port 456 was open. Port 456 is MACON - TCP; not real sure if this is relevant. I have also tested to see if my FTP was allowing anonymous access and it is not. Anyone know where to look next?

Thanks
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11712739
According to http://www.by-users.co.uk/faqs/security/which-port/ port 456 is used by a trojan named "Hackers Paradise".
What I could find on this trojan:

Hackers Paradise is a trojan from 1997. Hackers Paradise's client is able to do the features listed locally and remotely. This means you can use Hackers Paradise on your computer to find your RAS passwords or the client could be used to connect to a computer running the server and find the RAS passwords.  

The default name is "trojan.exe"; see if you have this running on your server.

LucF
 

Author Comment

by:brennon
ID: 11715559
I did a search of the entire server and could not find trojan.exe. I don't know where to go next with this; the server seems to be secure but obviously it is not. Any more suggestions?
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11715688
Please arm yourself with hijackthis:
http://aumha.org/downloads/hijackthis.exe

Put it in its own folder, not on the desktop or in a temporary folder, run it, click "scan" and then "save log". Post the contents of the logfiles here (please mask your domain name, especially as everyone is able to see it).

LucF
 
LVL 3

Expert Comment

by:andrey_2007
ID: 11719314
Someone could have possibly used the RPC DCOM vulnerability on you. I'm pretty sure Win2k servers can't fully be patched. I would recommend getting Norton Personal Firewall. It blocks this threat. Also, I've heard of some serious vulnerabilities in BlackICE firewalls. You also may want to scan w/ some spyware removers such as Ad-Aware, Spybot, and Spysweeper. They have been known to remove trojans. I also would suggest running a vulnerability scanner such as Retina.
 
LVL 3

Expert Comment

by:fatlad
ID: 11720409
potuncle,
Great idea. I can see brennon thinking: "I have problems securing a system that is relatively restrictive in what I can do with it and has masses of commercial software to help me. I know, I will dump that and use an incredibly flexible system that can be configured in a myriad of different ways!"

Oh look, it's got a penguin on it, it must be secure!! The number of dodgy Linux setups I have seen, it beggars belief! lol at this: http://www.theregister.co.uk/2004/05/04/bofh_2004_episode_14/
 

Author Comment

by:brennon
ID: 11731314
I ran Ad-Aware and came up with nothing. Here is the HijackThis log.

Logfile of HijackThis v1.98.1
Scan saved at 6:13:23 PM, on 8/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\bin\cfexec.exe
C:\CFUSION\bin\CFRDSService.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Serv-U\SERVUD~1.EXE
C:\PROGRA~1\Vircom\Radius\VPRWatch.exe
C:\PROGRA~1\Vircom\Radius\VPRRS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\bentaa\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Serv-U\ServUTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\TEMP\isplogß$.exe
C:\WINNT\TEMP\isplogß$.exe
C:\Documents and Settings\server1234\Desktop\hijackthis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ServUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/sa/common/common/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw3fd.law3.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nodomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C574B85-98FF-4E6C-9A56-C97197D6000F}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{A68B742C-0412-4B9A-9CCF-4455D831AB27}: NameServer = 172.16.1.253
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nodomain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nodomain.com
 
LVL 32

Accepted Solution

by:Luc Franken (earned 350 total points)
ID: 11731391
Yep, this is the one bugging you:
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe

To get rid of this one, run HijackThis, tick the checkbox in front of that line and click "fix checked".
Then reboot the computer into safe mode and delete C:\winnt\system32\winsys.exe
Afterwards, boot normally again and check if the port is still open.

LucF
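As an added example that is not part of the thread, a small triage script over a HijackThis-style log: it flags processes running from a TEMP directory or with odd characters in the filename (like the isplogß$.exe lines in the log above) and O4 Run entries that launch a bare executable from the Windows directory rather than from Program Files (the winsys.exe line LucF picked out). The sample excerpt is constructed from the posted log and the KNOWN_SYSTEM baseline is a hypothetical placeholder.

```python
import re
# Constructed excerpt modeled on the HijackThis 1.98 log posted above (not the full log).
SAMPLE_HJT = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\TEMP\isplogß$.exe
C:\WINNT\TEMP\isplogß$.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [winsys.exe] C:\winnt\system32\winsys.exe
"""

# Hypothetical baseline of autostarts accepted from the Windows directory itself (build yours from a clean host).
KNOWN_SYSTEM = {"ctfmon.exe", "rundll32.exe"}
RUN_RE = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]*?\.exe)"?', re.I)

def iter_items(text):
    """Yield (kind, path): 'proc' for the Running processes section, 'o4' for Run-key entries."""
    section = None
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            section = "proc"
        elif not line.strip():
            section = None
        elif section == "proc":
            yield "proc", line.strip()
        elif line.startswith("O4 ") and (m := RUN_RE.match(line)):
            yield "o4", m.group("path")

def flag(kind, path):
    """Heuristic reasons an item deserves a closer look (empty list = nothing odd)."""
    reasons = []
    low = path.lower()
    parent, _, fname = low.rpartition("\\")
    if "\\temp\\" in low or low.startswith("%temp%"):
        reasons.append("runs from a TEMP directory")
    if not fname.isascii() or re.search(r"[$#@!~]", fname):
        reasons.append("odd characters in filename")
    # Third-party software autostarts from Program Files; a bare .exe in the Windows directory is checked against the baseline.
    if kind == "o4" and parent.endswith(("\\system32", "\\winnt", "\\windows")) and fname not in KNOWN_SYSTEM:
        reasons.append("bare executable in the Windows directory, not in the known-good list")
    return reasons

def triage(text):
    """Map each flagged path to its reasons; a process listed twice collapses onto one entry."""
    out = {}
    for kind, path in iter_items(text):
        reasons = flag(kind, path)
        if reasons and path not in out:
            out[path] = reasons
    return out
```

The output is a list of items to verify by hand (hashes, signatures, install dates), not a verdict.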
 

Author Comment

by:brennon
ID: 11731965
I really appreciate all the help on this one.  The only thing bugging me now is that it appears that was a key logger, man oh man.

 
LVL 32

Expert Comment

by:Luc Franken
ID: 11733197
Glad to help :)

Now, to finally clean up the mess, you'll have to consider changing all passwords (I know it's a lot of work, but better safe than sorry). Also look for strange credentials on your computer; if you find them, set them disabled, don't delete them. You might be able to track something down if they try to log in to it.

LucF