Solved

How the hell was my Win 2000 server machine hacked?

Posted on 2004-11-09
Last Modified: 2013-12-04
Hi, my name's Andy - I run www.loveandfriends.com (a UK dating site)

We have a spare server in our datacenter. ip= 217.199.164.143. Rebuilt this 2 weeks ago - formatted hard drive, Win2000 server, fully patched via Windows Update, Sophos Antivirus installed. Shut down all but essential ports (via properties on 'Local Area Connection').

We use IIS (so port 80 ok) , SMTP (port 25), SQL (1433),  pcAnywhere (5631, 5632)  and RADMIN (4899 for remote control)  
...all use strong passwords (so dictionary attack is out)

So absolutely 'pristine' and 'up to date'
THEN I put this on the internet.

2 days later I have a TROJAN on the machine (detected via Sophos) and believe hacker has control. Evidence =  Password changed on RADMIN plus stuff disabled.  

HOW???!!!

Please feel free to throw whatever you want (Hacker tool wise) at  217.199.164.143. It is just a test machine
Hack into it and tell me how it was done so I can protect myself

I'm really alarmed by this - did everything 'by the book' - and yet we're compromised. Really cannot figure how this machine was compromised.
OK we don't have an external firewall on this machine BUT using above precautions I'm amazed it was compromised so quickly.

nb for authentication of who I am please checkout
http://www.loveandfriends.com/testsecurity.asp 
http://217.199.164.143/testsecurity.asp 

...that way you know I'm not some hacker trying to use your expert knowledge to hack this machine.
(as if I was a hacker the above links demonstrate I already have control of these machines - so no point in making this posting)

Andy
+44 207 937 6263 (provided for authentication also ....our registered offices)

PS I realise Experts Exchange is not for people who want to learn hacking. I trust the moderators will accept this question as genuine given the authentication credentials I've supplied. I really want to get to the nitty-gritty of this ...not just general advice like 'maybe get a better firewall' (which I know anyway) ...hence the invitation to throw what you have at this machine
Question by:highlander_1969
15 Comments
 
LVL 6

Expert Comment

by:mrwebdev
ID: 12539423
Sorry to hear that; that sucks any way you look at it. Have you ever tried the IIS Lockdown tool?
Maybe this can help!

http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en

Sorry to hear that, hope you get your server working smoothly again soon, best wishes!
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12540588
Please see this....
http://www.microsoft.com/security/bulletins/200411_isa.mspx
Internet Security and Acceleration Server and Proxy Server Update for November 2004
 
LVL 8

Accepted Solution

by: anil_u (earned 900 total points)
ID: 12542304
After a quick scan on that IP, it seems port 445 is filtered - as in it may be open. You may want to look up the security issues behind this.

http://www.grc.com/port_445.htm

Author Comment

by:highlander_1969
ID: 12544039
anil_u thanks - I have gone to the "Shields Up" site (from browser on machine) and done a probe on port 445 (https://www.grc.com/x/portprobe=445). This shows the port is in 'Stealth' mode. All other ports (apart from those mentioned in my original posting - 25, 80, etc) are 'closed'.

Have attempted access to 217.199.164.143 via the 'PsExec' utility (mentioned in the link from your quoted article) ...it doesn't connect. I believe this is because I have disabled 'Microsoft Client' & 'File and Printer sharing' on this machine (TCP/IP is the only allowed protocol). So a straightforward hack using 'PsExec' on 217.199.164.143 is out I believe. Have also tried this from another machine in the datacenter LAN (just to make sure it wasn't our ISP filtering port 445). This also doesn't connect. 'PsExec' is quite a find - managed to connect to several machines in our office LAN this way - so this tool must be a boon to hackers. Just as well I always disable 'Microsoft Client' & 'File and Printer sharing' on webservers.

Given NETBIOS isn't installed on this webserver I wonder how come 445 is 'stealth' and everything else is closed. Is 'stealth' a good or a bad thing?
 

Author Comment

by:highlander_1969
ID: 12544076
mrwebdev - I will follow your link and get back to you

astaec - Having reviewed your link I believe the webserver does not have 'Proxy server' or 'Security and Acceleration server' ..just plain IIS
 

Author Comment

by:highlander_1969
ID: 12544217
Here is the output from the DOS command prompt command   netstat -an

I am afraid I am ignorant as to exactly what this means - i.e. if it shows any vulnerabilities
e.g. how come on the "Shields Up" scan it shows port 135 as closed but below netstat shows it as listening?

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1183           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1221           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1223           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1226           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2004           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2063           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2214           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:22222          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2049         127.0.0.1:445          TIME_WAIT
  TCP    127.0.0.1:2433         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING
  TCP    217.199.164.143:139    0.0.0.0:0              LISTENING
  TCP    217.199.164.143:1433   0.0.0.0:0              LISTENING
  TCP    217.199.164.143:1433   70.84.12.114:14903     CLOSE_WAIT
  TCP    217.199.164.143:1433   70.84.12.114:17879     CLOSE_WAIT
  TCP    217.199.164.143:1433   70.84.12.114:33870     CLOSE_WAIT
  TCP    217.199.164.143:1433   70.84.12.114:37886     CLOSE_WAIT
  TCP    217.199.164.143:2020   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2023   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2025   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2028   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2034   194.73.43.16:25        TIME_WAIT
  TCP    217.199.164.143:2035   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2038   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2042   193.22.244.7:25        TIME_WAIT
  TCP    217.199.164.143:2043   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2045   216.119.106.129:25     TIME_WAIT
  TCP    217.199.164.143:2046   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2050   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2054   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2058   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2060   217.199.171.5:53       TIME_WAIT
  TCP    217.199.164.143:2063   217.199.164.167:53     SYN_SENT
  TCP    217.199.164.143:2066   212.227.126.149:25     TIME_WAIT
  TCP    217.199.164.143:2433   0.0.0.0:0              LISTENING
  TCP    217.199.164.143:5631   217.35.83.80:33369     ESTABLISHED
  UDP    0.0.0.0:135            *:*                    
  UDP    0.0.0.0:445            *:*                    
  UDP    0.0.0.0:1100           *:*                    
  UDP    0.0.0.0:1184           *:*                    
  UDP    0.0.0.0:1284           *:*                    
  UDP    0.0.0.0:1288           *:*                    
  UDP    0.0.0.0:1434           *:*                    
  UDP    0.0.0.0:3456           *:*                    
  UDP    127.0.0.1:4693         *:*                    
  UDP    217.199.164.143:137    *:*                    
  UDP    217.199.164.143:138    *:*                    
  UDP    217.199.164.143:500    *:*                    
  UDP    217.199.164.143:5632   *:*    
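A small triage of netstat -an output along the lines the thread is discussing (which binds can actually be reached from the network, which are loopback-only, and which remote hosts hold connections), added here as an example and not part of the thread; the sample output, the host address and the EXPECTED service list are constructed.

```python
import re

# Constructed sample in the column layout of a Windows 2000 "netstat -an" (not the
# thread's real output; addresses are from the RFC 5737 documentation ranges).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:1433      198.51.100.7:14903     CLOSE_WAIT
  TCP    203.0.113.10:5631      198.51.100.9:33369     ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    203.0.113.10:137       *:*
"""

# Services the administrator intends to expose, as (protocol, port) - constructed list.
EXPECTED = {("TCP", 25), ("TCP", 80), ("TCP", 1433), ("TCP", 5631),
            ("TCP", 4899), ("UDP", 5632)}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Parse netstat -an rows; UDP rows carry no state, so state is None there."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                         "faddr": faddr, "fport": fport, "state": state})
    return rows

def triage(rows, expected, host_ip):
    """Sort sockets by reachability.  A bind to 0.0.0.0 or the host's own address
    answers on the wire (a remote scan calling it 'closed' means something in between
    filters it); a 127.0.0.1 bind cannot be reached from other hosts at all."""
    unexpected, loopback, peers = set(), set(), set()
    for r in rows:
        svc = (r["proto"], r["lport"])
        if r["state"] == "LISTENING" or r["proto"] == "UDP":   # a listening socket
            if r["laddr"] == "127.0.0.1":
                loopback.add(svc)
            elif svc not in expected:
                unexpected.add(svc)
        elif r["faddr"] not in ("0.0.0.0", "127.0.0.1", host_ip):
            peers.add(r["faddr"])   # remote host holding or finishing a connection
    return {"unexpected_listeners": unexpected, "loopback_only": loopback,
            "remote_peers": peers}
```

Run against the real output, the unexpected_listeners set is the list to reconcile against what the server is supposed to offer, and remote_peers is the list of addresses to check against the ISP, the office and known customers.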
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12544940
I'm not at my system today, but recall a similar issue a while ago here, and they found that this port had two other associated ports that could come into play.  If I find the link, will post.
 
LVL 27

Assisted Solution

by:Asta Cu
Asta Cu earned 600 total points
ID: 12544983
 
LVL 8

Expert Comment

by:anil_u
ID: 12553561
Hi Andy

Have you used lockdown on IIS, if not I suggest you do.
http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en

Webservers are the first things hackers look for, purely because a lot of companies have them, they are an easy way in, and exploits are being released on the net quicker than patches from Microsoft. (I would give you links to these exploits but EE may have an issue with this)
For this reason, no computer is really 100% hacker-proof; if they want to get in, they will.
What you have done is fine, just make sure it's updated with the latest patches, and use auditing to make sure only authenticated users are modifying files. Also use a firewall and monitor IPs and where they go on your server. Check the audits regularly etc.

For more info on your netstat results have a look at this tutorial
http://www.geocities.com/merijn_bellekom/new/netstatan.html

If I had to guess I would most definitely say that they got in through either IIS or pcAnywhere.
When scanning your IP, I am able to see what you have, and this is really bad. Get a firewall and configure it so that I cannot see what you have. If hackers can't see what you have, they wouldn't know what exploits to use to get into your system.

Hope that helps
Anil
 

Author Comment

by:highlander_1969
ID: 12558608
Thanks Anil_U ...points will be coming soon I believe (next week). My present thoughts are the bulk to you with some to the other guys. This was a difficult question to totally 'crack' ...I suppose it was wishful thinking that someone would go 'I've got control of your server through method X'

I have now used lockdown on replacement server.
nb it does many of the things I did manually anyway.

Interesting point about  firewall. At the moment I lockoff all extraneous ports BUT hackers know they're locked off - so can go hell for leather on 80 which is open.

nb how do I use 'auditing'?
..


 
LVL 8

Expert Comment

by:anil_u
ID: 12560896
If you want to get into your own system, download a packet analyser like ethereal
http://www.ethereal.com/
install it on a PC which is on the same subnet as your pcAnywhere PC, start to capture packets (promiscuous mode), and log on to pcAnywhere from a remote PC. The username and password packets will be captured as they go to the relevant sockets (IP and ports), and because pcAnywhere uses weak encryption, they can be decoded fairly easily.
For more info see
http://www.securityfocus.com/archive/88/54227
(read from the bottom upwards)

About auditing/monitoring etc, lookup IDS (intrusion detection systems)
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12561095
Not sure this is helpful to you, but perhaps it may add some insight.
The Microsoft Security Risk Self-Assessment for Midsize Organizations
http://securityguidance.com/
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12626378
Thank you, happy we could be of some help to you here.
Asta
 

Author Comment

by:highlander_1969
ID: 12626881
Thank you to all who contributed to this. I have learnt much more about security in the last couple of weeks from following links you have suggested.

Things learnt:
 
Netbios (uses port 445 even though I thought this port was disabled via TCP/IP LAN adaptor setting in Network Connections!) has many security issues - so I have actively disabled it

I am considering buying a Watchguard Firebox X1000 Firewall  ...amongst other things it has some ddos protection built in (for the worst case scenario of when hackers get hacked off with me)

Anti-virus programs do not detect all trojans. I have read many reviews and TDS-3 Trojan hunter program seems best - have now got this

Also have installed anti-spyware tool... Spybot - Search and Destroy

IIS lockdown - knew about this already - but it is a timely reminder to run this more than once as some components I use tamper with IIS settings on install

PCAnywhere also has options for higher strength encryption. I will use these

Have a great weekend guys!

Andy
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12627093
Thanks, Andy.  I've been very impressed with the use of a router with HW firewall, along with XP SP2 and all its protections as well as AdAware SE Pro (configured to do deep scanning, including archives and including the HOSTS file; and checking for cookies that aren't considered problems, but intrusionary anyway IMHO) and always keep it updated.  With the most current version of SE Pro comes AdWatch, which I also like.  Then with Spybot S&D, always keep it updated and use the Immunize function to block malware/spyware and malicious BHOs; and after updates, use the Immunize function as well to ensure I'm blocking all the uglies out there (and recommend that highly).  Needless to say, in any OS which has a System Restore function, always turn that off prior to doing cleanups so the problems aren't reintroduced.  Prior to running spyware cleanups, always keep current and updated Virus Definition files with a good Viruscan program and scan often.  These days, it really pays to be extra careful.  Unfortunately, the creative minds out here aren't always geared to 'helping' humanity.  Updated versions of HijackThis to run a log and analyze results for free here:
http://www.hijackthis.de/index.php?langselect=english
.... is a nice cross-check, in my humble opinion.
Best wishes to you,
":0) Asta
