Windows 2003 Server hacked.   How did they do it?  How to fix?

Posted on 2007-07-20
Last Modified: 2013-12-04
Someone is in my Windows 2003 Server.   It looks like they've uploaded about 20G of music files.  There are folders like Drum & Bass, Techno, Hip-Hop, Acid from the root directory.

Any idea how they got in, and how to fix this?

Thanks!
Bob


My HijackThis log is below:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:10:23 AM, on 7/20/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tcpsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\IIS Resources\DebugDiag\DbgSVC.Exe
C:\WINDOWS\System32\dns.exe
C:\Program Files\SWsoft\Plesk\DrWeb\drwebcom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MELSC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEMTA.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEPOC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEPOPS.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MESMTPC.EXE
C:\PROGRA~1\MICROS~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\SWsoft\Plesk\Databases\MSDE\MSSQL\Binn\sqlservr.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\terwain.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\WINDOWS\system32\wclntmgr.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Documents and Settings\rlsorrells\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xxx-xxx-xx-xx:9370/fpadmdll.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2099054881-618549740-4048128914-1004\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'psaadm')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - ESC Trusted Zone: http://www.eset.com
O15 - ESC Trusted Zone: http://www.grc.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://apache.cs.utah.edu
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72D26AB3-7FA3-4658-8DD1-7417923A9004}: NameServer = 216.55.144.5,216.55.128.7
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: DrWebCom - Doctor Web Ltd. - C:\Program Files\SWsoft\Plesk\DrWeb\drwebcom.exe
O23 - Service: Kaspersky Antivirus TM (kavsvc) - SWsoft, Inc - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable List Connector (MELCS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Persits Software EmailAgent - Persits Software, Inc. - C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
O23 - Service: PleskControlPanel - Apache Software Foundation - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
O23 - Service: Plesk Management Service (plesksrv) - SWsoft, Inc - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
O23 - Service: Plesk PopPass Service (PopPassD) - SWsoft, Inc - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe
O23 - Service: TCP/IP NetBIOS (TCP-IP) - Unknown owner - C:\WINDOWS\system32\tcpsrv.exe
O23 - Service: Terman WSM Server (Terman) - Unknown owner - C:\WINDOWS\system32\terwain.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe

--
End of file - 8360 bytes
Question by:rsorrells
13 Comments
 
LVL 9

Expert Comment

by:Brugh
ID: 19530487
The first thing you do is lock down your access to that server from the outside and from the inside out.  Remove the default gateway.
Unplug the network cable.
Remove all the files that were put on there.
Run Anti-virus checks, spyware checks, windows Defender.


They got in probably because the server is sitting behind a very insecure firewall.  Do you allow HTTP, HTTPS, SMTP, ICMP, RDP or any other type of traffic through your firewall?

Do you have your server in your DMZ?


LVL 88

Assisted Solution

by:rindi
rindi earned 796 total points
ID: 19530523
How?

First look in your company, maybe people have admin access? Or the server room isn't locked, the admin is always logged on? You have used a weak password that is easily guessed?

If the server is used as webserver, you might not have locked it down enough? Anonymous accounts should only be able to have read access...

You might not have applied all patches? Also according to hijackthis you aren't using a firewall, or it is an unknown one!

If you know and trust "tscupgrd.exe", then leave it, if not, use hijackthis to remove all those entries.

The same applies for these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{72D26AB3-7FA3-4658-8DD1-7417923A9004}: NameServer = 216.55.144.5,216.55.128.7
O23 - Service: TCP/IP NetBIOS (TCP-IP) - Unknown owner - C:\WINDOWS\system32\tcpsrv.exe
O23 - Service: Terman WSM Server (Terman) - Unknown owner - C:\WINDOWS\system32\terwain.exe

Remove this:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xxx-xxx-xx-xx:9370/fpadmdll.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
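As an added illustration of the triage rindi walks through above (not code from the thread or from HijackThis), the Python script below applies the same checks to the posted log lines: unknown-owner services living directly in system32, resolvers that are not the ones the admin expects, a ShellNext URL on an unusual port, and orphaned entries whose target file is missing. It assumes the entry format shown in the log and takes the expected DNS servers as an argument; the sample lines are copied from the log.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the HijackThis entries rindi singled out, copied from the
# posted log (the host in the R1 line is masked exactly as it was posted),
# plus two benign O23 lines from the same log as controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xxx-xxx-xx-xx:9370/fpadmdll.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{72D26AB3-7FA3-4658-8DD1-7417923A9004}: NameServer = 216.55.144.5,216.55.128.7
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
O23 - Service: TCP/IP NetBIOS (TCP-IP) - Unknown owner - C:\WINDOWS\system32\tcpsrv.exe
O23 - Service: Terman WSM Server (Terman) - Unknown owner - C:\WINDOWS\system32\terwain.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SYSTEM32 = "c:\\windows\\system32\\"


def triage(log_text, expected_dns=()):
    """Return (code, action, reason, line): 'remove' for entries whose target is
    gone, 'review' for entries the admin must confirm against what is installed."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O23":
            s = SERVICE_RE.match(body)
            # Windows' own services carry a Microsoft owner string; a service with
            # no owner info whose binary sits directly in system32 is worth a look.
            if s and s.group("owner").strip() == "Unknown owner":
                path = s.group("path").strip().lower()
                if path.startswith(SYSTEM32) and "\\" not in path[len(SYSTEM32):]:
                    findings.append((code, "review", "unknown-owner service in system32", raw))
        elif code == "O17":
            servers = [ip.strip() for ip in body.split("NameServer =")[-1].split(",")]
            unknown = [ip for ip in servers if ip not in expected_dns]
            if unknown:
                findings.append((code, "review", "resolver not expected: " + ",".join(unknown), raw))
        elif code == "R1" and "ShellNext =" in body:
            url = body.split("ShellNext =", 1)[1].strip()
            try:
                port = urlsplit(url).port
            except ValueError:
                port = None
            if port not in (None, 80, 443):
                findings.append((code, "review", "ShellNext target uses port %d" % port, raw))
        elif code == "O9" and body.endswith("(file missing)"):
            findings.append((code, "remove", "orphaned entry, target file missing", raw))
    return findings
```

Entries marked "review" are not verdicts: a legitimate third-party service can also report "Unknown owner", so each hit still has to be matched against what was knowingly installed on the box.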



Author Comment

by:rsorrells
ID: 19530667
The server is a leased server that's across the country, so I can't sever my own link to the server.  I'll try running the programs that you mentioned.  It's running Windows 2003 Server, and the latest version of Plesk.  It hosts about 20 web sites.  The firewall is the built-in Windows firewall.  I'm allowing remote desktop, MS SQL 2000 (with limited scope).  HTTP and HTTPS are allowed in.  With Plesk, it uses several Linux-oriented programs such as Apache, MySQL, etc.

Each of these music files created have shortcuts pointing to here:
C:\recycler\s-1-5-21-3732111762-1530546613-1416731192-501\dc14\backup\3\Prodigy
This contains the master music directory.

I'm wondering if there's some good information in the files or folders as to which account created them?

Bob

Author Comment

by:rsorrells
ID: 19530699
Thanks rindi, good suggestions.   I will remove those, and get with the hosting company for help also.
Bob
LVL 88

Expert Comment

by:rindi
ID: 19530789
You probably won't find much info about "who". It looks as if the Windows firewall is off, or HijackThis wouldn't have complained. Change your password and use a strong one. Change it often. Whenever possible, don't use the administrator account when logging on, but rather use an account with limited credentials.
Author Comment

by:rsorrells
ID: 19531126
I'm wondering if there are any services or programs that can scan for vulnerabilities?  I've used Hackersafe before, but haven't in about 2 years.

Thanks,
Bob
LVL 88

Expert Comment

by:rindi
ID: 19531216
Download the superantispyware software, it is very good for that.

http://www.superantispyware.com/

Often it also helps to scan the PC with an online scanner, like Trend Micro's HouseCall.

http://housecall.trendmicro.com/
LVL 32

Accepted Solution

by:r-k
r-k earned 1204 total points
ID: 19531439
This is not all that unusual, and you should be able to get it cleaned up in short order.

Step-1 should be to get rid of the current malware and backdoors that may have been installed. I will review your HJT log in a second and make some suggestions, but here is a list of things you should do after the immediate problem is fixed:

Step-2 (after some cleanup)

(1) Download and run MBSA from http://www.microsoft.com/technet/security/tools/mbsahome.mspx and follow as many of the suggestions as possible. Specifically, install any recommended updates.

(2) Examine your list of usernames and check if the hackers created new users that shouldn't be there.

(3) Change all Admin passwords, make them long and hard to break.

(4) Check if any network ports are open that should not be (use TCPview http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx).
Also, type "netstat -ab" from a command prompt.

(5) Search for any files created on your system around the time of the original break-in.

(6) Since this is a web server, review any web applications and scripts (asp, php...) that may have known vulnerabilities.
LVL 32

Assisted Solution

by:r-k
r-k earned 1204 total points
ID: 19531564
rindi already identified most of the bad entries in your HJT log. If those are not things that you installed yourself, clean those up first. I suspect one or more of those is an ftp server being used by the hackers to download/upload music files.
You can also post your HJT log to http://www.hijackthis.de/ and click "Analyze" to get a review. But if you're not sure about something don't disable it but check back here first.

This looks like a fairly straightforward break-in, most likely due to one of two reasons: (a) password guessing or (b) exploiting some unpatched vulnerability.

To add to my list of post-cleanup steps, you should set an account lockout policy so an account is locked out after x number of failed attempts.

I also suggest the following:

(1) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
    Important -> Then click the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.

Autoruns does have the option to disable startups that you believe to be bad, so you could use it to disable those items you're fairly sure about. You will need to reboot for changes to take effect.

Good plan to save the output of "netstat -ab" before and after cleanup so you can check/compare.
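To act on r-k's advice to keep the "netstat -ab" output from before and after cleanup and compare the two (step 4 of the post-cleanup list and the last line above), here is an added Python example, not from the thread, that parses two snapshots, reports listeners that disappeared or newly appeared, and lists the remote peers that had an established session at the time. The snapshots are constructed in the shape of the Windows output; ports, PIDs and addresses are made up, and terwain.exe stands in for the suspected rogue server only because the thread points at it.

```python
import re

# Constructed sample snapshots in the shape of Windows "netstat -ab" output: each
# TCP/UDP line is followed by the bracketed image name that owns the socket.
# Ports, PIDs and addresses are made up; terwain.exe is a stand-in, not a finding.
BEFORE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1644
  [inetinfo.exe]
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2212
  [terwain.exe]
  TCP    192.0.2.10:21          198.51.100.7:52110     ESTABLISHED     2212
  [terwain.exe]
  UDP    0.0.0.0:53             *:*                                    1588
  [named.exe]
"""
AFTER = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1644
  [inetinfo.exe]
  UDP    0.0.0.0:53             *:*                                    1588
  [named.exe]
"""

SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """List of (proto, local, foreign, state, image). The [image] line after a
    socket line names its owner; DLL component lines in between are skipped."""
    records = []
    for line in text.splitlines():
        sock = SOCKET_RE.match(line)
        img = IMAGE_RE.match(line)
        if sock:
            proto, local, foreign, state, _pid = sock.groups()
            records.append([proto, local, foreign, state or "", "?"])
        elif img and records:
            records[-1][4] = img.group(1)
    return [tuple(r) for r in records]


def listeners(text):
    """Set of (proto, port, image) for sockets that accept traffic."""
    return {(p, int(loc.rsplit(":", 1)[1]), img)
            for p, loc, _f, s, img in parse_netstat(text) if p == "UDP" or s == "LISTENING"}


def diff_listeners(before, after):
    """(closed, opened): listeners gone after cleanup, and any that newly appeared."""
    b, a = listeners(before), listeners(after)
    return b - a, a - b


def peers(text):
    """Remote endpoints with an ESTABLISHED session and the local image serving them."""
    return sorted((f, img) for _p, _l, f, s, img in parse_netstat(text) if s == "ESTABLISHED")
```

Anything in the "opened" set after cleanup deserves the same scrutiny as the original listeners, since a new listener appearing during remediation is not what cleanup should produce.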


LVL 88

Expert Comment

by:rindi
ID: 19531600
To do a HijackThis analysis use the http://hijackthis.de/en link, or you'll do an analysis based on German versions of your software, which can give you incorrect results (you can also use the link r-k gave you, then click on the language icon at the top left of your page to get there).
Author Comment

by:rsorrells
ID: 19536914
I found the root directory and several others had the read/write permission of 'everyone'.   I'm not sure how that got there.   I've fixed it.

One thing that I suspect is a vulnerability in PHP5.  I installed it replacing PHP4 for the Plesk operating system.  I'm sure it's not configured securely.  Is there a PHP security scanner for Windows that could help identify if this is the problem?

Thanks,
Bob
LVL 32

Expert Comment

by:r-k
ID: 19537327
Sorry, I don't know of an automated PHP security scanner. You probably have to stay on top of news and updates by joining their mailing list, I suspect.

Here are a few PHP security links I ran across that may help:

http://www.phpadvisory.com/
http://www.php.net/manual/en/security.php
http://www.sklar.com/page/article/owasp-top-ten
http://shiflett.org/php-security.pdf
LVL 32

Expert Comment

by:r-k
ID: 19543043
Thanks and good luck.