ghost123
asked on
Help with a Hacker/Mass Mailer please
Hi All,
Wonder if you could help!!
We had an out-of-date Symantec Corp V10 running on a 2003 SP2 terminal server. This was updated and it found a program, x-scan V3.3, installed on it. It dealt with it, but whilst checking the system out I found that the local Guest account had been enabled and made a member of Administrators & Remote Desktop Users!! I disabled the account, removed the rights and set a secure password (could not delete the user as it is a built-in account). Ran a full scan and it came up clean. Installed Windows Defender and after a full scan it says "No unwanted or harmful software detected. Your computer is running normally". Installed Baseline Security Analyzer and it came back as OK bar a few "important" Office updates which I didn't download at the time. I changed the administrator password and got all users to reset theirs.
Checked the server the next day and the Guest account had been re-enabled with the same permissions!! This time, Task Manager showed a disconnected Guest session and a program named masssender.exe. Installed programs listed Advance Mass Sender V4.3 as being installed, which promptly got removed!! Documents and Settings for the Guest user contains install files for the program and x-scan plus a number of txt files containing email addresses for mass mailing :(
The server is open to RDP connections, but it does sit behind a SonicWall 1260 firewall that has the comprehensive gateway suite installed (gateway antivirus, antispyware and intrusion prevention)!!!
The security log on the server shows these entries:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 28/05/2008
Time: 11:27:47
User: TS2K3\Guest
Computer: TS2K3
Description:
Successful Logon:
User Name: Guest
Domain: TS2K3
Logon ID: (0x0,0x22F7DF3)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TS2K3
Logon GUID: -
Caller User Name: TS2K3$
Caller Domain: domainname
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3608
Transited Services: -
Source Network Address: 89.136.75.36
Source Port: 15762
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I've reported the IP to the ISP via their abuse@ email.
I can clean the server up again and I will be placing a deny rule for that IP on the firewall, but can anyone suggest how he is getting in if all my scans are coming up clean?
Thanks in advance
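The event quoted above is a Logon Type 10 (Terminal Services/RDP) success for the built-in Guest account from a non-LAN address. The following Python is an added example, not part of the post, that triages a text export of such Security-log entries and flags the combination worth acting on: an RDP logon by Guest, or from an address outside the private RFC 1918 ranges. The sample entries are constructed and trimmed to the relevant fields; the field names are those of the event shown in the post.

```python
"""Triage of Windows Server 2003 Security-log logon events (Event ID 528).

Parses 'Key: Value' text blocks (one event per block, blank-line separated)
and flags remote interactive (Logon Type 10 = Terminal Services/RDP) logons
by the Guest account or from addresses outside the private ranges.
"""
import ipaddress
import re

# Constructed sample: the entry from the post (trimmed) plus a benign LAN logon.
SAMPLE_LOG = """\
Event ID: 528
User Name: Guest
Domain: TS2K3
Logon Type: 10
Source Network Address: 89.136.75.36
Source Port: 15762

Event ID: 528
User Name: itadmin
Domain: TS2K3
Logon Type: 10
Source Network Address: 192.168.1.20
Source Port: 3389
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split the export on blank lines and turn each block into a field dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events

def is_suspicious(event):
    """RDP (type 10) success as Guest, or from a non-private source address."""
    if event.get("Event ID") != "528" or event.get("Logon Type") != "10":
        return False
    if event.get("User Name", "").lower() == "guest":
        return True
    addr = event.get("Source Network Address", "")
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:  # console logons log '-' instead of an address
        return False

def flag_suspicious(text):
    return [e for e in parse_events(text) if is_suspicious(e)]
```

Run over a real export, the flagged entries give the source addresses to block at the firewall and the accounts to disable or rename, which is the check the disconnected Guest session in the post would have tripped.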
ASKER
Thanks for the tip on renaming the guest account
ASKER
I think it's a case of Symantec Corp striking again :(
I have done an online scan with F-Secure and it has found the following viruses in the doc settings Guest folder:
Trojan-Clicker.HTML.IFrame
Trojan-Clicker.HTML.IFrame
Trojan-Clicker.JS.Agent.h (virus)
Trojan-Downloader.JS.Psyme
It says it cleared them but I am scanning again!