Help with a Hacker/Mass Mailer please

Asked by ghost123
Topics: Anti-Virus Apps, Security, Windows Server 2003
3 Comments, 1 Solution, 2370 Views
Hi All,

Wonder if you could help!!

We had an out-of-date Symantec Corp V10 running on a 2003 SP2 terminal server. This was updated and it found a program, X-Scan V3.3, installed on it. It dealt with it, but whilst checking the system out, I found that the local Guest account had been enabled and made a member of Administrators & Remote Desktop Users!! I disabled the account, removed the rights and set a secure password (could not delete the user as it is a built-in account). Ran a full scan and it came up clean. Installed Windows Defender and after a full scan it says "No unwanted or harmful software detected. Your computer is running normally". Installed Baseline Security Analyzer and it came back as OK bar a few "important" Office updates which I didn't download at the time. I changed the Administrator password and got all users to reset theirs.

Checked the server the next day and the Guest account had been re-enabled with the same permissions!! This time, Task Manager showed a disconnected Guest session and a program named masssender.exe. Installed programs listed Advance Mass Sender V4.3 as being installed, which promptly got removed!! Documents and Settings for the Guest user contains install files for the program and X-Scan plus a number of txt files containing email addresses for mass mailing :(

The server is open to RDP connections, but it does sit behind a Sonicwall 1260 firewall that has the Comprehensive Gateway Suite installed (gateway antivirus, antispyware and intrusion prevention)!!!

The security log on the server shows these entries:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            28/05/2008
Time:            11:27:47
User:            TS2K3\Guest
Computer:      TS2K3
Description:
Successful Logon:
       User Name:      Guest
       Domain:            TS2K3
       Logon ID:            (0x0,0x22F7DF3)
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      TS2K3
       Logon GUID:      -
       Caller User Name:      TS2K3$
       Caller Domain:      domainname
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 3608
       Transited Services: -
       Source Network Address:      89.136.75.36
       Source Port:      15762

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I've reported the IP to the ISP via their abuse@ email.

I can clean the server up again and I will be placing a deny rule for that IP on the firewall but can anyone suggest how he is getting in if all my scans are coming up clean?

Thanks in advance
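The event quoted in the question is exactly the kind of record a defender wants to alert on the moment it is written rather than discover by hand the next day. The script below is an added example, not from the question, its answer, or Experts Exchange: it parses text-exported Windows Server 2003 security events and flags Event ID 528 (Successful Logon) records where the account is a built-in one that should never log on (Guest) or where a Logon Type 10 (Terminal Services/RDP) session comes from a non-private source address. The sample input is constructed: the first record is abbreviated from the event in the question, the second is an invented benign LAN logon for contrast. The field names and the "Key: value" layout follow the event text as quoted; the account and logon-type lists are assumptions to tune per server.

```python
"""Flag suspicious successful logons in text-exported Windows Server 2003
security events (Event ID 528, the pre-Vista "Successful Logon" event)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample input. Record 1 is abbreviated from the event quoted in
# the question; record 2 is an invented benign RDP logon from the LAN.
SAMPLE_EVENTS = r"""
Event Type:      Success Audit
Event ID:      528
Date:            28/05/2008
Time:            11:27:47
User:            TS2K3\Guest
Computer:      TS2K3
Description:
Successful Logon:
       User Name:      Guest
       Domain:            TS2K3
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      TS2K3
       Source Network Address:      89.136.75.36
       Source Port:      15762

Event Type:      Success Audit
Event ID:      528
Date:            28/05/2008
Time:            09:02:11
User:            TS2K3\jsmith
Computer:      TS2K3
Description:
Successful Logon:
       User Name:      jsmith
       Domain:            TS2K3
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      TS2K3
       Source Network Address:      192.168.1.20
       Source Port:      3391
"""

# "Key:   value" lines; keys are words and spaces only, so free-text lines
# such as the trailing "For more information, see ..." are ignored.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

# Assumed policy: built-in accounts that should never log on to this server.
WATCHED_ACCOUNTS = {"guest"}
# Logon Type 10 = RemoteInteractive (Terminal Services / Remote Desktop).
REMOTE_INTERACTIVE_TYPES = {"10"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split a text export into blank-line-separated records and map each
    'Key: value' line to a dict entry. Records without an Event ID are dropped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record: Dict[str, str] = {}
        for line in block.splitlines():
            match = FIELD_RE.match(line)
            if match:
                record[match.group(1)] = match.group(2)
        if record.get("Event ID"):
            events.append(record)
    return events


def flag_logons(events, watched=WATCHED_ACCOUNTS, remote_types=REMOTE_INTERACTIVE_TYPES):
    """Return findings for Event ID 528 records that involve a watched account
    or a remote-interactive logon sourced from a non-private IP address."""
    findings = []
    for ev in events:
        if ev.get("Event ID") != "528":
            continue
        reasons = []
        user = ev.get("User Name", "")
        if user.lower() in watched:
            reasons.append("watched-account")
        source = ev.get("Source Network Address", "-")
        if ev.get("Logon Type") in remote_types:
            try:
                addr = ipaddress.ip_address(source)
            except ValueError:  # "-" or missing address
                addr = None
            if addr is not None and not addr.is_private:
                reasons.append("remote-interactive-from-public-ip")
        if reasons:
            findings.append({
                "when": f"{ev.get('Date')} {ev.get('Time')}",
                "user": f"{ev.get('Domain', '')}\\{user}",
                "source": source,
                "logon_type": ev.get("Logon Type"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_logons(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against a saved export of the Security log (Event Viewer's "Save as text"), the script reports the Guest record with both reasons and stays silent on the internal jsmith logon. The two rules are separate on purpose: a disabled built-in account logging on at all is a finding regardless of where it came from, and a Terminal Services logon from a public address is worth reviewing even for a legitimate user when the server is reachable over RDP from the Internet.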
ASKER CERTIFIED SOLUTION
phlatline
