Solved

Possible Compromised Server

Posted on 2008-10-04
Last Modified: 2010-04-19
I have found several accounts randomly popping up in ADUC on one of my managed SBS 2003 boxes - I have changed the p/w & disabled these accounts (or deleted them if I know they are bogus). Also, lately this server has had strange operational problems, and is also having trouble sending mail to certain domains, so I fear that the box may be compromised and/or has been turned into a zombie! :-(

Question: Does anybody have any good (and free) tools I could use to determine if one of my servers has been compromised and/or is being controlled by an "outside" party?

Thanks,
Brian
Question by:ethernet69
5 Comments
 
LVL 3

Expert Comment

by:mike_hale
ID: 22643796
There are a few ways.

One way is to perform an nmap scan on your server to see which ports are open.  You'll also want to see if your server is listed in any spam databases.  Go to:  http://www.dnsbl.info/ and type in the public IP of your mail server.  

You'll also want to check, immediately, which accounts have membership in ANY of your admin groups, and verify that they are supposed to be there.  Then, reset the passwords for those accounts and ensure you follow good password practices.  

Beyond that, also make sure you've got good, up to date anti-virus installed on the server, and run it.
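The blocklist check mike_hale describes is a plain DNS query: reverse the octets of the public IP, append the list's zone, and treat an A record in 127.0.0.0/8 as "listed". The script below is an added example, not code from the thread or from dnsbl.info; the two zone names in DEFAULT_ZONES are real lists given only as illustration (check each operator's usage terms), the fake resolver under `__main__` is constructed sample data so it runs offline, and the RFC 5782 sanity check (127.0.0.2 must be listed, 127.0.0.1 must not) weeds out dead or wildcarded zones whose answers would otherwise look like listings.

```python
"""DNSBL lookup for a mail server's public IPv4 address.

Added example, not from the original thread. DEFAULT_ZONES names two real,
widely used lists purely as illustration (assumption: you may want others;
check each operator's usage terms). The fake resolver under __main__ is
constructed sample data so the script runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
DEFAULT_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# A resolver maps a hostname to its A records; [] means NXDOMAIN, i.e. not listed.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone:
    192.0.2.25 + zen.spamhaus.org -> 25.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)            # ValueError if not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Query through the OS stub resolver; NXDOMAIN becomes []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:                             # gaierror/herror: no such name
        return []


def listing_codes(answers: List[str]) -> List[str]:
    """Keep only answers inside 127.0.0.0/8. A DNSBL signals 'listed' with a
    127.0.0.x return code; anything else (wildcard DNS, captive portal) is noise."""
    codes = []
    for a in answers:
        try:
            if ipaddress.IPv4Address(a) in LOOPBACK:
                codes.append(a)
        except ValueError:
            continue
    return codes


def zone_is_usable(zone: str, resolve: Resolver = system_resolver) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.
    A zone that fails is dead or wildcarded and its other answers mean nothing."""
    positive = bool(listing_codes(resolve(dnsbl_query_name("127.0.0.2", zone))))
    negative = not listing_codes(resolve(dnsbl_query_name("127.0.0.1", zone)))
    return positive and negative


def check_ip(ip: str, zones: List[str] = DEFAULT_ZONES,
             resolve: Resolver = system_resolver) -> Dict[str, Tuple[str, List[str]]]:
    """Return {zone: (status, codes)} with status 'listed', 'clean' or 'unusable'."""
    report: Dict[str, Tuple[str, List[str]]] = {}
    for zone in zones:
        if not zone_is_usable(zone, resolve):
            report[zone] = ("unusable", [])
            continue
        codes = listing_codes(resolve(dnsbl_query_name(ip, zone)))
        report[zone] = ("listed", codes) if codes else ("clean", [])
    return report


if __name__ == "__main__":
    # Constructed sample data: a fake resolver standing in for live DNS.
    FAKE = {
        "2.0.0.127.bl.example.test": ["127.0.0.2"],                # RFC 5782 test entry
        "25.2.0.192.bl.example.test": ["127.0.0.2", "127.0.0.4"],  # our IP, listed
        "2.0.0.127.clean.example.test": ["127.0.0.2"],             # usable zone, IP not listed
        # dead.example.test never answers, so it fails the sanity check
    }
    fake = lambda name: FAKE.get(name, [])
    zones = ["bl.example.test", "clean.example.test", "dead.example.test"]
    for zone, (status, codes) in check_ip("192.0.2.25", zones, fake).items():
        print(f"{zone:22} {status:9} {' '.join(codes)}")
```

Run it against the live resolver by calling `check_ip("<public IP>")` with the default resolver; the per-zone meaning of each 127.0.0.x code is documented by the list operator, and a "listed" result is the usual reason mail to some domains bounces while everything else works.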
 
LVL 54

Expert Comment

by:McKnife
ID: 22644467
If accounts are being created and you are sure it was no other admin, your server is compromised, period. Restore it from a clean backup. I would not trust anything else.
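McKnife's test ("you are sure it was no other admin") can be checked against the Security log rather than memory: on Windows 2000/2003 every account creation is audited as Security event ID 624 (4720 on Server 2008 and later), and its description names both the new account and the caller that created it. The script below is an added example, not code from the thread; the tab-separated column order and the sample rows are constructed to approximate an Event Viewer export, so adjust the column positions for a real file.

```python
"""Find who created which accounts from a Windows 2003 Security log export.

Added example, not from the original thread. Windows 2000/2003 logs
'User Account Created' as Security event ID 624 (4720 on Server 2008 and
later); the description names the new account and the caller that created it.
Assumptions: the tab-separated column order and the sample rows below are
constructed to approximate an Event Viewer 'Save As' export; adjust the
column positions for a real file.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

ACCOUNT_CREATED_IDS = {"624", "4720"}
NEW_ACCOUNT_RE = re.compile(r"New Account Name:\s*(\S+)")
CALLER_RE = re.compile(r"Caller User Name:\s*(\S+)")


@dataclass
class Creation:
    when: str           # "YYYY-MM-DD HH:MM:SS" as exported
    new_account: str
    caller: str
    computer: str


def parse_creations(lines: Iterable[str]) -> List[Creation]:
    """One Creation per account-created event; every other row is skipped."""
    found: List[Creation] = []
    for line in lines:
        cols = line.rstrip("\n").split("\t")
        if len(cols) < 9:
            continue                          # header, blank or truncated row
        date, time, _type, _src, _cat, event_id, _user, computer, desc = cols[:9]
        if event_id not in ACCOUNT_CREATED_IDS:
            continue
        new, caller = NEW_ACCOUNT_RE.search(desc), CALLER_RE.search(desc)
        if not (new and caller):
            continue                          # malformed description: don't guess
        found.append(Creation(f"{date} {time}", new.group(1), caller.group(1), computer))
    return found


def by_unknown_caller(creations: List[Creation], known_admins: Set[str]) -> List[Creation]:
    """Creations performed by anyone other than the admins you know about."""
    admins = {a.lower() for a in known_admins}
    return [c for c in creations if c.caller.lower() not in admins]


def outside_hours(creations: List[Creation], start: int = 7, end: int = 19) -> List[Creation]:
    """Creations outside the [start, end) working-hours window; attackers rarely
    keep office hours, so this is a cheap second filter even for known callers."""
    out = []
    for c in creations:
        hour = int(c.when.split(" ")[1].split(":")[0])
        if not start <= hour < end:
            out.append(c)
    return out


# Constructed sample export: two 624 events and one unrelated logon event.
SAMPLE_ROWS = [
    ["Date", "Time", "Type", "Source", "Category", "Event", "User", "Computer", "Description"],
    ["2008-10-01", "09:14:22", "Success Audit", "Security", "Account Management", "624",
     r"CORP\Administrator", "SBS01",
     "User Account Created: New Account Name: jsmith New Domain: CORP "
     r"New Account ID: CORP\jsmith Caller User Name: Administrator Caller Domain: CORP"],
    ["2008-10-02", "03:41:07", "Success Audit", "Security", "Account Management", "624",
     r"CORP\helpdesk", "SBS01",
     "User Account Created: New Account Name: asp_net2 New Domain: CORP "
     r"New Account ID: CORP\asp_net2 Caller User Name: helpdesk Caller Domain: CORP"],
    ["2008-10-02", "03:42:55", "Success Audit", "Security", "Logon/Logoff", "528",
     r"CORP\asp_net2", "SBS01",
     "Successful Logon: User Name: asp_net2 Domain: CORP Logon Type: 10"],
]
SAMPLE_LINES = ["\t".join(row) for row in SAMPLE_ROWS]

if __name__ == "__main__":
    creations = parse_creations(SAMPLE_LINES)
    for c in by_unknown_caller(creations, {"Administrator"}):
        print(f"{c.when} {c.computer}: {c.new_account} created by {c.caller} (caller not a known admin)")
    for c in outside_hours(creations):
        print(f"{c.when} {c.computer}: {c.new_account} created by {c.caller} (outside working hours)")
```

If the export contains no 624 events at all for accounts you can see in ADUC, either account-management auditing is off on the domain controller or the log has been cleared, and both of those are findings in their own right.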
 
LVL 1

Expert Comment

by:Eidron1980
ID: 22644723
The server sounds compromised; probably one or more of your clients as well. I will assume that you have an up-to-date anti-virus and firewall enabled on the server, which means that the backdoor or whatever came via one of the clients.

Save data on the server, scan it offline, reinstall from scratch. Keep all clients offline. Then offline-scan your clients to determine the source and then connect clients and server to the network.

There is no need to reinstall, fix, or scan before you know what happened and how; but to determine this, keep the system offline (not on the net) to prevent further damage to systems and data.
 
LVL 4

Expert Comment

by:placebo69a
ID: 22645230
Are you the only person maintaining this server? Some of my clients install application servers on their SBS and the application support people usually get the password out of them and start creating user accounts etc. Maybe you should check with your client who has access to the password or at the very least change it regularly.
Regarding not being able to send email to certain domains. This could mean somehow the mail server has been blacklisted. This happens when spam gets sent from the server to one of many many trap-mailboxes out there or when enough people have been reported as spamming from the mail server. If you are sure nobody is spamming from your mail server you can go here to test if your mail server has been blacklisted. Just put in your client's real ip address and hit enter. If you're not sure what the ip is log on to the server's console and visit this website. If you are blacklisted the good people who ran the test for you also offer to help getting you unlisted on their website.
Let me know if this helps. :)
 
LVL 38

Accepted Solution

by:ChiefIT (earned 500 total points)
ID: 22645997
Most likely these issues are not correlated. To gain front end access to a machine, they have to go through firewalls and hack Kerberos authentication and do this while not being detected by an AV program.

To do this is near impossible for a master hacker. Kerberos is a very strong authentication protocol in comparison to LMhash and NTLMhash. Capitalization matters, Kerberos can use special characters and unlike NTLMhash and LMhash, a hacker has to hack each individual character of the password.

The only effective means to do this is to put a keylogger and trojan horse on your computer to monitor your keystrokes. With an up-to-date AV program, that's near impossible. To brute force hack out the password is a waste of time for a spammer. They have more "productive" means to hose you up.
_______________________________________________________________________________
Though I do agree you might be blacklisted, and that is why you are not getting mails in<->out as you should, I don't think your operational problems are related. Most likely this blacklist comes from a compromised open relay agent for mail (a spammer's gold mine).
_____________________________________________________________________________
A while back I deleted users in ADUC that I felt didn't exist. One of them was a built in account for Terminal Services. The username was called TSinternetuser. This account was needed for Terminal Services. What a mistake that was. So, be careful on what you delete as far as usernames and passwords. Problems with email and operations could easily come from deleting the built in "user" accounts for services, like Terminal Services. If you remember what user accounts you already deleted, you might want to post those here.

NOTE: (One of these below issues is where I think your problems lie)
Another issue that could cause both problems is intermittent communications on the NIC. There are things that can cause intermittent comms. One is SP1 on the machine. If you are running SP1, then you should consider upgrading to SP2. A second thing that causes intermittent comms on the server is the preferred DNS server list. Make sure you only have your "internal" DNS servers listed as your preferred DNS server. DO NOT, use the gateway/router as a preferred DNS server. Gateway/routers don't hold the SRV records you need to communicate with AD.
_____________________________________________________________________________
Now, on to checking for malware and help fix your operational problems:

Well, let's start by checking for trojans and keyloggers and determine if you had a "strong" password for the mail administrator/domain admin. That will nix the possibility that you had a brute force attack on your server. To do so, I like to check for running processes in the background. There is a free executable program that is perfect for this. It is called HijackThis. This lists all processes running in the background and you can paste that on a website to see how viewers in the past have rated each process. The reason I like this program so much is because it is an executable that does not interfere with your installed AV and AS programs.

Run a HijackThis and post it on this website:
**HijackThis download site:
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
**Then, you can copy and paste your results on this page to evaluate it automatically:
http://www.hijackthis.de/index.php?langselect=english#anl

For performance:
If you are using SP1, consider updating to SP2.
Check your preferred DNS servers on the NICs. For DHCP clients go to the DHCP snap-in and expand that snap-in until you see a folder called "Scope Options". Open that up and make sure that your Microsoft DNS servers are listed as DNS servers (NO gateways/routers or any other nodes). On the router, make sure the list of DNS servers is your DNS server. On fixed IP NICs, go to Network connection>>Properties>>TCP/IP>>Properties>>and remove any preferred or alternate DNS servers that are not your DNS servers.
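The NIC check in the accepted answer (only internal DNS servers on every adapter, never the gateway/router) is easy to get wrong by eye on a multi-homed SBS box, so here is an added example that audits it from the text of `ipconfig /all`. This is not code from the thread; it assumes the IPv4-only Windows 2003 output layout, and the sample output and addresses embedded below are constructed.

```python
"""Audit DNS server settings from 'ipconfig /all' output on a Windows server.

Added example, not from the original thread. It parses the adapter sections
of ipconfig /all and flags any adapter whose DNS server list contains the
default gateway or any address that is not one of your internal DNS servers.
Assumptions: IPv4-only output in the Windows 2003 layout; the sample text
and addresses below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

SECTION_RE = re.compile(r"^(?:\w+ adapter )?(.+):\s*$")     # "Ethernet adapter X:"
KEYVAL_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")          # "   Key . . . : value"

Adapters = Dict[str, Dict[str, List[str]]]


def parse_ipconfig(text: str) -> Adapters:
    """Map adapter name -> {setting: [values]}; multi-line settings such as
    'DNS Servers' collect their indented continuation lines."""
    adapters: Adapters = {}
    current, last_key = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: a section header
            m = SECTION_RE.match(line)
            current = m.group(1) if m else None   # "Windows IP Configuration" has no colon
            if current:
                adapters.setdefault(current, defaultdict(list))
            last_key = None
            continue
        if current is None:
            continue                              # global lines above the first adapter
        m = KEYVAL_RE.match(line)
        if m:
            last_key, value = m.group(1), m.group(2).strip()
            if value:
                adapters[current][last_key].append(value)
        elif last_key:                            # indented continuation (2nd DNS server...)
            adapters[current][last_key].append(line.strip())
    return adapters


def audit_dns(adapters: Adapters, internal_dns: Set[str]) -> List[str]:
    """One finding per DNS entry that is the gateway or is not an internal server."""
    findings = []
    for name, cfg in adapters.items():
        dns = cfg.get("DNS Servers", [])
        gateways = set(cfg.get("Default Gateway", []))
        if not dns:
            findings.append(f"{name}: no DNS servers configured")
        for server in dns:
            if server in gateways:
                findings.append(f"{name}: gateway {server} is listed as a DNS server")
            elif server not in internal_dns:
                findings.append(f"{name}: {server} is not an internal DNS server")
    return findings


# Constructed sample: the LAN NIC lists the router second, the WAN NIC an ISP resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SBS01
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2
                                       192.168.16.1

Ethernet adapter Network Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 203.0.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 203.0.113.53
"""

if __name__ == "__main__":
    # On the server itself: ipconfig /all > ipconfig.txt, then feed that file in.
    for finding in audit_dns(parse_ipconfig(SAMPLE_IPCONFIG), {"192.168.16.2"}):
        print(finding)
```

The set passed to `audit_dns` is your list of internal DNS servers (on SBS usually the server's own address); anything else in a DNS Servers list is a finding, and the gateway case gets its own message because it is exactly the misconfiguration the answer warns about.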