Solved

Possible Compromised Server

Posted on 2008-10-04
5
446 Views
Last Modified: 2010-04-19
I have found several accounts randomly popping up in ADUC on one of my managed SBS 2003 boxes - I have changed the p/w & disabled these accounts (or deleted them if I know they are bogus). Also, lately this server has had strange operational problems, and is also having trouble sending mail to certain domains, so I fear that the box may be compromised and/or has been turned into a zombie! :-(

Question: Does anybody have any good (and free) tools I could use to determine if one of my servers has been compromised and/or is being controlled by an "outside" party?

Thanks,
Brian
0
Comment
Question by:ethernet69
5 Comments
 
LVL 3

Expert Comment

by:mike_hale
ID: 22643796
There are a few ways.

One way is to perform an nmap scan on your server to see which ports are open.  You'll also want to see if your server is listed in any spam databases.  Go to:  http://www.dnsbl.info/ and type in the public IP of your mail server.  

You'll also want to check, immediately, which accounts have membership in ANY of your admin groups, and verify that they are supposed to be there.  Then, reset the passwords for those accounts and ensure you follow good password practices.  

Beyond that, also make sure you've got good, up-to-date anti-virus installed on the server, and run it.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 22644467
If accounts are being created and you are sure it was no other admin, your server is compromised, period. Restore it from a clean backup. I would not trust anything else.
0
 
LVL 1

Expert Comment

by:Eidron1980
ID: 22644723
The server sounds compromised; probably one or more of your clients as well. I will assume that you have an up-to-date anti-virus and firewall enabled on the server, which means that the backdoor or whatever came via one of the clients.

Save data on the server, scan it offline, reinstall from scratch. Keep all clients offline. Then offline-scan your clients to determine the source and then connect clients and server to the network.

There is no need to reinstall, fix, scan before you know what happened and how; but to determine this keep the system offline (not on the net) to prevent further damage to systems and data.
0
 
LVL 4

Expert Comment

by:placebo69a
ID: 22645230
Are you the only person maintaining this server? Some of my clients install application servers on their SBS and the application support people usually get the password out of them and start creating user accounts etc. Maybe you should check with your client who has access to the password or at the very least change it regularly.
Regarding not being able to send email to certain domains. This could mean somehow the mail server has been blacklisted. This happens when spam gets sent from the server to one of many many trap-mailboxes out there or when enough people have been reported as spamming from the mail server. If you are sure nobody is spamming from your mail server you can go here to test if your mail server has been blacklisted. Just put in your client's real IP address and hit enter. If you're not sure what the IP is log on to the server's console and visit this website. If you are blacklisted the good people who ran the test for you also offer to help getting you unlisted on their website.
Let me know if this helps. :)
0
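The checks suggested in the two comments above (who sits in the admin groups, which accounts appeared recently, and whether the mail server's public IP is on a DNS blacklist) can be scripted. The script below is an added example, not code from any of the posters; it uses ADSI and plain DNS so it needs nothing beyond PowerShell 2.0 on the SBS box. The public IP, the look-back window and the DNSBL zone names are assumptions to replace with your own values.

```powershell
# Added example (not from the thread): audit privileged group membership,
# list recently created accounts, and check the mail server's public IP
# against DNS blacklists. ADSI only, so no AD module is required.
# Assumptions (placeholders): $PublicIp is the mail server's public address
# (documentation range here), $Days is the "recently created" window,
# $Zones is the list of blacklists to query.
param(
    [string]$PublicIp = '203.0.113.10',
    [int]$Days = 30,
    [string[]]$Zones = @('zen.spamhaus.org', 'bl.spamcop.net')
)

$root = [ADSI]'LDAP://RootDSE'
$domainDn = $root.Get('defaultNamingContext')

# 1. Members of the built-in privileged groups. Compare this against who you expect.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($groupName in $privileged) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectClass=group)(cn=$groupName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { continue }
    $group = $result.GetDirectoryEntry()
    Write-Host "== $groupName =="
    foreach ($memberDn in @($group.member)) {
        Write-Host "   $memberDn"
    }
}

# 2. User accounts created in the last $Days days. whenCreated is compared as
#    LDAP generalized time (yyyyMMddHHmmss.0Z), so build the cutoff in that form.
$cutoff = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(whenCreated>=$cutoff))"
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'whenCreated', 'userAccountControl'))
Write-Host "== Accounts created since $cutoff =="
foreach ($r in $searcher.FindAll()) {
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    $disabled = ($uac -band 2) -ne 0     # bit 2 = ADS_UF_ACCOUNTDISABLE
    Write-Host ("   {0}  created {1}  disabled={2}" -f `
        $r.Properties['samaccountname'][0], $r.Properties['whencreated'][0], $disabled)
}

# 3. DNSBL lookup: reverse the octets and resolve <reversed-ip>.<zone>.
#    A 127.0.0.x answer means "listed"; NXDOMAIN (a resolver error here) means not listed.
$reversed = ($PublicIp.Split('.')[3..0]) -join '.'
foreach ($zone in $Zones) {
    $name = "$reversed.$zone"
    try {
        $answers = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        if (@($answers | Where-Object { $_ -like '127.0.0.*' }).Count -gt 0) {
            Write-Host "LISTED on $zone -> $($answers -join ', ')"
        } else {
            Write-Host "unexpected answer from $zone ($($answers -join ', ')); check the zone's documentation"
        }
    } catch {
        Write-Host "not listed on $zone"
    }
}
```

Run it from an elevated PowerShell prompt on the server and keep the output with your incident notes; any admin-group member or recently created account you cannot explain is the evidence that decides between "clean up" and "restore from a clean backup" as the later comments debate.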
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 22645997
Most likely these issues are not correlated. To gain front end access to a machine, they have to go through firewalls and hack kerberos authentication and do this while not being detected by an AV program.

To do this is near impossible for a master hacker. Kerberos is a very strong authentication protocol in comparison to LMhash and NTLMhash. Capitalization matters, Kerberos can use special characters and unlike NTLMhash and LMhash, a hacker has to hack each individual character of the password.

The only effective means to do this is to put a keylogger and trojan horse on your computer to monitor your keystrokes. With an up-to-date AV program, that's near impossible. To brute force hack out the password is a waste of time for a spammer. They have more "productive" means to hose you up.
_______________________________________________________________________________
Though I do agree you might be blacklisted, and that is why you are not getting mails in<->out as you should, I don't think your operational problems are related. Most likely this blacklist comes from a compromised open relay agent for mail, (A spammer's gold mine).
_____________________________________________________________________________
A while back I deleted Users in ADUC that I felt don't exist. One of them was a built in account for Terminal services. The username was called TSinternetuser.  This account was needed for terminal services. What a mistake that was. So, be careful on what you delete as far as usernames and passwords. Problems with email and operations could easily come from deleting the built in "User" accounts for services, like terminal services. If you remember what user accounts you already deleted, you might want to post those here.

NOTE: (One of these below issues is where I think your problems lie)
Another issue that could cause both problems is intermittent communications on the NIC. There are things that can cause intermittent comms. One is SP1 on the machine. If you are running SP1, then you should consider upgrading to SP2. A second thing that causes intermittent comms on the server is the preferred DNS server list. Make sure you only have your "internal" DNS servers listed as your preferred DNS server. DO NOT, use the gateway/router as a preferred DNS server. Gateway/routers don't hold the SRV records you need to communicate with AD.
_____________________________________________________________________________
Now, on to checking for malware and help fix your operational problems:

Well, let's start by checking for trojans and keyloggers and determine if you had a "strong" password for the Mail administrator/domain admin. That will nix the possibility that you had a brute force attack on your Server. To do so, I like to check for running processes in the background. There is a free executable program that is perfect for this. It is called Hijackthis. This lists all processes running in the background and you can paste that on a website to see how viewers in the past have rated each process. The reason I like this program so much is because it is an executable that does not interfere with your installed AV and AS programs.

Run a Hijackthis and post it on this website:
**Hijack this download site:
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
**Then, you can copy and paste your results on this page to evaluate it automatically:
http://www.hijackthis.de/index.php?langselect=english#anl

For performance:
If you are using SP1, consider updating to SP2.
Check your preferred DNS servers on the NICs. For DHCP clients go to the DHCP snap-in and expand that snap-in until you see a folder called "Scope Options". Open that up and make sure that your Microsoft DNS servers are listed as DNS servers, (NO gateways/routers or any other nodes). On the router, make sure the list of DNS servers is your DNS server. On Fixed IP NICs, go to Network connection>>Properties>>TCP/IP>>properties>>and remove any preferred or alternate DNS servers that are not your DNS servers.



0
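Two of the checks in the accepted answer (the NIC DNS server lists pointing only at internal DNS, and a review of what is running in the background) can be done from the console without extra tools. The script below is an added example, not ChiefIT's code or HijackThis; it reads the adapter configuration and process list through WMI, which is available on Windows Server 2003. The list of internal DNS server addresses is an assumption to replace with your own.

```powershell
# Added example (not from the accepted answer): flag any NIC whose DNS server
# list contains something other than the internal AD DNS servers, then list
# running processes with their executable path for manual review.
# Assumption (placeholder): $InternalDns holds the addresses of your AD DNS servers.
param(
    [string[]]$InternalDns = @('192.168.16.2')
)

# 1. DNS client settings on every IP-enabled adapter.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    $gateways = @($nic.DefaultIPGateway)
    $foreign = @($servers | Where-Object { $InternalDns -notcontains $_ })
    $status = if ($foreign.Count -gt 0 -or $servers.Count -eq 0) { 'CHECK' } else { 'ok' }
    Write-Host ("[{0}] {1}: DNS = {2}" -f $status, $nic.Description, ($servers -join ', '))
    if ($servers.Count -eq 0) {
        Write-Host "      no DNS servers configured; the server must point at its own AD DNS"
    }
    foreach ($s in $foreign) {
        if ($gateways -contains $s) {
            # The router answers recursive queries but holds none of the _ldap/_kerberos SRV records.
            Write-Host "      $s is the default gateway, not an AD DNS server; remove it"
        } else {
            Write-Host "      $s is not one of the internal DNS servers; remove it"
        }
    }
}

# 2. Running processes with full path. Entries whose path is outside the
#    Windows or Program Files trees, or that have no path at all but are not
#    well-known system processes, are the ones to look at first.
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles) | ForEach-Object { $_.ToLower() }
Write-Host "== Running processes =="
Get-WmiObject Win32_Process | Sort-Object ProcessId | ForEach-Object {
    $path = $_.ExecutablePath
    $flag = ' '
    if ($path) {
        $inExpected = $expectedRoots | Where-Object { $path.ToLower().StartsWith($_) }
        if (-not $inExpected) { $flag = '*' }
    } else {
        $path = '(no path reported)'
    }
    Write-Host ("{0} {1,6}  {2,-24} {3}" -f $flag, $_.ProcessId, $_.Name, $path)
}
```

Lines marked with an asterisk are simply processes running from somewhere other than the Windows and Program Files directories; that is where third-party services and also most unwanted software live, so it narrows the list worth looking up rather than proving anything by itself.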
