Solved

Possible Compromised Server

Posted on 2008-10-04
Last Modified: 2010-04-19
I have found several accounts randomly popping up in ADUC on one of my managed SBS 2003 boxes - I have changed the p/w & disabled these accounts (or deleted them if I know they are bogus). Also, lately this server has had strange operational problems, and is also having trouble sending mail to certain domains, so I fear that the box may be compromised and/or has been turned into a zombie! :-(

Question: Does anybody have any good (and free) tools I could use to determine if one of my servers has been compromised and/or is being controlled by an "outside" party?

Thanks,
Brian
Question by:ethernet69
5 Comments
LVL 3

Expert Comment

by:mike_hale
ID: 22643796
There are a few ways.

One way is to perform an nmap scan on your server to see which ports are open. You'll also want to see if your server is listed in any spam databases. Go to: http://www.dnsbl.info/ and type in the public IP of your mail server.

You'll also want to check, immediately, which accounts have membership in ANY of your admin groups, and verify that they are supposed to be there. Then, reset the passwords for those accounts and ensure you follow good password practices.

Beyond that, also make sure you've got good, up to date anti-virus installed on the server, and run it.
LVL 57

Expert Comment

by:McKnife
ID: 22644467
If accounts are being created and you are sure it was no other admin, your server is compromised, period. Restore it from a clean backup. I would not trust anything else.
LVL 1

Expert Comment

by:Eidron1980
ID: 22644723
The server sounds compromised; probably one or more of your clients as well. I will assume that you have an up-to-date anti-virus and firewall enabled on the server, which means that the backdoor or whatever came via one of the clients.

Save data on the server, scan it offline, reinstall from scratch. Keep all clients offline. Then offline-scan your clients to determine the source, and then connect clients and server to the network.

There is no need to reinstall, fix, or scan before you know what happened and how; but to determine this, keep the system offline (not on the net) to prevent further damage to systems and data.
LVL 4

Expert Comment

by:placebo69a
ID: 22645230
Are you the only person maintaining this server? Some of my clients install application servers on their SBS and the application support people usually get the password out of them and start creating user accounts etc. Maybe you should check with your client who has access to the password, or at the very least change it regularly.
Regarding not being able to send email to certain domains: this could mean somehow the mail server has been blacklisted. This happens when spam gets sent from the server to one of many, many trap mailboxes out there, or when enough people have reported spam coming from the mail server. If you are sure nobody is spamming from your mail server, you can go here to test if your mail server has been blacklisted. Just put in your client's real IP address and hit enter. If you're not sure what the IP is, log on to the server's console and visit this website. If you are blacklisted, the good people who ran the test for you also offer to help getting you unlisted on their website.
Let me know if this helps. :)
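Both mike_hale and placebo69a point at the same check: look your mail server's public IP up in a DNS blacklist. The web front-ends they mention do this for you, but the underlying lookup is a plain DNS query, and knowing how it is built helps when you script the check for several servers. The following is an added example, not code from the thread or from any blacklist operator: it reverses the IPv4 octets into the DNSBL query name, refuses RFC 1918 and loopback addresses (a NAT'd server must be checked by its public address), and interprets the conventional 127.0.0.x answer. The zone name `dnsbl.example.net` is a placeholder for whatever list you actually query, and the answers in `SAMPLE_ANSWERS` are constructed so the script runs offline; swap in `_default_resolver` for a live lookup.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Placeholder zone (assumption): replace with the DNSBL zone you actually consult.
DNSBL_ZONE = "dnsbl.example.net"

# Addresses that can never be meaningfully listed: a NAT'd mail server must be
# checked by its public IP, so querying one of these is almost always a mistake.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet name a DNSBL expects, e.g. 4.100.51.198.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    if any(addr in net for net in NON_PUBLIC):
        raise ValueError(f"{ip} is not a public address; DNSBLs list public IPs only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def _default_resolver(name: str) -> Optional[str]:
    """Live lookup: the A record for name, or None when NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip: str, zone: str = DNSBL_ZONE,
                resolver: Callable[[str], Optional[str]] = _default_resolver) -> dict:
    """Return a small report: listed or not, and the reason code if listed."""
    name = dnsbl_query_name(ip, zone)
    answer = resolver(name)
    if answer is None:
        return {"ip": ip, "query": name, "listed": False, "code": None}
    # DNSBLs answer inside 127.0.0.0/8; the last octet encodes the listing reason.
    # Anything else usually means a wildcarding resolver, not a real listing.
    if not answer.startswith("127."):
        return {"ip": ip, "query": name, "listed": False, "code": None,
                "warning": f"unexpected answer {answer}; check your resolver"}
    return {"ip": ip, "query": name, "listed": True, "code": int(answer.split(".")[-1])}


# Constructed sample answers standing in for a live DNSBL so the example runs offline.
SAMPLE_ANSWERS = {
    "4.100.51.198.dnsbl.example.net": "127.0.0.2",   # listed, reason code 2
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for candidate in ("198.51.100.4", "203.0.113.9"):
        print(check_dnsbl(candidate, resolver=sample_resolver))
```

The reason codes differ between lists (each operator documents its own), so treat `code` as something to look up against that list's documentation rather than as a universal value.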
LVL 39

Accepted Solution

by: ChiefIT (earned 1500 total points)
ID: 22645997
Most likely these issues are not correlated. To gain front end access to a machine, they have to go through firewalls and hack Kerberos authentication and do this while not being detected by an AV program.

To do this is near impossible for a master hacker. Kerberos is a very strong authentication protocol in comparison to LMhash and NTLMhash. Capitalization matters, Kerberos can use special characters and, unlike NTLMhash and LMhash, a hacker has to hack each individual character of the password.

The only effective means to do this is to put a keylogger and trojan horse on your computer to monitor your keystrokes. With an up-to-date AV program, that's near impossible. To brute force hack out the password is a waste of time for a spammer. They have more "productive" means to hose you up.
_______________________________________________________________________________
Though I do agree you might be blacklisted, and that is why you are not getting mails in<->out as you should, I don't think your operational problems are related. Most likely this blacklist comes from a compromised open relay agent for mail (a spammer's gold mine).
_____________________________________________________________________________
A while back I deleted users in ADUC that I felt didn't exist. One of them was a built-in account for Terminal Services. The username was called TSinternetuser. This account was needed for Terminal Services. What a mistake that was. So, be careful about what you delete as far as usernames and passwords. Problems with email and operations could easily come from deleting the built-in "User" accounts for services, like Terminal Services. If you remember what user accounts you already deleted, you might want to post those here.

NOTE: (One of these below issues is where I think your problems lie)
Another issue that could cause both problems is intermittent communications on the NIC. There are things that can cause intermittent comms. One is SP1 on the machine. If you are running SP1, then you should consider upgrading to SP2. A second thing that causes intermittent comms on the server is the preferred DNS server list. Make sure you only have your "internal" DNS servers listed as your preferred DNS server. DO NOT use the gateway/router as a preferred DNS server. Gateway/routers don't hold the SRV records you need to communicate with AD.
_____________________________________________________________________________
Now, on to checking for malware and help fix your operational problems:

Well, let's start by checking for trojans and keyloggers and determine if you had a "strong" password for the mail administrator/domain admin. That will nix the possibility that you had a brute force attack on your server. To do so, I like to check for running processes in the background. There is a free executable program that is perfect for this. It is called HijackThis. This lists all processes running in the background and you can paste that on a website to see how viewers in the past have rated each process. The reason I like this program so much is because it is an executable that does not interfere with your installed AV and AS programs.

Run HijackThis and post the log on this website:
**HijackThis download site:
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
**Then, you can copy and paste your results on this page to evaluate it automatically:
http://www.hijackthis.de/index.php?langselect=english#anl

For performance:
If you are using SP1, consider updating to SP2.
Check your preferred DNS servers on the NICs. For DHCP clients, go to the DHCP snap-in and expand it until you see a folder called "Scope Options". Open that up and make sure that your Microsoft DNS servers are listed as DNS servers (NO gateways/routers or any other nodes). On the router, make sure the list of DNS servers is your DNS server. On fixed-IP NICs, go to Network Connection>>Properties>>TCP/IP>>Properties>>and remove any preferred or alternate DNS servers that are not your DNS servers.



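The accepted solution's DNS advice (only your internal DNS servers on the NICs, never the gateway/router) is easy to state and easy to get wrong across several adapters, so it is worth auditing from the text of `ipconfig /all` rather than by clicking through each NIC. The script below is an added example, not code from the thread: it parses the adapter sections of `ipconfig /all`, collects the `DNS Servers` entries including the indented continuation lines, and reports any adapter that lists a server outside the set of internal DNS servers you pass in. `SAMPLE_IPCONFIG` is a constructed output with the addresses 192.168.16.x chosen for illustration; on a real server, feed it `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout` instead.

```python
import re
from typing import Dict, Iterable, List

# "   DNS Servers . . . . . . . . . . . : 192.168.16.2" -> key "DNS Servers", value "192.168.16.2"
KEY_RE = re.compile(r"^\s+([A-Za-z][^:.]*?)[ .]*:\s*(.*)$")
# Continuation lines carry only an indented address, e.g. "                 192.168.16.1"
IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(ipconfig_text: str) -> Dict[str, List[str]]:
    """Map each adapter section of `ipconfig /all` to its list of DNS servers, in order."""
    adapters: Dict[str, List[str]] = {}
    adapter = None
    in_dns = False
    for line in ipconfig_text.splitlines():
        # Section headers start in column 0 and end with ':' ("Ethernet adapter ...:").
        if line and not line[0].isspace():
            stripped = line.rstrip()
            adapter = stripped[:-1] if stripped.endswith(":") else None
            in_dns = False
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            key, value = key_match.group(1).strip(), key_match.group(2).strip()
            in_dns = adapter is not None and key.lower() == "dns servers"
            if in_dns:
                adapters.setdefault(adapter, [])
                if value:
                    adapters[adapter].append(value)
            continue
        if in_dns:
            ip_match = IP_RE.match(line)
            if ip_match:
                adapters[adapter].append(ip_match.group(1))
            else:
                in_dns = False  # anything else ends the DNS Servers block
    return adapters


def audit_dns_servers(ipconfig_text: str, internal_dns: Iterable[str]) -> Dict[str, List[str]]:
    """Return {adapter: [servers that are NOT internal DNS servers]} for adapters that fail the check."""
    internal = set(internal_dns)
    findings: Dict[str, List[str]] = {}
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        foreign = [s for s in servers if s not in internal]
        if foreign:
            findings[adapter] = foreign
    return findings


# Constructed sample output in Windows Server 2003 `ipconfig /all` layout (not from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : sbs01
   Primary Dns Suffix  . . . . . . . : corp.example.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2
                                       192.168.16.1
   Primary WINS Server . . . . . . . : 192.168.16.2

Ethernet adapter Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.16.3
   DNS Servers . . . . . . . . . . . : 192.168.16.2
"""

if __name__ == "__main__":
    # The gateway 192.168.16.1 is listed as an alternate DNS server on the first NIC:
    # exactly the misconfiguration the accepted solution warns about.
    for adapter, bad in audit_dns_servers(SAMPLE_IPCONFIG, {"192.168.16.2"}).items():
        print(f"{adapter}: non-internal DNS servers {bad}")
```

The same parse also tells you the order of the servers, so if you want to enforce that the *preferred* (first) entry is the domain controller, check `parse_dns_servers(...)[adapter][0]` against your DC's address as a second rule.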