My Server accused of malicious activity

Hi, I just received the following email and am very concerned. My servers do not send emails of any kind and I'm afraid that I have a virus/spyware or something of the sort and do not want my account disabled. I've already run Malware Bytes and it found nothing. I'm running Windows 2003 and am a newbie to the server arena. What steps should I take?

Thanks!

My name is [...] and I work for Mandiant, a leading information security company.  Mandiant frequently investigates and responds to complex computer security incidents at Fortune 500 companies, including technology, defense, industrial, and other organizations critical to our national security.  During a recent computer investigation we determined that computer trespasser activity directed at a client was initiated from one of ServerPronto’s systems.  
 
As is common in such investigations, we are contacting you to request your assistance in helping to further investigate this incident by allowing Mandiant to lease or purchase the IP address and server associated with the trespasser activity.  The IP address of the server in question in this case is [...].  Additional information regarding the system and related trespasser activity is as follows:
Earliest Indication: November 13, 2009
Indicator: Malicious File Analysis (iexplore.exe)
 
Mandiant has gained the support and cooperation of over 100 organizations such as ServerPronto in support of complex investigations like this one.  Like their support, your assistance will not only help resolve an ongoing incident, but also help deter future attacks against other organizations.  
 
As is my experience from past investigations, I’m sure you have a number of important questions.  The attached PDF provides a brief overview of Mandiant and our people, which may serve as an introduction.  To answer more detailed questions, I’d suggest we organize a conference call.  At your convenience, could you please provide some dates/times where you would be available to speak with our team regarding this opportunity?    
 
We appreciate your assistance and look forward to hearing from you soon.
khillesAsked:

khillesAuthor Commented:
Okay, I had sent an email to the person who had contacted my server co-location company to get more details and here is the reply. This seems very strange to me as it seems like they want to use my system as some sort of tracking device. This almost seems like a scam to me...

Thank you for the reply.  One of Mandiant's services is to investigate computer network intrusions.  During a recent client engagement, we identified a malicious file used as a backdoor by the attacker to allow an attacker to remotely access the compromised system.  The backdoors attempted to connect to your system.  The attacker has used your system to conduct their network exploitation activities.  This is not a virus or Trojan on your system; rather, an attacker accesses your system via remote desktop, and each instance they connect, their tools are brought onto the system, executed to create a listener for the backdoors, and the attacker conducts their actions.  Your AV and spyware checks may find suspicious files; however, the attacker removes their tools at the end of each session.

Mandiant has been tracking these attackers for several years against multiple organizations.  The attacker's interest in your system is only as a hop point to attack their ultimate victim.  You may find indications of the attacker's activity in the security event log by reviewing illegitimate remote desktop connections.  We've identified hundreds of the attacker's malware and AV may detect only 24% of the malicious files.

We are interested in tracking the trespasser, "keep him in our sights", versus having them move on to another hop point similar to your system.  The information gained about the trespasser will help us defend against further attackers and provide other victims a notification, like a neighborhood watch.

If you find that you're able to assist by allowing us to track the trespasser's activity, we will reasonably compensate you for your assistance.

If there are any questions, please give me a call or just ask,
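The reply above suggests reviewing the security event log for illegitimate remote desktop connections. As an added example (not from the thread or from Mandiant), the script below filters a constructed, simplified export of Security-log rows for successful interactive RDP logons (event 528 with logon type 10 on Windows 2003) and flags those coming from outside an allowlisted admin network; the column layout and the addresses are assumptions for illustration, not the real Event Viewer export format.

```python
"""Review exported Security-log rows for RDP logons from unexpected sources.
Added example: the CSV layout below is a constructed simplification, not a
real Windows 2003 Event Viewer export."""
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample rows: date,time,event_id,user,logon_type,source_ip
SECURITY_EXPORT = """\
date,time,event_id,user,logon_type,source_ip
2009-11-13,02:14:07,528,Administrator,10,198.51.100.23
2009-11-13,02:14:09,540,Administrator,3,198.51.100.23
2009-11-14,09:02:11,528,Administrator,10,192.168.1.50
2009-11-15,03:41:52,528,Administrator,10,198.51.100.23
2009-11-15,03:55:10,538,Administrator,10,198.51.100.23
2009-11-16,10:17:33,528,webadmin,2,-
"""

# Networks from which administrators legitimately RDP in (constructed allowlist)
TRUSTED_SOURCES = [ip_network("192.168.1.0/24")]

RDP_LOGON_TYPE = "10"        # RemoteInteractive (Terminal Services / RDP)
SUCCESS_LOGON_EVENT = "528"  # Windows 2003 "Successful Logon"

def rdp_logons(export_text):
    """Yield rows that are successful interactive RDP logons."""
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] == SUCCESS_LOGON_EVENT and row["logon_type"] == RDP_LOGON_TYPE:
            yield row

def is_trusted(source_ip):
    """True if the source address falls inside an allowlisted admin network."""
    try:
        addr = ip_address(source_ip)
    except ValueError:       # '-' or empty: no network address was recorded
        return False
    return any(addr in net for net in TRUSTED_SOURCES)

def suspicious_rdp_logons(export_text):
    """RDP logons from outside the trusted networks, as (timestamp, user, ip)."""
    return [(f"{r['date']} {r['time']}", r["user"], r["source_ip"])
            for r in rdp_logons(export_text) if not is_trusted(r["source_ip"])]

def logons_by_source(export_text):
    """Count RDP logons per source IP; repeated hits from one outside address stand out."""
    return Counter(r["source_ip"] for r in rdp_logons(export_text))

if __name__ == "__main__":
    for entry in suspicious_rdp_logons(SECURITY_EXPORT):
        print("suspicious RDP logon:", *entry)
    print(logons_by_source(SECURITY_EXPORT))
```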
knightrdCommented:
Definitely doing some checking into this person and their organization.

From a forensics point of view, you want to capture an exact duplicate of the hard drive in order to preserve evidence. Later that image file can be accessed to piece together what happened.

Now there is also the question of how badly your system has been compromised and whether you can really trust what has happened. Often simple malware can just be removed, but there is a difference between a hack attack and malware. Presumably they have full admin control of your system, so it may come down to reloading the system. Depending on how you are set up this may be a lot of work or just a little work.

Let's assume, for now, that you don't want to start from scratch and restore the data. You need to download the Sysinternals free suite of software from:

http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Run the RootkitRevealer and allow it to scan. I would also consider looking at some of the other root kit scanners and try to find at least one other one that will work. You might look into some of the utilities listed on:

http://www.antirootkit.com/software/index.htm

Now, there's another useful utility in Sysinternals called "autoruns". Basically what it allows you to do is find anything that is loading automatically and disable it. Essentially you are looking for anything that doesn't belong. It probably would hurt if you tried it in Safe Mode because you can't really trust the server at this point. Even in Safe Mode there's a chance that very sophisticated software could load. I have recently seen this with a client of mine and it was very nasty.

If this is a valid notification and the security company is on the level with you, you MAY be fortunate. It is possible that the attacker may not be aware of certain things they could do to really make your life hell. The problem with this is that assumptions are problems in troubleshooting, much less a security situation. You really want to err on the side of caution in my opinion, at least.

Now there is also the question of how the person gained access to your system. Let's say there are some tools that you identify and remove. Maybe there is even a rootkit that you are able to remove. You need to look at what services were accessible via the firewall/router. Unless there is someone with access to the server using it for web access and local email, the source of the attack would certainly be through Exchange, IIS, DNS, SQL, or some other service that was public facing or accessible to a vendor/contractor.

Have you kept the system patched regularly? If so, it could be something new or as yet unpatched by Microsoft. Everything is suspect at this point. Passwords will need to be reset. You need to research this from multiple angles. The downside of not getting an image of the drive is that you may destroy critical evidence, but on the flip side you may not have the resources to fully handle a forensic investigation.
astralcomputingCommented:
Pay very close attention to what is going on; this looks like a spear-phishing attack: an attempt to fool you into contacting them and giving them access, where you are directly targeted.

Step ONE is to look up this company on the web (http://www.mandiant.com/), contact them through their published numbers and ask them about this incident.

Support for my suspicion is here:
1. why use the word opportunity: "At your convenience, could you please provide some dates/times where you would be available to speak with our team regarding this opportunity?"
2. This is a strongly compelling high pressure email attempting to force you to comply.
3. If on November 09 they spotted this, why did they wait so many months before contacting you?
4. Notice the verbiage, it seems strange.
5. iexplore.exe is not the tool someone would use to compromise THEIR computers.

Phishing and spear phishing are defined here: http://en.wikipedia.org/wiki/Phishing

Mandiant's published contact information is here. Contact them directly and verify this is a legitimate incident.


HEADQUARTERS: Washington, DC
675 North Washington Street
Suite 210
Alexandria, VA 22314

phone: +1.703.683.3141
toll free: 1.800.647.7020
fax: +1.703.683.2891


Post again if you confirm this is a legitimate incident. You are never required to comply with a private company's request.

If this is not a legitimate incident, contact local law enforcement and advise your staff your company may be the target of a hacker attempting to gain access to computers.

http://www.astralcomputing.net is my website, you can find some good information about IT Security high level overviews there and awareness about phishing and targeted attacks.
knightrdCommented:
Agreed. I wouldn't blindly agree either. The date just indicates the earliest date they've found evidence for. I was also suspicious about them listing iexplore.exe as a tool. That's pretty ridiculous.
ChiefITCommented:
Mandiant is a real company. In fact the Government has several contracts with them.

In your case, someone is using their name to pose as a consultant for mandiant.

You might contact the FBI, and report a suspicious phishing scam on their site.

Keep in correspondence with them and ask them to tell you what led them to the conclusion you were infected. However, DO NOT give out any personal or networking information.

Mandiant has an NIDS (Network intrusion detection system) for many government LANs/WANs. So, it is possible that you can receive legit email like this. iexplorer is a legit program. So, all signs lead to the conclusion this is a phishing scam to get you to compromise your domain or personal information.

See if others on your domain are getting this same email. If so, your address books for email have been compromised.

I would really like to know how they got your email and IP address of the server. Did you post them together on Experts Exchange?
B HCommented:
a simple MX record lookup for his domain name would give the ip address...  is there something special about your domain which would make you a special target for something this complex?

do you have government contracts or the propensity to have a wealth of personal/financial info on your servers?

no need to answer those questions here, but, if you do it would make sense to contact the fbi as ChiefIT said, and let them handle it.  you might end up helping to take down a sleeper cell or something
B HCommented:
o o o o.... did we ever look at the headers of that email and see where it came from??

if you want you could post the headers here, mask out your personal info... but what we're most concerned with is the bottom "received from" line... that tells you what server initiated the send of it.

if the bottom received-from line does in fact belong to mandiant, well, call them it might be legit.  if it belongs to nigeria, well, that's a whole different course of action
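The header check B H describes, as an added example that is not part of the thread: the script walks the Received: chain of a constructed message from the bottom (earliest hop) up and reports which relay first accepted it, so the claimed sender domain can be compared against where the mail actually entered the relay chain. The hostnames and addresses are invented for illustration; a match is supporting evidence only, since Received headers below the ones your own server added can be forged.

```python
"""Walk the Received: chain of a message bottom-up to find the originating hop.
Added example with a constructed message; hostnames and IPs are illustrative."""
import email
import re

# Constructed sample: the topmost Received was added by the recipient's own
# server, the bottommost (earliest) one shows who first handed the mail in.
RAW_MESSAGE = b"""\
Received: from mx2.example-colo.net (mx2.example-colo.net [203.0.113.9])
\tby mail.example-colo.net with ESMTP id abc123; Mon, 22 Feb 2010 09:12:01 -0500
Received: from relay.example-vendor.com (relay.example-vendor.com [198.51.100.25])
\tby mx2.example-colo.net with ESMTP; Mon, 22 Feb 2010 09:11:58 -0500
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.example-vendor.com with SMTP; Mon, 22 Feb 2010 09:11:40 -0500
From: Kevin <kevin@example-vendor.com>
To: admin@example-colo.net
Subject: Request for assistance

body
"""

# "from <claimed host> (<reverse DNS and/or [ip]>) by <relay>"
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")

def received_hops(raw):
    """Return hops oldest-first as (claimed_host, ip_or_None, accepting_relay)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom = earliest
        m = HOP_RE.search(" ".join(value.split()))       # unfold continuation lines
        if not m:
            continue
        claimed, paren, relay = m.group(1), m.group(2) or "", m.group(3)
        ip_m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", paren)
        hops.append((claimed, ip_m.group(1) if ip_m else None, relay))
    return hops

def originating_hop(raw):
    """The earliest hop: the client and the first relay that accepted the mail."""
    hops = received_hops(raw)
    return hops[0] if hops else None

def sender_domain_matches_origin(raw, domain):
    """True only if the first accepting relay is under the claimed sender domain."""
    hop = originating_hop(raw)
    if hop is None:
        return False
    relay = hop[2].lower().rstrip(".")
    return relay == domain or relay.endswith("." + domain)

if __name__ == "__main__":
    print("origin:", originating_hop(RAW_MESSAGE))
    print("matches claimed sender:", sender_domain_matches_origin(RAW_MESSAGE, "example-vendor.com"))
```

Reverse-DNS and WHOIS lookups on the originating IP are the next step and are left out here so the example runs offline.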
khillesAuthor Commented:
I can't see the headers, but he did provide a PGP Key Fingerprint key:

PGP Key Fingerprint: BF7D 7D0F A441 7E2B 8E44  9B91 6C37 CF15 9E95 58AD

Anyone have a way of verifying this? I've contacted Mandiant via email so we'll see if I get a response.

I'm always paranoid of scams but if this is a scam I have no idea what the benefit is. My server is a web server and I have no Customer information or anything that would be very valuable to anyone. Kevin has asked me to place a Network Sensor on the network so it wouldn't even be something installed on my machine: I'd understand if he emailed a link to an EXE, but would someone really go to the trouble of sending my Colo a malicious device just to take over an IP address? Given the millions of zombie computers out there with high speed internet I really couldn't see the benefit to them.

I can verify that a couple of years ago (on a previous server) I hadn't locked down my FTP and malicious software had been installed so it's likely they were able to get my Administrator password.

More thoughts prior to me giving them authorization to ship the device to get installed?

Thanks guys for your help!
B HCommented:
well if it's a device, they probably want it to sit between your network and the internet.  it would most likely be configured to scan/record every single packet that passes up or down the wire.  if it's an advanced device, it would be able to man-in-the-middle all your ssl traffic so it can decrypt that too.  with that thing on your network, i wouldn't go to any banking sites or anything else even remotely sensitive

the headers can easily be seen in outlook, for 2003 or older just open the email and click view > options, they will be there
for outlook 2007 open the email and click the little down arrow at the bottom left of the 'options' group on the ribbon bar

all the pgp fingerprint does is verify someone sent it - doesn't necessarily verify the name, company, or anything else... it just points to the public key of someone, not that they're actually using the public key to validate the email was sent from that person

most interesting case here...
B HCommented:
Also, our branch offices frequently get calls from people claiming to be from "the helpdesk"... asking about printers... and once they get the model name of the printer, they ship a case of toner or two, and bill us 10x the normal cost.

We've had that same thing happen for toilet paper, fluorescent lights, etc...

The people who call are hard to trace, random salespeople with unethical approaches.  "Well we spoke with nancy and she ordered them so, pay up"... when all nancy did was answer questions.

Wonder if you're about to "buy" this device.
astralcomputingCommented:
1. Verify the incident - You've put in for this, so we wait.
2. Try to verify the security of your network - vulnerability assessment, IDS/IPS logs, etc...

I've never heard of a company that will "reasonably compensate you" for allowing them to track a hacker. Sounds to me like they want to install a back door. I continue to think this is spear-phishing.
khillesAuthor Commented:
Guys,

Well, here it is, the official word. I contacted Mandiant support directly by email and included my email communication with Kevin and got the following response:

"I confirmed with Kevin this morning that he did in fact send you this information.

Please let us know if you need anything additional."

Wow, looks like this is legit. I'll be giving them authorization and will have them ship the units to my Colo. Looks like they might help keep an eye on unusual activity and help me tighten security.

Don't know about the compensation, they have said that they'll cover any additional costs that are charged to me so I doubt I'll be profiting on the situation, but that's fine with me.

Thank you all for your help and comments, they've been a big help!
khillesAuthor Commented:
Thanks again guys! Since this is a legitimate request and not a scam, I'll be working to tighten security and identify flaws in my setup.
B HCommented:
please post back what the result is, if you want... we're on pins and needles, so to speak
khillesAuthor Commented:
Will do. It will be interesting to see what happens.
astralcomputingCommented:
You're very welcome. Glad to see this was legit. Let us know what happens!
khillesAuthor Commented:
A quick update: Mandiant overnighted the equipment (from CA -> FL: bet that wasn't cheap) and my Colo got it installed today and Kevin verified that it was reporting. He says that he'll let me know what they find out in 3 to 4 weeks. I'll update this thread then.