Intrusion on Windows server  2003  Advanced Mass Sender

Posted on 2011-03-21
Medium Priority
Last Modified: 2012-05-11
Server 2002 R2 fully patched, running as DC
Running IIS
Firewall is opened on port 80 and 3389 (For remote Desktop).
Nod32 antivirus

Yesterday I discovered that someone from outside had access to our 2003-server controlling our AD.
1) They have created 2 new admin-users (administrador and sysadmin)
2) Changed the PW for Administrator, so I couldn't logon.
3) Installed the application "Advanced Mass Sender", like this topic:

I'm the only Person with Admin-rights to the server, and surely the only one who knows the password.

I don't know how this has happened, has anyone else same expeiences ?

I'm really afraid og the next move from the Intruders,
hope You can suggest som good steps to perform.
Question by:olefisk
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 22

Expert Comment

ID: 35180505
For port 80, do you have any website or web application?

Does it use SQL Server as a database?

Maybe they hacked via SQL injection (google it - lots of information).

Author Comment

ID: 35180708
Thanks for the prompt answer

The web-application only use static access-databases, but Sql-server is installed for Backup Exec, that's the only App using SQL.

Expert Comment

ID: 35188269
Trying to do this after the fact is tricky... SQL injection is possible - but with RDP port open to the world, a simple brute-force attack is also a possible candidate.

What do you want to do here? If you want to find out who did it, you may well be disappointed unless it was an "insider"; if you just want to prevent it happening again you will find plenty of suggestions here!

Remember that if you want to investigate, you don't want to delete or change anything on the system, for example knowing what time the rogue accounts were created gives a timeframe.

Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!


Author Comment

ID: 35188394
Hi Hapexamendios
Thanks for Your reply.
I know the Time-interval (20/3 between 00:00 and 00:16 AM. It was when the admins were created. The App was installed around 06:00AM).

I guess I miss a Link to "... suggestions here".

Thanks in Advance

Expert Comment

ID: 35189396
Ah - by "suggestions here" I mean on this site :)

I guess you want to investigate, then? I can understand that.

Before we start, be advised that it's possible you'll now realise some forms of logging required to back-track here are not enabled. If that is the case you'll need to put it down to experience, enable the needed logging - and then if it happens again you shoudl be in a better position.

First off, are there any "success" audits for logons to the server just prior to the creation of these accounts? If so, we will try to use the tool "eventcombNT.exe" (from Microsoft) to establish the source IP address that logon came from. As such, back up your Event Logs now to make sure they don't get overwritten.
(Information on where the connection originated might also appear in your firewall logs, if you can cross-reference the time - but this depends on where the illicit connection came from, and whether the connection would have passed through your firewall.)

If there are no "Success" audit logs, there can be two causes: auditing odf logon events is not enabled OR the attack involved exploiting an existing logon such as the SYSTEM account, meaning no new logon would be generated.

To check if auditing is enabled, go to Start >> Run and type "rsop.msc", then hit Enter. You'll get the Resultant Set of Policy for the computer.
Expand Computer Configuration>>Windows Settings>>Security Settings>>Local Policies>>Audit Policy
Look at what is enabled for "Audit account logon events" and "Audit logon events". If the values are not to your liking, you'll need to determine which of your domain's Group Policy Objects you would like to change this setting in. (I'd suggest the "Default Domain Controllers" policy if you have a small uncomplicated domain, but this is a decision for yourself really.)

For the purpose of what we're doing here, you would want "Success" and "Failure" both ticked, for both "...account logon" and "...logon..." events. Remember that to do this, you'll need to increase the default size of your Security Event Log. I suggest changing the size using the same Group Policy Object as for enabling auditing. Mine are set to 100 MB in some cases, because of the amount of events. This is to make sure you can actually track back for a reasonable amount of time in the event of such incidents.

There's much more, but to save overloading you with superfluous steps, could you verify whetehr you can see any events for a suspicious logon prior to rogue account creation, and let me know?


Accepted Solution

olefisk earned 0 total points
ID: 35213172
Hi Hapexamendios

Thanks for Your advices, have helped me a bit further:

Looking through the data I found the following:
1) administrator logged in from an external Address in Ghana:
2) administrator password changed
3) User administrador and sysadmin created and applied to admin-group

Have then installed Wireshark to check the network-traffic, as it seemed to be a lot going on on the network-card.
A) Lot of traffic on port 3389 from an unknown external IP-Address in Norway, but can't see any user logged in.
B) Have disabled the Remote desktop Connection
C) Traffic then OK, only internal traffic.

Hope this will give You the ability to help me further
Thanks in Advance

LVL 27

Expert Comment

ID: 36283901
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month15 days, 8 hours left to enroll

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question