Solved

Intrusion on Windows Server 2003: Advanced Mass Sender

Posted on 2011-03-21
1,078 Views
Last Modified: 2012-05-11
Server 2002 R2 fully patched, running as DC
Running IIS
Firewall is opened on port 80 and 3389 (For remote Desktop).
Nod32 antivirus

Yesterday I discovered that someone from outside had access to our 2003-server controlling our AD.
1) They have created 2 new admin-users (administrador and sysadmin)
2) Changed the PW for Administrator, so I couldn't logon.
3) Installed the application "Advanced Mass Sender", like this topic:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21805577.html?sfQueryTermInfo=1+10+30+advanc+mass+sender

I'm the only person with admin rights to the server, and surely the only one who knows the password.

I don't know how this has happened; has anyone else had the same experiences?

I'm really afraid of the next move from the intruders;
hope you can suggest some good steps to perform.
Question by:olefisk
8 Comments
 
LVL 22

Expert Comment

by:chakko
ID: 35180505
For port 80, do you have any website or web application?

Does it use SQL Server as a database?

Maybe they hacked via SQL injection (google it - lots of information).
 

Author Comment

by:olefisk
ID: 35180708
Thanks for the prompt answer

The web application only uses static Access databases, but SQL Server is installed for Backup Exec; that's the only app using SQL.
 
LVL 2

Expert Comment

by:Hapexamendios
ID: 35188269
Trying to do this after the fact is tricky... SQL injection is possible - but with RDP port open to the world, a simple brute-force attack is also a possible candidate.

What do you want to do here? If you want to find out who did it, you may well be disappointed unless it was an "insider"; if you just want to prevent it happening again you will find plenty of suggestions here!

Remember that if you want to investigate, you don't want to delete or change anything on the system, for example knowing what time the rogue accounts were created gives a timeframe.

Thanks,

Author Comment

by:olefisk
ID: 35188394
Hi Hapexamendios
Thanks for your reply.
I know the time interval (20/3 between 00:00 and 00:16 AM; it was when the admins were created. The app was installed around 06:00 AM).

I guess I miss a Link to "... suggestions here".

Thanks in advance
 
LVL 2

Expert Comment

by:Hapexamendios
ID: 35189396
Ah - by "suggestions here" I mean on this site :)

I guess you want to investigate, then? I can understand that.

Before we start, be advised that it's possible you'll now realise some forms of logging required to back-track here are not enabled. If that is the case you'll need to put it down to experience, enable the needed logging - and then if it happens again you should be in a better position.

First off, are there any "success" audits for logons to the server just prior to the creation of these accounts? If so, we will try to use the tool "eventcombNT.exe" (from Microsoft) to establish the source IP address that logon came from. As such, back up your Event Logs now to make sure they don't get overwritten.
(Information on where the connection originated might also appear in your firewall logs, if you can cross-reference the time - but this depends on where the illicit connection came from, and whether the connection would have passed through your firewall.)

If there are no "Success" audit logs, there can be two causes: auditing of logon events is not enabled OR the attack involved exploiting an existing logon such as the SYSTEM account, meaning no new logon would be generated.

To check if auditing is enabled, go to Start >> Run and type "rsop.msc", then hit Enter. You'll get the Resultant Set of Policy for the computer.
Expand Computer Configuration>>Windows Settings>>Security Settings>>Local Policies>>Audit Policy
Look at what is enabled for "Audit account logon events" and "Audit logon events". If the values are not to your liking, you'll need to determine which of your domain's Group Policy Objects you would like to change this setting in. (I'd suggest the "Default Domain Controllers" policy if you have a small uncomplicated domain, but this is a decision for yourself really.)

For the purpose of what we're doing here, you would want "Success" and "Failure" both ticked, for both "...account logon" and "...logon..." events. Remember that to do this, you'll need to increase the default size of your Security Event Log. I suggest changing the size using the same Group Policy Object as for enabling auditing. Mine are set to 100 MB in some cases, because of the amount of events. This is to make sure you can actually track back for a reasonable amount of time in the event of such incidents.

There's much more, but to save overloading you with superfluous steps, could you verify whether you can see any events for a suspicious logon prior to rogue account creation, and let me know?

Thanks
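The approach Hapexamendios describes above (find the successful logon just before the rogue accounts were created, and read its source address from the event) as an added Python example; this is not code from the thread or from eventcombNT. The tab-separated layout and the log lines are constructed for the example; the event IDs are the Windows 2000/2003 Security log IDs (528/540 successful logon, 624 account created, 628 password set, 636 local group member added), which became 4624/4720/4724/4732 on later Windows versions.

```python
# Added example: correlate Windows Server 2003 Security log events around the
# rogue account creation. Input is a constructed tab-separated export
# (time, event ID, user, details); it is an assumed format, not eventcombNT output.
from datetime import datetime, timedelta

# Pre-Vista (Windows 2000/2003) Security event IDs used below.
LOGON_SUCCESS = {528, 540}   # interactive / network logon succeeded
ACCOUNT_CREATED = 624        # 628 = password set, 632/636 = group member added

# Constructed sample; the external address is the one reported in the thread.
SAMPLE_LOG = """\
2011-03-20 00:01:32\t528\tAdministrator\tLogon Type: 10; Source Network Address: 41.202.18.136
2011-03-20 00:05:11\t628\tAdministrator\tTarget Account Name: Administrator
2011-03-20 00:09:47\t624\tAdministrator\tNew Account Name: administrador
2011-03-20 00:10:02\t636\tAdministrator\tTarget Account Name: Administrators; Member Name: administrador
2011-03-20 00:15:30\t624\tAdministrator\tNew Account Name: sysadmin
2011-03-20 08:00:00\t528\tolefisk\tLogon Type: 2; Source Network Address: 127.0.0.1
"""

def parse_log(text):
    """Parse one event per line into a dict; 'Key: value' pairs in the details become keys."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, eid, user, details = line.split("\t", 3)
        ev = {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": int(eid), "user": user}
        for part in details.split(";"):
            key, _, val = part.partition(":")
            ev[key.strip()] = val.strip()
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])

def logon_sources_before_creation(events, window=timedelta(minutes=30)):
    """For each account-creation event (624), list successful logons (528/540) in the
    preceding window: the account, the logon user, logon type (10 = RDP) and source IP."""
    hits = []
    for ev in events:
        if ev["id"] != ACCOUNT_CREATED:
            continue
        for prior in events:
            if prior["id"] in LOGON_SUCCESS and ev["time"] - window <= prior["time"] <= ev["time"]:
                hits.append((ev["New Account Name"], prior["user"],
                             prior.get("Logon Type"), prior.get("Source Network Address")))
    return hits
```

Run against a real export, the same logic also shows whether the creating session was a local or network logon, which separates a stolen or guessed password from misuse of an existing SYSTEM session.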
 

Accepted Solution

by:
olefisk earned 0 total points
ID: 35213172
Hi Hapexamendios

Thanks for your advice, it has helped me a bit further:

Looking through the data I found the following:
1) administrator logged in from an external Address in Ghana: 41.202.18.136
2) administrator password changed
3) User administrador and sysadmin created and applied to admin-group

Have then installed Wireshark to check the network-traffic, as it seemed to be a lot going on on the network-card.
A) Lot of traffic on port 3389 from an unknown external IP-Address in Norway, but can't see any user logged in.
B) Have disabled the Remote desktop Connection
C) Traffic then OK, only internal traffic.

Hope this will give you the ability to help me further
Thanks in advance
 
LVL 27

Expert Comment

by:Tolomir
ID: 36283901
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.