Intrusion on Windows Server 2003 - Advanced Mass Sender

Posted on 2011-03-21
Medium Priority
Last Modified: 2012-05-11
Server 2002 R2 fully patched, running as DC
Running IIS
Firewall is opened on port 80 and 3389 (For remote Desktop).
Nod32 antivirus

Yesterday I discovered that someone from outside had access to our 2003-server controlling our AD.
1) They have created 2 new admin-users (administrador and sysadmin)
2) Changed the PW for Administrator, so I couldn't logon.
3) Installed the application "Advanced Mass Sender", like this topic:

I'm the only Person with Admin-rights to the server, and surely the only one who knows the password.

I don't know how this has happened; has anyone else had the same experience?

I'm really afraid of the next move from the intruders;
hope you can suggest some good steps to perform.
Question by:olefisk
LVL 22

Expert Comment

ID: 35180505
For port 80, do you have any website or web application?

Does it use SQL Server as a database?

Maybe they hacked via SQL injection (google it - lots of information).

Author Comment

ID: 35180708
Thanks for the prompt answer

The web application only uses static Access databases, but SQL Server is installed for Backup Exec; that's the only app using SQL.

Expert Comment

ID: 35188269
Trying to do this after the fact is tricky... SQL injection is possible - but with RDP port open to the world, a simple brute-force attack is also a possible candidate.

What do you want to do here? If you want to find out who did it, you may well be disappointed unless it was an "insider"; if you just want to prevent it happening again you will find plenty of suggestions here!

Remember that if you want to investigate, you don't want to delete or change anything on the system, for example knowing what time the rogue accounts were created gives a timeframe.


Author Comment

ID: 35188394
Hi Hapexamendios
Thanks for your reply.
I know the time interval (20/3 between 00:00 and 00:16 AM; that was when the admins were created. The app was installed around 06:00 AM).

I guess I miss a Link to "... suggestions here".

Thanks in Advance

Expert Comment

ID: 35189396
Ah - by "suggestions here" I mean on this site :)

I guess you want to investigate, then? I can understand that.

Before we start, be advised that it's possible you'll now realise some forms of logging required to back-track here are not enabled. If that is the case you'll need to put it down to experience, enable the needed logging - and then if it happens again you should be in a better position.

First off, are there any "success" audits for logons to the server just prior to the creation of these accounts? If so, we will try to use the tool "eventcombNT.exe" (from Microsoft) to establish the source IP address that logon came from. As such, back up your Event Logs now to make sure they don't get overwritten.
(Information on where the connection originated might also appear in your firewall logs, if you can cross-reference the time - but this depends on where the illicit connection came from, and whether the connection would have passed through your firewall.)

If there are no "Success" audit logs, there can be two causes: auditing of logon events is not enabled OR the attack involved exploiting an existing logon such as the SYSTEM account, meaning no new logon would be generated.

To check if auditing is enabled, go to Start >> Run and type "rsop.msc", then hit Enter. You'll get the Resultant Set of Policy for the computer.
Expand Computer Configuration>>Windows Settings>>Security Settings>>Local Policies>>Audit Policy
Look at what is enabled for "Audit account logon events" and "Audit logon events". If the values are not to your liking, you'll need to determine which of your domain's Group Policy Objects you would like to change this setting in. (I'd suggest the "Default Domain Controllers" policy if you have a small uncomplicated domain, but this is a decision for yourself really.)

For the purpose of what we're doing here, you would want "Success" and "Failure" both ticked, for both "...account logon" and "...logon..." events. Remember that to do this, you'll need to increase the default size of your Security Event Log. I suggest changing the size using the same Group Policy Object as for enabling auditing. Mine are set to 100 MB in some cases, because of the amount of events. This is to make sure you can actually track back for a reasonable amount of time in the event of such incidents.

There's much more, but to save overloading you with superfluous steps, could you verify whether you can see any events for a suspicious logon prior to rogue account creation, and let me know?
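The triage described in this answer (preserve the Security log, then look for logon successes, account creations, password changes and group additions just before the rogue accounts appeared, with their source addresses) as an added PowerShell example; this is not code from the thread or from eventcombNT. It assumes PowerShell 2.0 is installed on the DC, the time window the author gave (20 March 2011, 00:00-00:16), and a placeholder evidence path; the event IDs are the documented Windows 2003 ones with their post-Vista equivalents.

```powershell
# Added example, not code from the thread. Triage the Security log on a
# Windows DC for the window the author gave (20 March 2011, 00:00-00:16).
# Assumes PowerShell 2.0 on the server and the classic Security log; the
# event IDs are the documented Windows 2003 ones with their post-Vista
# equivalents so the same script works on newer DCs.
$start = Get-Date '2011-03-20 00:00:00'
$end   = Get-Date '2011-03-20 00:16:00'
$evidenceDir = 'C:\evidence'   # placeholder path; prefer write-once media

$ids = @{
  528 = 'Logon success';          4624 = 'Logon success'
  540 = 'Network logon success'
  529 = 'Logon failure';          4625 = 'Logon failure'
  624 = 'User account created';   4720 = 'User account created'
  627 = 'Password change';        4723 = 'Password change'
  628 = 'Password reset';         4724 = 'Password reset'
  632 = 'Added to global group';  4728 = 'Added to global group'
  636 = 'Added to local group';   4732 = 'Added to local group'
}

# Evidence first: copy the log out before it rolls over (also save the
# native .evt from Event Viewer; the CSV is for analysis, not the original).
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
Get-EventLog -LogName Security |
  Export-Csv -Path (Join-Path $evidenceDir 'security-log.csv') -NoTypeInformation

# Field labels differ between 2003 and later logs, so try each label in turn.
# Caveat: on post-Vista logs the first "Account Name" is the subject, not the
# target; read the full message body for those events.
function Get-Field([string]$msg, [string[]]$labels) {
  foreach ($l in $labels) { if ($msg -match "$l\s*:\s*(\S+)") { return $Matches[1] } }
  return ''
}
$events = Get-EventLog -LogName Security -After $start -Before $end |
  Where-Object { $ids.ContainsKey([int]$_.EventID) } |
  ForEach-Object {
    New-Object PSObject -Property @{
      Time    = $_.TimeGenerated
      EventId = [int]$_.EventID
      What    = $ids[[int]$_.EventID]
      Account = Get-Field $_.Message @('New Account Name', 'User Name', 'Account Name')
      Source  = Get-Field $_.Message @('Source Network Address', 'Workstation Name')
    }
  } | Sort-Object Time

$events | Format-Table Time, EventId, What, Account, Source -AutoSize

# An RDP brute force shows as many failures from one address before a success.
$events | Where-Object { $_.What -eq 'Logon failure' } |
  Group-Object Source | Sort-Object Count -Descending |
  Format-Table Count, Name -AutoSize
```

Cross-reference the Source column against the firewall logs for the same minutes, as the answer suggests, since a Workstation Name alone may be spoofed or blank for some logon types.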


Accepted Solution

olefisk earned 0 total points
ID: 35213172
Hi Hapexamendios

Thanks for your advice; it has helped me a bit further:

Looking through the data I found the following:
1) administrator logged in from an external address in Ghana:
2) administrator password changed
3) User administrador and sysadmin created and applied to admin-group

Have then installed Wireshark to check the network traffic, as there seemed to be a lot going on on the network card.
A) Lots of traffic on port 3389 from an unknown external IP address in Norway, but I can't see any user logged in.
B) Have disabled the Remote desktop Connection
C) Traffic then OK, only internal traffic.

Hope this will give you the ability to help me further.
Thanks in advance

LVL 27

Expert Comment

ID: 36283901
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
