Solved

Have I been hacked?

Posted on 2013-11-04
Last Modified: 2013-11-22
I'm not sure what's going on here - the client called this morning to say everything was down. I tried to connect to the iLO card on the HP ML350 server - it timed out several times and it finally came back in CHINESE!
Chinese?
The server was pegged with LSASS at 100% NETWORK utilization - and the network switches were completely flooded with traffic.

Server reboot has brought things moderately back to normal, but the iLO is still in Chinese.

Hitman Pro scans aren't finding anything - I'm baffled - but the iLO was definitely not in Chinese before.

More specs - ML350 SBS 2011 - 4 core Xeon 16 GB RAM
HP ProCurve (3Com Baseline 2928-POE) - VoIP phones
HP ProCurve 2510 G - Data switch
Sonicwall TZ210 Firewall / Gateway

Everything was current patch and firmware as of last monthly maintenance 2 weeks ago.
Question by: DigiSec
17 Comments
 
LVL 24

Expert Comment

by:diverseit
ID: 39622158
Hi DigiSec,

It sounds like it...but let's see.

1. Restore

See if you can restore from previous good instance (before the "attack").

2. Firewall

ACCESS RULES:
What do your Access Rules look like...anything open inbound? (screenshot of Access Rules would be nice WAN> {other firewalled zones}). Are you running any VNC services or the like (remote services)?

LOGS:
Do not reboot the firewall unless you are using syslog, ViewPoint, Analyzer or an external exporter/parser! Make sure logs are setup properly, go to Logs > Categories, Logging Level should be Debug and select ALL categories under the Log column. Then check/filter the logs for unusual activity.

3. Scans

Even if you can restore successfully we still need to sanitize the infections - so run scans even if you can restore. For all scans below: Do not scan in Safe Mode.
MBAM
Download the latest copy of Malwarebytes (http://www.malwarebytes.org/mwb-download/).
IMPORTANT: Modify the file name when saving the file so that you replace the file name and file type, e.g. oiuer.txt rather than mbam-setup....exe.

GMER
Download the latest copy of GMER (http://www2.gmer.net/gmer.zip) to run for Rootkit detection/remediation as well. Modify this when downloading as set forth above.

ESET
Run ESET online scanner: http://www.eset.com/us/online-scanner/
NOTE: If you have been exploited through open ports or remote access exploits you may not find infections initially.

Please post applicable results.
0
 

Author Comment

by:DigiSec
ID: 39622193
We have 80 and 443 inbound open for the RWW of SBS (RDP Gateway), as well as SMTP from Dyn for email scrubbing inbound. (I don't like port 80 , but it is the MS requirement for remote web workplace)

There are a ton of firewall logs for IPv6 unhandled traffic (we only use IPv4 here)...

I have MBAM scans running on a couple of computers now - will start one on the server as well.

Taking GMER around on a flashdrive now.
0
 

Author Comment

by:DigiSec
ID: 39622206
Also - sniffing the network, I see a lot of iterating ports and iterating IP connections to google, amazon and Microsoft addresses...
0
 
LVL 24

Accepted Solution

by:
diverseit earned 500 total points
ID: 39622294
Is your SBS box in the DMZ? (if not it should be.)

RE: PORTS
Disable then delete Access Rule allowing access for TCP 80. Make sure the destination is set so the rule for 443 is explicitly to the SBS box only.

Port 80 – does NOT need to be open at all in reality.  It's there to provide an easy redirect for your users when they go to access the Remote Web Access feature of SBS 2011 Essentials. Having this port open allows the user to type in remote.mycompany.com into a web browser which will then go direct to your server. The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted. You can safely close this port to reduce your attack profile but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote. My advice is to train your users – put this URL on the back of a business card for them to make it easy to handle.

You only need to forward ports 4125 and 443 for RWW.

RE: SCANS
Make sure you download the newest versions of both & modify file name & type. See instructions set forth here: http:#a39622158

How many current connections are running (Active Connections Monitor)?
0
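As an added example (not from the thread, and not a SonicWall export), here is the audit that the advice above boils down to, run against a simplified rule table: an inbound allow for TCP 80 is flagged as unnecessary, an inbound allow whose destination is wider than the SBS host is flagged, and, since the poster said inbound SMTP arrives via a scrubbing service, a TCP 25 rule that accepts from any source is flagged too. The rule fields, the SBS address 192.168.1.10 and the "Dyn-scrubbing" address object are assumptions for the illustration; on a real TZ 210 the rules would be read off the Access Rules page.

```python
"""Added example: audit inbound WAN access rules for the problems called out in the thread."""

# Constructed rule tables in a simplified form; not exported from the poster's TZ 210.
# The SBS address and the "Dyn-scrubbing" address object are assumed names for the illustration.
SBS_HOST = "192.168.1.10"
SCRUBBER = "Dyn-scrubbing"   # named address object holding the mail scrubber's source ranges

WEAK_RULES = [
    {"from": "WAN", "src": "Any", "proto": "TCP", "port": 80,  "dst": "Any",    "action": "Allow"},
    {"from": "WAN", "src": "Any", "proto": "TCP", "port": 443, "dst": "Any",    "action": "Allow"},
    {"from": "WAN", "src": "Any", "proto": "TCP", "port": 25,  "dst": SBS_HOST, "action": "Allow"},
]

HARDENED_RULES = [
    {"from": "WAN", "src": "Any",    "proto": "TCP", "port": 443, "dst": SBS_HOST, "action": "Allow"},
    {"from": "WAN", "src": SCRUBBER, "proto": "TCP", "port": 25,  "dst": SBS_HOST, "action": "Allow"},
]

# Inbound services the thread agrees are not needed at all (HTTP is only a convenience redirect).
UNNEEDED_INBOUND = {("TCP", 80)}
# Inbound services that should only ever arrive from a known upstream (mail via the scrubber).
RESTRICTED_SOURCE = {("TCP", 25): SCRUBBER}


def audit_inbound(rules, allowed_hosts):
    """Return (rule index, reason) pairs for every inbound WAN allow that fails a check."""
    findings = []
    for i, r in enumerate(rules):
        if r["from"] != "WAN" or r["action"] != "Allow":
            continue
        svc = (r["proto"], r["port"])
        if svc in UNNEEDED_INBOUND:
            findings.append((i, f"{r['proto']}/{r['port']} is open inbound but not needed"))
        if r["dst"] not in allowed_hosts:
            findings.append((i, f"{r['proto']}/{r['port']} destination is '{r['dst']}', not a single host"))
        want_src = RESTRICTED_SOURCE.get(svc)
        if want_src and r["src"] != want_src:
            findings.append((i, f"{r['proto']}/{r['port']} accepts from '{r['src']}', expected {want_src}"))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {audit_inbound(rules, {SBS_HOST}) or 'no findings'}")
```

The weak table produces four findings (two on the port 80 rule, one on the 443 destination, one on the SMTP source); the hardened table produces none.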
 

Author Comment

by:DigiSec
ID: 39622439
@DiverseIT - Thanks for your help as well..

RE:Ports

I have locked down port 80 so the only open port for RWW now is 443

RE: Scans

Running MBAM on the server now
GMER is APPCRASH on the server (even after rename and running as admin)

Sysinternals "RootkitRevealer" is also crashing "APPCRASH"

RE: Connections

The main server is showing over 5000 connections from "DNS.EXE" which is almost certainly the Trojan.  I'm shutting that down.
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39622468
Yes, DNS.exe can be a threat. It depends on which computer it is running, what type of connections it's tied to & what results show for the scans. The file "dns.exe" is known to be created under the following filenames:
%AllUsersProfile%\desktop.exe
%AllUsersProfile%\documentsread1st.exe
%AllUsersProfile%\favorites.exe
%CommonAppData%\brainsys\dirlock.exe
%CommonAppData%\lambda\dirlock.exe
%CommonAppData%\microsoft\kbdriver\classified.exe
%CommonAppData%\microsoft\kbdriver\kbdsys.exe
%CommonAppData%\microsoft\kbdriver\kbsys.exe
%CommonAppData%\microsoft\keyboard\kbdsys.exe
%CommonAppData%\polarisys\dirlock.exe
%CommonAppData%\zilch.infinisoft\dirlock.exe
%CommonDesktopDir%\classified.exe
%CommonDesktopDir%\classified\classified.exe
%CommonDesktopDir%\desktop.exe
%CommonDocuments%\classified.exe
%CommonDocuments%\classified\classified.exe
%CommonDocuments%\my music\classified.exe
%CommonDocuments%\read1st.exe
%CommonFavorites%\favorites.exe
%CommonPrograms%\startup\classified.exe
%DesktopDir%\desktop.exe
%MyDocuments%\classified.exe
%MyDocuments%\x-files.exe
%Profiles%\localservice.exe
%Profiles%\networkservice.exe
%ProgramFiles%\adobe.exe
%ProgramFiles%\classified.exe
%ProgramFiles%\common files\adobe.exe
%ProgramFiles%\common files\classified.exe
%ProgramFiles%\common files\designer.exe
%ProgramFiles%\common files\mssoap.exe
%ProgramFiles%\common files\odbc.exe
%ProgramFiles%\common files\services.exe
%ProgramFiles%\common files\speechengines.exe
%ProgramFiles%\common files\system.exe
%ProgramFiles%\common files\system\dns.exe
%ProgramFiles%\internet explorer\mui.exe
%ProgramFiles%\internet explorer\mui\0409.exe
%ProgramFiles%\internet explorer\mui\0409\0409.exe
%ProgramFiles%\internet explorer\mui\mui.exe
%ProgramFiles%\messenger.exe
%ProgramFiles%\messenger\messenger.exe
%ProgramFiles%\msn.exe
%ProgramFiles%\netmeeting.exe
%ProgramFiles%\netmeeting\netmeeting.exe
%ProgramFiles%\vmware.exe
%ProgramFiles%\web publish\logfiles.exe
%ProgramFiles%\windows media player\skins.exe
%ProgramFiles%\windows media player\skins\skins.exe
%ProgramFiles%\windowsupdate.exe
%ProgramFiles%\winpcap.exe
%ProgramFiles%\winpcap\winpcap.exe
%ProgramFiles%\xerox.exe
%Programs%\startup\domain.exe
%System%\1025.exe
%System%\1028.exe
%System%\1031.exe
%System%\1033.exe
%System%\1037.exe
%System%\1041.exe
%System%\1042.exe
%System%\1054.exe
%System%\2052.exe
%System%\3076.exe
%System%\3com_dmi.exe
%System%\catroot.exe
%System%\catroot2.exe
%System%\classified.exe
%System%\com.exe
%System%\config.exe
%System%\dhcp.exe
%System%\directx.exe
%System%\dns.exe
%System%\domain.exe
%System%\drivers.exe
%System%\export.exe
%System%\hlpsvc1.exe
%System%\hlpsvc2.exe
%System%\ias.exe
%System%\icsxml.exe
%System%\ime.exe
%System%\inetsrv.exe
%System%\macromed.exe
%System%\msdtc.exe
%System%\mui.exe
%System%\npp.exe
%System%\nthlpsvc1.exe
%System%\nthlpsvc2.exe
%System%\ntmsdata.exe
%System%\win32\csrss.exe
%Temp%\075cbm-0351fm-wpxowq-jopal3-3c9vmj\2.exe
%Temp%\2540nn-214orn-xowc8s-lmoyx4-4a8izl\2.exe
%Temp%\4lyz97-4hyod7-z4qbub-n2ixjo-6q2ik4\1.exe
%Temp%\4lyz97-4hyod7-z4qbub-n2ixjo-6q2ik4\2.exe
%Temp%\61k5mi-6yluqj-2kdh7n-pi53wz-96pnyg\2.exe
%Temp%\69coia-65cdna-2r414e-pqwmsr-8eg7u7\1.exe
%Temp%\71kbpj-7xk0tj-2jcnan-qi59z0-96ot1h\2.exe
%Temp%\8cdp4g-88de8g-3v52pl-rtxnex-ahh8ge\2.exe
%Temp%\8ifs21-8ffh61-3175n6-rz0qci-anjbdz\1.exe
%Temp%\8nlkxs-8jl92s-36dxjx-r45i79-asp39q\1.exe
Also here is a list of Threat Alias:
W32.Daprosy [Symantec]
W32/Autorun.worm.h [McAfee]
Worm:Win32/Autorun.UD [Microsoft]
Malware.Daprosy [PC Tools]
W32/Autorun-AMS [Sophos]
Worm.Win32.AutoRun [Ikarus]
Worm.Win32.VB.arz [Kaspersky Lab]
W32/YahLover.worm.gen [McAfee]
Win-Trojan/Xema.variant [AhnLab]
Mal/Generic-A [Sophos]
Backdoor.Trojan [Symantec]
Mal/Airworm-A [Sophos]
Mal/Sohana-A [Sophos]
New Win32 [McAfee]
W32.SillyFDC [Symantec]
Win32/Autorun.worm.318797 [AhnLab]
Worm.Win32.AutoRun.ausp [Kaspersky Lab]
Backdoor.Win32.Poison.cpb [Kaspersky Lab]
Backdoor:Win32/Poisonivy.E [Microsoft]
BackDoor-DKI.gen.a [McAfee]
Downloader [Symantec]
New Malware.ix [McAfee]
PE_SALITY.BI [Trend Micro]
Troj/Keylog-JV [Sophos]
Trojan.Buzus.iij [Ikarus]
Trojan.DL.CKSPost.Gen [PC Tools]
Virus.Win32.Sality [Ikarus]
Virus.Win32.Sality.aa [Kaspersky Lab]
Virus:Win32/Sality.AM [Microsoft]
W32.Sality.AE [Symantec]
W32/Autorun.worm.i.gen [McAfee]
W32/AutoRun-AMW [Sophos]
W32/Autorun-APL [Sophos]
W32/Sality.gen [McAfee]
W32/Sality-AM [Sophos]
W32/Scribble-B [Sophos]
Win32/Kashu.B [AhnLab]
Win32/Virut.F [AhnLab]
Win32/Xema.worm.94208.AM [AhnLab]
Win-Trojan/Downloader.82154 [AhnLab]
Worm.Win32.Agent.uw [Kaspersky Lab]
Worm.Win32.AutoIt.nv [Kaspersky Lab]
Worm.Win32.AutoRun.atgw [Kaspersky Lab]
Worm.Win32.AutoRun.auoz [Kaspersky Lab]
Worm.Win32.AutoRun.ezj [Kaspersky Lab]
Worm.Win32.AutoRun.gjt [Kaspersky Lab]
Worm.Win32.VB.arq [Kaspersky Lab]
Worm:Win32/Autorun [Microsoft]
REF: http://www.threatexpert.com/files/dns.exe.html
0
 

Author Comment

by:DigiSec
ID: 39622499
This SBS Server though IS running DNS and DHCP services.  Stopping DNS.exe also shutdown my internal DNS server (so was it NOT the threat?)

MBAM has not yet detected anything on this server (nor has Symantec). Is there a more specific way to identify as a threat (i.e. version - filesize - date - md5)?
0
 

Author Comment

by:DigiSec
ID: 39622679
MBAM scan found NOTHING, ESET Online scan found NOTHING.

Zero Day?
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39622681
Well, that is a browser page.  A lot depends on how the page and the browser are interacting.  I've had to help folks who had switched their browser language accidentally and it wasn't easy to figure out how to fix it.  Could this have happened?
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39622689
That is why I said "can be"...we need to rule it out. Having a dns.exe that's not the dns server process on a server could be a threat, e.g. if you found dns.exe on a workstation or you could have dns.exe running right along side a valid dns.exe server process.

The scans should bring something up if there is an infection. I'd forget about Symantec - they won't find anything. You need to get an anti-rootkit scan going though.

GMER is to be run on your workstations - sorry I didn't specify that before.
Windows Sysinternals RootkitRevealer Server only supports Windows Server 2003 (32-bit).
Here is a Rootkit buster to run on your server: http://esupport.trendmicro.com/solution/en-us/1034393.aspx

Are you running 64-bit?

Regarding connections...you should see them going out to unknown IPs, typically in the main geographic hacking regions (Iran, Russia, China), but not necessarily - the point is, if you see a ton of traffic going to legitimate sites it's typically legitimate. But on a TZ210 you should have Geo-IP Filtering. Do you have it enabled & configured?
0
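The question raised over the last few posts, whether the "dns.exe" holding thousands of connections is the Windows DNS Server service or something named after it, comes down to two checks: which PID owns the connections, and whether the image behind that PID runs from the path the real service uses. As an added example that is not part of the thread, the script below joins a `netstat -ano` listing with a process table of the shape `wmic process get ProcessId,Name,ExecutablePath` returns, counts connections per PID, and flags any image whose name matches a Windows service binary but whose path is not the expected one. Both inputs are constructed for the illustration (PID 3316 is a hypothetical impostor), and the expected paths assume a default install with %SystemRoot% at C:\Windows.

```python
"""Added example: cross-check a connection-heavy "dns.exe" against the real DNS Server binary."""
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (not captured from the poster's server).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:53        192.168.1.25:51234     ESTABLISHED     1480
  TCP    192.168.1.10:49200     74.125.24.100:80       SYN_SENT        3316
  TCP    192.168.1.10:49201     74.125.24.101:80       SYN_SENT        3316
  TCP    192.168.1.10:49202     74.125.24.102:80       SYN_SENT        3316
  TCP    192.168.1.10:49203     74.125.24.103:80       SYN_SENT        3316
  TCP    192.168.1.10:443       203.0.113.7:55120      ESTABLISHED     4
  UDP    0.0.0.0:53             *:*                                    1480
"""

# Constructed process table in the shape `wmic process get ProcessId,Name,ExecutablePath`
# returns.  PID 3316 is a hypothetical impostor added for the illustration.
PROCESS_SAMPLE = [
    (1480, "dns.exe", r"C:\Windows\System32\dns.exe"),
    (3316, "dns.exe", r"C:\Windows\System32\drivers\dns.exe"),
    (4, "System", ""),
]

# Where a default install keeps these binaries (assumes %SystemRoot% is C:\Windows).
EXPECTED_PATHS = {
    "dns.exe": r"c:\windows\system32\dns.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
}

# proto, local, foreign, optional state (absent for UDP rows), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn `netstat -ano` text into dicts; the banner, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def connections_per_pid(rows):
    return Counter(r["pid"] for r in rows)


def duplicate_names(processes):
    """Image names that appear more than once, e.g. a second dns.exe beside the real service."""
    names = Counter(name.lower() for _, name, _ in processes)
    return sorted(n for n, c in names.items() if c > 1)


def audit_processes(rows, processes, threshold=1000):
    """Per PID: connection count, path check against EXPECTED_PATHS, and the reasons it is suspicious."""
    counts = connections_per_pid(rows)
    report = {}
    for pid, name, path in processes:
        expected = EXPECTED_PATHS.get(name.lower())
        reasons = []
        if expected and path.lower() != expected:
            reasons.append(f"{name} runs from {path or '<unknown>'} instead of {expected}")
        if counts[pid] >= threshold:
            reasons.append(f"{counts[pid]} connections (threshold {threshold})")
        report[pid] = {"name": name, "path": path, "connections": counts[pid],
                       "reasons": reasons, "suspicious": bool(reasons)}
    return report


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("duplicate image names:", duplicate_names(PROCESS_SAMPLE))
    for pid, info in audit_processes(rows, PROCESS_SAMPLE, threshold=3).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"PID {pid:>5} {info['name']:<10} {info['connections']:>4} conns  {flag}")
        for reason in info["reasons"]:
            print("      -", reason)
```

With the sample data the service at PID 1480 passes (right path, two sockets on port 53) while PID 3316 is reported both for its path and for its connection count; the real test on a box like the poster's is the path and signature of the image, not the name, since stopping the genuine dns.exe simply takes down internal name resolution, as happened above.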
 
LVL 24

Expert Comment

by:diverseit
ID: 39623210
How's it going now...where does it stand?
0
 

Author Comment

by:DigiSec
ID: 39623237
I've enabled the trial licenses for advanced features of the TZ210 - it's a little underpowered and bottlenecks throughput with all of the DPI turned on.  I've pretty much blocked everything and tested GEO-IP blocks, Content Blocks etc.

I'm running a rootkit scanner tool from Sophos now - will try the trend micro one if this bombs (and probably if it doesn't)

The outbound connections were in the 10's of thousands, but spot checking IPs they were mostly pointing at Google, Microsoft and Amazon - in an iterative manner (meaning 10 connections on port XXXXX, then 10 connections on port XXXXX1, XXXXX2, etc)  Also the destination IPs were iterative.  My *guess* is a botnet/ DDoS slave attempt?  

Right now the connections are down - my iLO is still in Chinese despite resetting the iLO firmware to defaults and flashing it - so I have unplugged the iLO for now
0
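The "iterative" pattern described above (ten connections on one destination port, then the next port, with the destination addresses also stepping up) can be measured rather than eyeballed. As an added example that is not part of the thread, the script below takes (PID, foreign address, foreign port) tuples such as a parsed `netstat -ano` listing would give and scores each process by the longest run of consecutive destination ports and consecutive destination addresses; a process whose run reaches the threshold is marked as iterating, which is the scan-like or flood-like signature the poster suspected. The sample connections are constructed to mimic the description, not captured from the poster's network, and the threshold of eight and the 74.125.24.0 address range are assumptions for the illustration.

```python
"""Added example: measure "iterating" destination ports and addresses per process."""
import ipaddress
from collections import defaultdict


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in values (duplicates ignored)."""
    s = sorted(set(values))
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def profile_connections(conns, min_run=8):
    """conns: iterable of (pid, foreign_ip, foreign_port), e.g. parsed from `netstat -ano`.

    Returns per-PID counts plus the longest consecutive port and address runs; a process
    whose run reaches min_run (an assumed threshold) is marked as iterating.
    """
    by_pid = defaultdict(list)
    for pid, ip, port in conns:
        by_pid[pid].append((int(ipaddress.ip_address(ip)), int(port)))
    profiles = {}
    for pid, pairs in by_pid.items():
        ips = [a for a, _ in pairs]
        ports = [p for _, p in pairs]
        port_run = longest_consecutive_run(ports)
        ip_run = longest_consecutive_run(ips)
        profiles[pid] = {
            "connections": len(pairs),
            "distinct_ips": len(set(ips)),
            "distinct_ports": len(set(ports)),
            "longest_port_run": port_run,
            "longest_ip_run": ip_run,
            "iterating": port_run >= min_run or ip_run >= min_run,
        }
    return profiles


def sample_connections():
    """Constructed data, not captured traffic: PID 3316 opens ten connections to each of
    twenty consecutive ports on twenty consecutive addresses; PID 1480 looks like a DNS
    server talking to a few LAN clients on random ephemeral ports."""
    conns = []
    base = ipaddress.ip_address("74.125.24.100")   # arbitrary public range for the illustration
    for i in range(20):
        conns += [(3316, str(base + i), 40000 + i)] * 10
    conns += [(1480, "192.168.1.25", 51234),
              (1480, "192.168.1.40", 60211),
              (1480, "192.168.1.25", 51300)]
    return conns


if __name__ == "__main__":
    for pid, p in sorted(profile_connections(sample_connections()).items()):
        print(pid, "ITERATING" if p["iterating"] else "normal", p)
```

Legitimate bulk traffic to Google, Microsoft or Amazon (updates, mail, CDN fetches) reuses a handful of well-known destination ports, so a long consecutive run of destination ports or addresses from one PID is what separates the pattern described above from ordinary load.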
 

Author Comment

by:DigiSec
ID: 39623238
And yes, this is SBS2011, so Server 2008 R2 (x64) with Exchange 2010, SharePoint etc...
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39623312
When you say,
I've enabled the trial licenses for advanced features of the TZ210...
What are you talking about here...CGSS?

When you say,
...it's a little underpowered and bottlenecks throughput with all of the DPI turned on.
How fast is your WAN connection? A TZ 210 should be getting 200 Mbps of Firewall Throughput. Are you maxing out the processor?
Go to Security Services > Summary, under Security Services Setting: and select Performance Optimized. This will greatly enhance throughput & performance while still utilizing DPI it just skips low threat level traffic.

What size is your network (how many users)?

Is this normal for your environment (10's of thousands of connections)?

If you like I can provide you a Hardening setup to aid in blocking new threats. Also you can filter outbound traffic in order to block slaves and infections from transmitting outbound once they have infected the target.

Let me know how I can help.
0
 

Author Comment

by:DigiSec
ID: 39623443
Correct - the TZ210 was not licensed by the client for any CGSS (Content Filter, Gateway AV, IPS, Geo-IP Etc) because of price </shrug>.  So I've activated the 30 day trial of those features.

The client WAN is 20 mbps down, 10 mbps up over fiber (not hfc).  After initially setting it up the TZ was pegging the CPU to 100% and choking at 4 mbps down,  ~0.5 mbps up.  That seems to have stabilized though to a much better 17mbps down and 8 mbps up (at around 40% cpu)

This is an older TZ210

The network is very small, 12 users.  No, 10s of thousands of connections is not a typical traffic load - especially not outbound from the SBS server to google / amazon / Microsoft...

No rootkits are found - the Trend tool did hit on silsvc.sys as a locked hidden service.  That has checked out though here

I think I'm going to call this one closed - and watch the connections monitor.  There is a recent HP bulletin for an iLO vulnerability using cipher_zero attack - and it is possible that is what has happened here.  I've unplugged that for now, and will engage HP customer care to reset the iLO (since it is still in Chinese after reinstalling the latest firmware)
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39623484
Ok sounds good. I'm glad I could help and thanks for the points!
0
