• Status: Solved

Have I been hacked?

I'm not sure what's going on here - client called this morning that everything was down.  I tried to connect to the iLO card on the HP ML350 server - it timed out several times and it finally came back in CHINESE!
The server was pegged with LSASS at 100% NETWORK utilization - and the network switches were completely flooded with traffic.

Server reboot has brought things moderately back to normal, but the iLO is still in Chinese.

Hitman Pro scans aren't finding anything - I'm baffled - but the iLO was definitely not in Chinese before.

More specs - ML350 SBS 2011 - 4 core Xeon 16 GB RAM
HP ProCurve (3Com Baseline 2928-POE) - VoIP phones
HP ProCurve 2510 G - Data switch
Sonicwall TZ210 Firewall / Gateway

Everything was current patch and firmware as of last monthly maintenance 2 weeks ago.
1 Solution
Blue Street Tech (Last Knight) commented:
Hi DigiSec,

It sounds like it...but let's see.

1. Restore

See if you can restore from previous good instance (before the "attack").

2. Firewall

What do your Access Rules look like...anything open inbound? (screenshot of Access Rules would be nice WAN> {other firewalled zones}). Are you running any VNC services or the like (remote services)?

Do not reboot the firewall unless you are using syslog, ViewPoint, Analyzer or an external exporter/parser! Make sure logs are set up properly: go to Logs > Categories, Logging Level should be Debug, and select ALL categories under the Log column. Then check/filter the logs for unusual activity.

3. Scans

Even if you can restore successfully we still need to sanitize the infections - so run scans even if you can restore. For all scans below: Do not scan in Safe Mode.
Download the latest copy of Malwarebytes (http://www.malwarebytes.org/mwb-download/).
IMPORTANT: Modify the file name when saving the file so that you replace the file name and file type, e.g. oiuer.txt rather than mbam-setup....exe.

Download the latest copy of GMER (http://www2.gmer.net/gmer.zip) to run for Rootkit detection/remediation as well. Modify this when downloading as set forth above.

Run ESET online scanner: http://www.eset.com/us/online-scanner/

NOTE: If you have been exploited through open ports or remote access exploits you may not find infections initially.

Please post applicable results.
DigiSec (Author) commented:
We have 80 and 443 inbound open for the RWW of SBS (RDP Gateway), as well as SMTP from Dyn for email scrubbing inbound. (I don't like port 80 , but it is the MS requirement for remote web workplace)

There are a ton of firewall logs for IPv6 unhandled traffic (we only use IPv4 here)...

I have MBAM scans running on a couple of computers now - will start one on the server as well.

Taking GMER around on a flashdrive now.
DigiSec (Author) commented:
Also - sniffing the network, I see a lot of iterating ports and iterating IP connections to google, amazon and Microsoft addresses...

Blue Street Tech (Last Knight) commented:
Is your SBS box in the DMZ? (if not it should be.)

Disable then delete Access Rule allowing access for TCP 80. Make sure the destination is set so the rule for 443 is explicitly to the SBS box only.

Port 80 – does NOT need to be open at all in reality.  It's there to provide an easy redirect for your users when they go to access the Remote Web Access feature of SBS 2011 Essentials. Having this port open allows the user to type in remote.mycompany.com into a web browser which will then go direct to your server. The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted. You can safely close this port to reduce your attack profile but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote. My advice is to train your users – put this URL on the back of a business card for them to make it easy to handle.

You only need to forward ports 4125 and 443 for RWW.

Make sure you download the newest versions of both & modify file name & type. See instructions set forth here: http:#a39622158

How many current connections are running (Active Connections Monitor)?
DigiSec (Author) commented:
@DiverseIT - Thanks for your help as well.


I have locked down port 80 so the only open port for RWW now is 443

RE: Scans

Running MBAM on the server now
GMER is APPCRASH on the server (even after rename and running as admin)

Sysinternals "RootkitRevealer" is also crashing "APPCRASH"

RE: Connections

The main server is showing over 5000 connections from "DNS.EXE" which is almost certainly the Trojan.  I'm shutting that down.
Blue Street Tech (Last Knight) commented:
Yes, DNS.exe can be a threat. It depends on which computer it is running, what type of connections it's tied to & what results show for the scans. The file "dns.exe" is known to be created under the following filenames:
%CommonDocuments%\my music\classified.exe
%ProgramFiles%\common files\adobe.exe
%ProgramFiles%\common files\classified.exe
%ProgramFiles%\common files\designer.exe
%ProgramFiles%\common files\mssoap.exe
%ProgramFiles%\common files\odbc.exe
%ProgramFiles%\common files\services.exe
%ProgramFiles%\common files\speechengines.exe
%ProgramFiles%\common files\system.exe
%ProgramFiles%\common files\system\dns.exe
%ProgramFiles%\internet explorer\mui.exe
%ProgramFiles%\internet explorer\mui\0409.exe
%ProgramFiles%\internet explorer\mui\0409\0409.exe
%ProgramFiles%\internet explorer\mui\mui.exe
%ProgramFiles%\web publish\logfiles.exe
%ProgramFiles%\windows media player\skins.exe
%ProgramFiles%\windows media player\skins\skins.exe
Also here is a list of Threat Alias:
W32.Daprosy [Symantec]
W32/Autorun.worm.h [McAfee]
Worm:Win32/Autorun.UD [Microsoft]
Malware.Daprosy [PC Tools]
W32/Autorun-AMS [Sophos]
Worm.Win32.AutoRun [Ikarus]
Worm.Win32.VB.arz [Kaspersky Lab]
W32/YahLover.worm.gen [McAfee]
Win-Trojan/Xema.variant [AhnLab]
Mal/Generic-A [Sophos]
Backdoor.Trojan [Symantec]
Mal/Airworm-A [Sophos]
Mal/Sohana-A [Sophos]
New Win32 [McAfee]
W32.SillyFDC [Symantec]
Win32/Autorun.worm.318797 [AhnLab]
Worm.Win32.AutoRun.ausp [Kaspersky Lab]
Backdoor.Win32.Poison.cpb [Kaspersky Lab]
Backdoor:Win32/Poisonivy.E [Microsoft]
BackDoor-DKI.gen.a [McAfee]
Downloader [Symantec]
New Malware.ix [McAfee]
PE_SALITY.BI [Trend Micro]
Troj/Keylog-JV [Sophos]
Trojan.Buzus.iij [Ikarus]
Trojan.DL.CKSPost.Gen [PC Tools]
Virus.Win32.Sality [Ikarus]
Virus.Win32.Sality.aa [Kaspersky Lab]
Virus:Win32/Sality.AM [Microsoft]
W32.Sality.AE [Symantec]
W32/Autorun.worm.i.gen [McAfee]
W32/AutoRun-AMW [Sophos]
W32/Autorun-APL [Sophos]
W32/Sality.gen [McAfee]
W32/Sality-AM [Sophos]
W32/Scribble-B [Sophos]
Win32/Kashu.B [AhnLab]
Win32/Virut.F [AhnLab]
Win32/Xema.worm.94208.AM [AhnLab]
Win-Trojan/Downloader.82154 [AhnLab]
Worm.Win32.Agent.uw [Kaspersky Lab]
Worm.Win32.AutoIt.nv [Kaspersky Lab]
Worm.Win32.AutoRun.atgw [Kaspersky Lab]
Worm.Win32.AutoRun.auoz [Kaspersky Lab]
Worm.Win32.AutoRun.ezj [Kaspersky Lab]
Worm.Win32.AutoRun.gjt [Kaspersky Lab]
Worm.Win32.VB.arq [Kaspersky Lab]
Worm:Win32/Autorun [Microsoft]
REF: http://www.threatexpert.com/files/dns.exe.html
DigiSec (Author) commented:
This SBS Server though IS running DNS and DHCP services.  Stopping DNS.exe also shutdown my internal DNS server (so was it NOT the threat?)

MBAM has not yet detected anything on this server (nor has Symantec)  Is there a more specific way to identify as a threat (i.e. version - filesize - date - md5)?
DigiSec (Author) commented:
MBAM scan found NOTHING, ESET Online scan found NOTHING.

Zero Day?
Fred Marshall (Principal) commented:
Well, that is a browser page.  A lot depends on how the page and the browser are interacting.  I've had to help folks who had switched their browser language accidentally and it wasn't easy to figure out how to fix it.  Could this have happened?
Blue Street Tech (Last Knight) commented:
That is why I said "can be"...we need to rule it out. Having a dns.exe that's not the dns server process on a server could be a threat, e.g. if you found dns.exe on a workstation or you could have dns.exe running right along side a valid dns.exe server process.

The scans should bring something up if there is an infection. I'd forget about Symantec - they won't find anything. You need to get an anti-rootkit scan going though.

GMER is to be run on your workstations - sorry I didn't specify that before.
Windows Sysinternals RootkitRevealer Server only supports Windows Server 2003 (32-bit).
Here is a Rootkit buster to run on your server: http://esupport.trendmicro.com/solution/en-us/1034393.aspx

Are you running 64-bit?

Regarding connections...you should see them going out to unknown IPs, typically in the main geographic hacking regions (Iran, Russia, China), but not necessarily - the point is if you see a ton of traffic going to legitimate sites it's typically legitimate. But on a TZ210 you should have Geo-IP Filtering. Do you have it enabled & configured?
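The exchange above leaves the real question open: is the dns.exe that owns those connections the Windows DNS Server binary, or a second dns.exe riding alongside it? The script below is an added example, not code from the original thread or from any of the posters. It answers DigiSec's request for version, size, dates and MD5 by pulling them from the actual on-disk file behind each running dns.exe, compares that path and PID against what the Service Control Manager reports for the DNS Server service (service name `DNS`), and checks the signature. It is written for Windows PowerShell 2.0 as shipped on Server 2008 R2 / SBS 2011, so it avoids `Get-FileHash` and `Get-CimInstance`; the use of Sysinternals `sigcheck.exe`, if it happens to be on the PATH, is an assumption.

```powershell
# Added example, not code from the original thread. Confirms whether the dns.exe
# that owns the connections is the Windows DNS Server binary or something else
# running under that name. Windows PowerShell 2.0 (Server 2008 R2 / SBS 2011):
# no Get-FileHash, no Get-CimInstance. Run from an elevated prompt.

function Get-FileHashHex {
    param([string]$Path, [string]$Algorithm)
    # .NET hashing is available on PowerShell 2.0; Get-FileHash is not.
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($algo.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

# Expected on-disk location of the Windows DNS Server binary.
$expected = Join-Path $env:SystemRoot 'System32\dns.exe'

# 1. What the Service Control Manager says the DNS Server service (name 'DNS') runs.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='DNS'"
if ($svc) { "DNS service: $($svc.PathName)  state=$($svc.State)  pid=$($svc.ProcessId)" }
else      { Write-Warning 'No DNS Server service on this host: any dns.exe here is suspect' }

# 2. Every running process named dns.exe, with its real path and metadata.
foreach ($p in @(Get-WmiObject -Class Win32_Process -Filter "Name='dns.exe'")) {
    $path = $p.ExecutablePath
    ''
    "PID $($p.ProcessId): $path"
    "  command line: $($p.CommandLine)"
    if (-not $path) { Write-Warning '  no path (access denied or process already gone)'; continue }

    if ($path -ine $expected) { Write-Warning "  path differs from $expected" }
    if ($svc -and $p.ProcessId -ne $svc.ProcessId) {
        Write-Warning "  not the service process (service pid $($svc.ProcessId)): a second dns.exe"
    }

    # Metadata DigiSec asked for: version, size, timestamps, MD5 and SHA-256.
    $fi = Get-Item -LiteralPath $path
    "  version=$($fi.VersionInfo.FileVersion)  size=$($fi.Length)  created=$($fi.CreationTime)  modified=$($fi.LastWriteTime)"
    "  md5=$(Get-FileHashHex $path 'MD5')"
    "  sha256=$(Get-FileHashHex $path 'SHA256')"

    # Signature. Caveat: on 2008 R2 most System32 binaries are catalog-signed, and
    # Get-AuthenticodeSignature on PowerShell 2.0 reports those as NotSigned, so
    # NotSigned alone proves nothing. Sysinternals sigcheck is catalog-aware.
    $sig = Get-AuthenticodeSignature -FilePath $path
    "  authenticode: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
    $sigcheck = Get-Command sigcheck.exe -ErrorAction SilentlyContinue   # assumed optional
    if ($sigcheck) { & $sigcheck.Path -accepteula -a -h $path }
    elseif ($sig.Status -ne 'Valid') {
        Write-Warning '  NotSigned/invalid: confirm with sigcheck.exe -a before drawing a conclusion'
    }
}
```

Read the output as a whole rather than one field at a time: a dns.exe whose path is `%SystemRoot%\System32\dns.exe`, whose PID matches the service, and whose version and hash match another patched SBS 2011 box is the server's own DNS, which is consistent with what DigiSec saw when stopping it also stopped internal name resolution. A second dns.exe with a different path, or one the service does not own, is what Blue Street Tech is describing as the case to worry about.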
Blue Street Tech (Last Knight) commented:
How's it going now...where does it stand?
DigiSec (Author) commented:
I've enabled the trial licenses for advanced features of the TZ210 - it's a little underpowered and bottlenecks throughput with all of the DPI turned on.  I've pretty much blocked everything and tested GEO-IP blocks, Content Blocks etc.

I'm running a rootkit scanner tool from Sophos now - will try the trend micro one if this bombs (and probably if it doesn't)

The outbound connections were in the tens of thousands, but spot checking IPs they were mostly pointing at Google, Microsoft and Amazon - in an iterative manner (meaning 10 connections on port XXXXX, then 10 connections on port XXXXX1, XXXXX2, etc.)  Also the destination IPs were iterative.  My *guess* is a botnet/DDoS slave attempt?

Right now the connections are down - my iLO is still in Chinese  despite resetting the iLO firmware to defaults and flashing it - so I have unplugged the iLO for now
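The pattern DigiSec describes above, one process opening tens of thousands of connections that walk through consecutive remote ports and consecutive destination IPs, is something you can score from plain `netstat -ano` output instead of spot checking by eye. The script below is an added example, not code from the original thread or from any of the posters: it parses `netstat -ano` lines, groups TCP connections by owning PID, and reports per process the connection count, the number of distinct remote IPs and the longest run of consecutive remote ports. The thresholds (a run of 10 ports, or 1000 connections) are assumptions to tune for the site; the sample lines at the bottom are constructed, not captured from the client's server. Windows PowerShell 2.0 compatible; run elevated so netstat shows PIDs.

```powershell
# Added example, not code from the original thread. Parses `netstat -ano` output,
# counts connections per owning PID and flags the pattern DigiSec describes: long
# runs of consecutive remote ports and many distinct remote IPs from one process.
# Windows PowerShell 2.0 compatible; run elevated so PIDs are populated.

function Get-NetstatConnections {
    param([string[]]$Lines)   # raw `netstat -ano` lines
    foreach ($line in $Lines) {
        $f = -split $line.Trim()
        # TCP rows: Proto, Local, Foreign, State, PID (UDP rows have no State; skipped)
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }
        $remote = $f[2]
        $i = $remote.LastIndexOf(':')      # also copes with [::1]:445 style IPv6
        New-Object PSObject -Property @{
            RemoteIP   = $remote.Substring(0, $i)
            RemotePort = [int]$remote.Substring($i + 1)
            State      = $f[3]
            PID        = [int]$f[4]
        }
    }
}

function Find-IterativeConnections {
    param($Conns, [int]$MinRun = 10, [int]$MinCount = 1000)   # thresholds are assumptions
    $active = @($Conns | Where-Object { $_.State -ne 'LISTENING' })
    foreach ($g in ($active | Group-Object PID)) {
        # Longest stretch of remote ports where each one is exactly the previous + 1
        $ports = @($g.Group | ForEach-Object { $_.RemotePort } | Sort-Object -Unique)
        $run = 1; $best = 1
        for ($k = 1; $k -lt $ports.Count; $k++) {
            if ($ports[$k] -eq $ports[$k - 1] + 1) { $run++ } else { $run = 1 }
            if ($run -gt $best) { $best = $run }
        }
        $ips  = @($g.Group | ForEach-Object { $_.RemoteIP } | Sort-Object -Unique).Count
        $proc = Get-Process -Id ([int]$g.Name) -ErrorAction SilentlyContinue
        $name = '?'; if ($proc) { $name = $proc.Name }
        New-Object PSObject -Property @{
            PID = [int]$g.Name; Process = $name; Connections = $g.Count
            DistinctRemoteIPs = $ips; LongestSequentialPortRun = $best
            Suspicious = ($best -ge $MinRun -or $g.Count -ge $MinCount)
        }
    }
}

# Constructed sample (not captured from the thread's server): one idle listener,
# one ordinary DNS client, and a process walking consecutive ports and IPs.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  TCP    192.168.1.10:53        192.168.1.50:49231     ESTABLISHED     1234'
)
foreach ($n in 0..11) {
    $sample += "  TCP    192.168.1.10:$(51000 + $n)  74.125.24.$(100 + $n):$(50000 + $n)  SYN_SENT  1234"
}

Find-IterativeConnections -Conns (Get-NetstatConnections -Lines $sample) -MinRun 10 |
    Sort-Object Connections -Descending |
    Format-Table PID, Process, Connections, DistinctRemoteIPs, LongestSequentialPortRun, Suspicious -AutoSize

# Against the live host (elevated):
# Find-IterativeConnections -Conns (Get-NetstatConnections -Lines (netstat -ano)) | Format-Table -AutoSize
```

On the constructed sample, PID 1234 comes out with 13 connections, 13 distinct remote IPs and a sequential port run of 12, so it is flagged; the listener on PID 4 is excluded. Keep a baseline from a quiet period, since what counts as abnormal here is the ratio against the 12-user network's normal load, which DigiSec later confirms is nowhere near tens of thousands of outbound connections.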
DigiSec (Author) commented:
And yes, this is SBS2011, so Server 2008 R2 (x64) with Exchange 2010, SharePoint etc...
Blue Street Tech (Last Knight) commented:
When you say,
I've enabled the trial licenses for advanced features of the TZ210...
What are you talking about here...CGSS?

When you say,
...it's a little underpowered and bottlenecks throughput with all of the DPI turned on.
How fast is your WAN connection? A TZ 210 should be getting 200 Mbps of Firewall Throughput. Are you maxing out the processor?
Go to Security Services > Summary, under Security Services Setting: and select Performance Optimized. This will greatly enhance throughput & performance while still utilizing DPI it just skips low threat level traffic.

What size is your network (how many users)?

Is this normal for your environment (tens of thousands of connections)?

If you like I can provide you a Hardening setup to aid in blocking new threats. Also you can filter outbound traffic in order to block slaves and infections from transmitting outbound once they have infected the target.

Let me know how I can help.
DigiSec (Author) commented:
Correct - the TZ210 was not licensed by the client for any CGSS (Content Filter, Gateway AV, IPS, Geo-IP Etc) because of price </shrug>.  So I've activated the 30 day trial of those features.

The client WAN is 20 Mbps down, 10 Mbps up over fiber (not HFC).  After initially setting it up the TZ was pegging the CPU to 100% and choking at 4 Mbps down, ~0.5 Mbps up.  That seems to have stabilized though to a much better 17 Mbps down and 8 Mbps up (at around 40% CPU).

This is an older TZ210

The network is very small, 12 users.  No, tens of thousands of connections is not a typical traffic load - especially not outbound from the SBS server to Google / Amazon / Microsoft...

No rootkits are found - the Trend tool did hit on silsvc.sys as a locked hidden service.  That has checked out though here

I think I'm going to call this one closed - and watch the connections monitor.  There is a recent HP bulletin for an iLO vulnerability using cipher_zero attack - and it is possible that is what has happened here.  I've unplugged that for now, and will engage HP customer care to reset the iLO (since it is still in Chinese after reinstalling the latest firmware)
Blue Street Tech (Last Knight) commented:
Ok sounds good. I'm glad I could help and thanks for the points!
Question has a verified solution.