Hacked -- FTP Server Running

[Greg]

One of our machines was hacked and the hacker setup and FTP server. Using a
packet sniffer I can see the filenames of files being transferred (warez),
but am unable to find them on the system either with the DOS window or
explorer. The drive has only a couple of folders and even with doing "dir
/as" it doesn't find the hidden ones. Space keeps going down so I know it's
the right drive (D drive).

How can I found out what FTP Server is running and where the files are?

 

[Marina Roos]

I don't think it's worth the time and effort to find out. Take the system of
the internet now. You better rebuild your system and make sure that no one
gets in.
Was this a 2000-server?

Marina

 

[Greg]

It's Windows 2003. It's a production server so it can't be taken offline
until a replacement is ready.

I would like to find out how they got in so it doesn't happen again.

 

[Brendon Rogers]

Use Task Manager and examine each process running, one of them will be the
ftp server. Once you have identified it do a search on Google and see if
that leads anywhere. You should identify each and every process - the hacker
could have installed more than just an FTP server.

How is the server exposed to the internet? What services is it offering to
the world?

I would suggest disconnecting the server from your network immediately - the
ftp server may not be the only hacked process running on the server - there
could be other backdoor trojans which the hacker could be using to siphon
information from your network. At the very least block port 21 to the server
on your router / firewall so you don't get any more ftp traffic.

Good luck

Brendon

 

[Marina Roos]

Than I definitely would take it offline immediately. If you have been
hacked, you won't be able to clean it because you won't know what they have
been doing.
You probably had some ports open, were not using a firewall and that is how
they got in.

Marina

 

[Michael Holzemer]

Look for firedaemon, serv-u, and DWRC in your services. Dame ware is a
common hack that robots use. If you search for the exes you will generally
find the setup files for these hacks.
Here is a vbscript to remove these services.

Const title = "Service Removal Tool"

Set oWS = CreateObject("Wscript.Shell")
sService = inputbox("Enter Service Name",title,"SQLANYs_dlrdb")

If sService = "" then
msgbox "Script halted. No changes were made.", vbInformation, title
wscript.quit
End If

'// Last chance to quit
result = MsgBox ("The " & sService & " service will be deleted. Are you
sure?", vbQuestion + vbYesno, title)
If result = vbNo Then
Msgbox "Script halted. No changes were made.", vbInformation, title
wscript.quit
End If

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

'// See if the displayname or name exists
Set colListOfServices = objWMIService.ExecQuery _
("Select * from Win32_Service Where Name = '" & sService & "' or
displayName = '" & sService & "'")
If colListOfServices.count > 0 Then
For Each objService In colListOfServices
objService.StopService()
'// Give it 5 seconds to stop
wscript.Sleep 5000
objService.Delete()
Msgbox "The " & sService & " service has been removed or marked for
deletion.", vbInformation, title
Next
Else
Msgbox "The " & sService & " service was not found.", vbInformation, title
End If

You will need to refresh the services window after running this script.

 

[Greg]

I can't take it offline until we are ready to format it or our business will
be unreachable too long. This is a small company with a single dedicated
server. Additionally, it's important to find out exactly how they got in so
it doesn't happen again.

By leaving the server running I've determined which files that are using for
the 2 FTP servers and how they are starting them (they are hidden from the
processes list and the files don't exist in the located reported -- they are
not hidden): 43166: services.exe:432 QueryValue
HKLM\SYSTEM\ControlSet001\Services\INetSR\ImagePath SUCCESS
"C:\WINDOWS\system32\inetsrv\msvchost.exe"

When I've killed the msvchost.exe the system reboots after a while
automatically (did it three times). Which then loads it up again into
memory so they can get back in. We will be formatting today and
re-installing Windows 2003. Without knowing what caused this, there is a
very strong chance that this will happening again immediately by the same
people.

The dedicated server is in a remote location. The ports that were open
were:

Port 21: FTP (BulletProof FTP Server -- anonymous access denied)
Port 25: SMPT Server (not an open relay)
Port 49: Alternative SMTP Server port (needed)
Port 53: Not sure what this is
Port 80: Web server
Port 90: Stats Server
Port 110: POP Server
Port 135: Not sure what this is
Port 1025: Not sure what this is
and Port 8080

 

[Greg]

Unfortunately none of those were listed. I know they are using serv-u
because I did find the configuration file. I was also able to find out the
filename by monitoring open ports, however the file does not exist in the
located specified. Additionally, the file is being loaded from that
location upon bootup:

43166: services.exe:432 QueryValue
HKLM\SYSTEM\ControlSet001\Services\INetSR\ImagePath SUCCESS
"C:\WINDOWS\system32\inetsrv\msvchost.exe"

That's line is from a log created during Windows bootup. msvchost.exe is
the FTP server. They've altered the inetsrv directory so you can go in it
through the command-prompt. Pasting c:\windows\system32\inetsrv\ into
explorer returns an error because it thinks the directory doesn't exist.
Doing "dir /a" doesn't show it either. This is while logged in as
administrator.

 

[Michael Holzemer]

Port 8080 is probably how they got in if that is the port for IIS
administration.
53 is DNS, and 135 is the endpoint mapper. You really should remove IIS
admin from your server because you don't need it.

 

[Greg]

Thanks for the advice, but unfortunately I did do that without luck. The
process for the two FTP servers don't show up in the task manager. They do
show up with their pid using a port monitor. I was able to learn the
filenames however they don't exist in the location it's reporting.
Searching the drive didn't find them either. Searching on Google also
didn't find anything so they must be able to name them whatever they want.

They opened two new ports. They are not using port 21. I don't have access
to the firewall to block any ports. The server is in a remote location, but
we will be formatting today and having them block ports we won't be using.

But we still don't know how they go in in the first place, which is a major
problem for us.

 

[Michael Holzemer]

The other big thing is that services will be installed and named things like
win32 service. Which is not really a windows service.

 

[Greg]

Thanks for the advice. I will definitely do that on the new install.

 

[Greg]

I just took a look and IIS remote administration isn't installed on the
server. I guess I'll track down what that is.

 

[Michael Holzemer]

So Internet Management Services is not installed. Are you running a site on
8080? The reason I ask is that is the default port for the administration
web site. Did you see my post below this one?

The other big thing is that services will be installed and named things like
win32 service. Which is not really a windows service.

 

[Brendon Rogers]

Port 135 is an MS NetBIOS port (used for MS networking) - this should not be
exposed to the internet.

 

[Greg]

Correct, it's not installed. There is no web site configured for port 8080.

I did see your other post and I did not see any services with a name similar
to Win32 service.

 

[Michael Holzemer]

Sorry what I meant is - Are there any services that look like they do not
belong?

 

[Lanwench [MVP - Exchange]]

Sounds like they got in because you hadn't configured your firewall as
securely as you needed to, nor hardened the security on your server....Port
135 should never be open from the Internet, port 80 would be better replaced
with port 443 (force SSL), if you aren't hosting your own public DNS close
port 53, etc.

URLScan and IISLockdown are also your friends. ;-)

 

[Greg]

The built-in firewall of 2003 has been enabled so all ports that aren't
needed have been closed. The system will be formatted soon to clear away
anything left by the hackers.

There are two FTP servers they installed. One of them is servu (I found the
config file) and I'm not sure what the other is. Neither show up in the
task manager but they did show up using a port monitor. The only problem
was the filename shown wasn't in the directory the port monitor was say.
For example, it was showing the filename C:\Windows\System32\msvchost.exe,
but that file doesn't exist. I checked to make sure it wasn't hidden (at
least the type of hidden Windows can do) and it wasn't... just doesn't
exist. I searched the hard drive and the registry and found nothing. I
then used a program called RegMon to monitor everything that's loading from
the registry upon bootup. I found that the file is being loaded from that
location and registry keys that say they were successfully read do not even
exist.

They had created a user, which I disabled (found it first day I noticed a
problem) and eventually removed. I'll look into the Access Control List.

I agree that, preferrably, the system should be taken off the internet

asap (but not offline, to further research the break-in). Leaving it online
for any length of time can have dire consequences.

If that's not an option yet, at least try to lock the system down.

Depending on the system's function (I assume it's an externally facing web
server), block all unecessary ports, especially whatever port the ftp server
is running on - port 21 or otherwise.

As far as the disk space is concerned, check your Access Control Lists

Might be that admins are being blocked - also check for any unusual local
id's and disable them. Lastly, check for any processes in memory that are
suspicious. That Ftp server process is somewhere in memory - find it, jot
down the exe name, kill the process, delete / rename the exe, and finally
search for that process in the registry and delete any references.