Christopher L Everett
My friend here got hit really hard.
And I'm afraid I've made things worse. At this point
I can only log into the machine in Safe Mode; whenever
I boot the server with networking enabled the box just
sits there saying "preparing network connections ...."
(I've waited over half an hour for it to clear up) and
never presents the Ctrl-Alt-Del to log in prompt. When I
start it in safe mode I can log in but the network
connections window is blank and I can't reconfigure
the network.
His Win2K/Exchange 5.5 server got hacked, and the cracker
left behind a modified version of the BackDoor.Wollf.16
trojan (file size 3 bytes smaller than the one in the
Symantec database, and set up as a Windows 2000 Service
called "Sys Wininit").
Not only that, the SOB reconfigured Exchange as an open
relay and started spamming people with my friend's server.
Here's the sequence of steps I took:
First I disconnected the box from the Internet.
I moved the trojan out of C:\WINNT\system32 onto the
Administrator desktop, and disabled "Sys Wininit" in
Services. Then I rebooted.
Then I reset the administrator password and updated all
the entries in Services which need the Administrator
password with the new password. Then I rebooted again.
So far so good. I now have several problems:
1) The MS Exchange IMC service hangs starting up: it
just sits there consuming about 50% CPU. There's
more happening on the Exchange side (crackers at
work) but I won't go into it.
2) Doing a portscan of the box from the Internet side
shows an ungodly number of open ports. I only need
SMTP, HTTP, and PPTP open on that side.
3) Some security ware from McAfee will not start,
citing service dependency issues with bogus
services. I figure the cracker did this.
So I figure the first thing is to lock down the ports.
This is where things started going bad for me.
I went into the network connections properties and
opened the property sheet for the Internet connection.
Initially I made the mistake of removing "File and
Printer Sharing for Microsoft Networks", but I restored
that. Then I unchecked "Client for Microsoft Networks"
and "File and Printer Sharing for Microsoft Networks".
Then I double-clicked "Internet Protocol", pressed
the "Advanced ..." button, and selected the "Options"
tab, and double-clicked "TCP/IP Filtering".
The upshot was that I enabled ports 25 and 80 (saving
PPTP for later) only for all adapters and rebooted
again. At this point I could no longer log in with
networking enabled. I know, I should have used
ZoneAlarm ...
Please HELP! A half dozen people depend on this server
to make a living, and I have a full time gig
doing web development ... spending days on this will get
me fired.
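An added example, not from the original post: a small Python audit that reads an exported Windows 2000 TCP/IP Filtering configuration (the EnableSecurityFilters value and each interface's TcpAllowedPorts / RawIpAllowedProtocols lists) and checks the permit-only list against the services the poster says must stay reachable (SMTP 25, HTTP 80, and PPTP, which needs TCP 1723 plus IP protocol 47/GRE). The .reg excerpt and the interface GUID are constructed placeholders; such an export can be taken from a Safe Mode session before the box is rebooted with networking.

```python
import re

# Constructed .reg excerpt (not from the post): filtering on, only TCP 25 and 80 permitted; GUID is a placeholder.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-PLACEHOLDER-0000-000000000000}]
"TcpAllowedPorts"=hex(7):32,00,35,00,00,00,38,00,30,00,00,00,00,00
"RawIpAllowedProtocols"=hex(7):00,00
'''
TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

def _decode_multi_sz(hexbytes):
    # REG_MULTI_SZ exports as hex(7): NUL-separated UTF-16LE strings, double NUL at the end
    raw = bytes(int(b, 16) for b in hexbytes.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\0") if s]

def parse_reg(text):
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join regedit's hex line continuations
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and '"=' in line:
            name, value = line[1:].split('"=', 1)
            if value.startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            elif value.startswith("hex(7):"):  # other value types are not needed here
                keys[current][name] = _decode_multi_sz(value[7:])
    return keys

def audit_filters(keys, required_tcp=(25, 80), needs_pptp=True):
    if keys.get(TCPIP_PARAMS, {}).get("EnableSecurityFilters") != 1:
        return ["TCP/IP Filtering is disabled; nothing is blocked at this layer"]
    need_tcp = set(required_tcp) | ({1723} if needs_pptp else set())  # PPTP control port
    prefix, findings = TCPIP_PARAMS + "\\Interfaces\\", []
    for key, values in keys.items():
        if not key.startswith(prefix):
            continue
        adapter, tcp = key[len(prefix):], values.get("TcpAllowedPorts", [])
        # "(All adapters)" filters every interface; an empty permit-only list blocks all inbound TCP, a lone "0" permits all
        if not tcp:
            findings.append(f"{adapter}: TcpAllowedPorts empty, all inbound TCP blocked")
        elif "0" not in tcp:
            for port in sorted(need_tcp - {int(p) for p in tcp}):
                findings.append(f"{adapter}: required TCP port {port} not permitted")
        raw = values.get("RawIpAllowedProtocols", [])
        if needs_pptp and "0" not in raw and "47" not in raw:
            findings.append(f"{adapter}: IP protocol 47 (GRE) not permitted, PPTP fails")
    return findings
```

Run against the sample it reports the missing PPTP control port and the missing GRE protocol; the same check with the internal adapter's key added would show whether the domain and Exchange traffic that adapter carries is also being filtered.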