
svchost exploit on ports 80, 443 &21

Anonymous
April 4, 2004 7:20:52 PM

Archived from groups: comp.security.firewalls

Hi,

I have a customer's server that has been hacked and I'm running out of
time on fixing the problem.

Each time the server starts up svchost.exe loads using ports 80, 443,
21 and a couple of others that it blatantly shouldn't - as you can
guess this stops any IIS services from running correctly.

When the users try to use features such as Outlook Web Access an
alternate page is displayed showing a large skull and starting with
the text "Hello dear FxPer!" and displaying a few statistics off the
server such as its uptime etc, it closes with a gloat from the hacker
stating the server was "hacked by a good hacker".

I can easily cure this by simply killing the instance of svchost.exe
that is occupying the ports I want then restarting the IIS sites, but
this always returns after a restart so it's getting a bit boring now.

The technical details of the server are as follows: -

Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
sp1 and all other Microsoft critical updates.
McAfee Netshield.

Note: - At the time when the problem started the server was just
running SP3 with no other updates.

I have scanned the registry for any unusual programs running on
startup and can't see anything.
I have run several Trojan Scans and I have also run the Symantec fix
tool for the Welchia virus but nothing has been found.

Does anyone have any info on this problem ?

Any help is greatly appreciated, the hacker's home address would be
even more appreciated! ;-)

Cheers
Alastair
Anonymous
April 5, 2004 3:19:05 AM


"Alastair Smith" <asmith@c-it.co.uk> wrote in message
news:a84041bd.0404041420.aef4ff1@posting.google.com...
> Hi,
>
> I have a customer's server that has been hacked and I'm running out of
> time on fixing the problem.
>
> Each time the server starts up svchost.exe loads using ports 80, 443,
> 21 and a couple of others that it blatantly shouldn't - as you can
> guess this stops any IIS services from running correctly.
>
> When the users try to use features such as Outlook Web Access an
> alternate page is displayed showing a large skull and starting with
> the text "Hello dear FxPer!" and displaying a few statistics off the
> server such as its uptime etc, it closes with a gloat from the hacker
> stating the server was "hacked by a good hacker".
>
> I can easily cure this by simply killing the instance of svchost.exe
> that is occupying the ports I want then restarting the IIS sites, but
> this always returns after a restart so it's getting a bit boring now.
>
> The technical details of the server are as follows: -
>
> Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
> sp1 and all other Microsoft critical updates.
> McAfee Netshield.
>
> Note: - At the time when the problem started the server was just
> running SP3 with no other updates.
>
> I have scanned the registry for any unusual programs running on
> startup and can't see anything.
> I have run several Trojan Scans and I have also run the Symantec fix
> tool for the Welchia virus but nothing has been found.
>
> Does anyone have any info on this problem ?
>
> Any help is greatly appreciated, the hacker's home address would be
> even more appreciated! ;-)

You may have to go find it yourself with some additional tools.

You may want to use Process Explorer and start looking inside of the
svchost.exe and see what programs/processes are using the svchost.exe in
question. You may be able to pinpoint what's running that's doing it.

http://www.sysinternals.com/ntw2k/freeware/procexp.shtm...

http://www.windowsecurity.com/articles/Hidden_Backdoors...

You may also want to investigate dllhost.exe as well.

Of course, if svchost.exe and dllhost.exe are not running out of the
System32 directory, then they are Trojans.

Have you done anything along the lines of securing *hardening* IIS and the
O/S from attack?

Duane :) 
Anonymous
April 5, 2004 10:10:25 AM


Alastair Smith wrote:

> The technical details of the server are as follows: -
>
> Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
> sp1 and all other Microsoft critical updates.
> McAfee Netshield.

There are, reportedly, a number of zero-day exploits (no notice,
no patch) in MS tools and OS being used by professional
black hats, especially in Russia. Obviously, this is hard to
verify. However, it's possible that there are some, and that
your script-kiddie got one (a pro hacker wouldn't advertise,
like yours has done) and used it on you.

But, there's a general consensus, at least in the Windows AND
Linux using community that I'm part of, that anything with ActiveX
is NOT appropriate for exposure to the Internet. And, it
sounds like you may well have some ActiveX 'bits' showing in
public. If so, that may well be an approach you want to reconsider.
ActiveX was designed for convenience, not security.

Also, web mail tools (including those running on Linux) have a
pretty spotty security record -- you may want to see how you
can lock down (and log) those tools further, once you are back
up and running.
Anonymous
April 5, 2004 3:23:14 PM


Bluto <arf-arf@doubleclick.net> wrote in message news:<2o6dnZbrkcHxrezdRVn-hQ@comcast.com>...
> Alastair Smith wrote:
>
> > The technical details of the server are as follows: -
> >
> > Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
> > sp1 and all other Microsoft critical updates.
> > McAfee Netshield.
>
> There are, reportedly, a number of zero-day exploits (no notice,
> no patch) in MS tools and OS being used by professional
> black hats, especially in Russia. Obviously, this is hard to
> verify. However, it's possible that there are some, and that
> your script-kiddie got one (a pro hacker wouldn't advertise,
> like yours has done) and used it on you.
>
> But, there's a general consensus, at least in the Windows AND
> Linux using community that I'm part of, that anything with ActiveX
> is NOT appropriate for exposure to the Internet. And, it
> sounds like you may well have some ActiveX 'bits' showing in
> public. If so, that may well be an approach you want to reconsider.
> ActiveX was designed for convenience, not security.
>
> Also, web mail tools (including those running on Linux) have a
> pretty spotty security record -- you may want to see how you
> can lock down (and log) those tools further, once you are back
> up and running.

Hi,

Thanks so much for your posts Bluto and Duane, both proved very
interesting reading.

Bluto, I'm inclined to agree with you, a great hacker wouldn't
advertise their presence apart from to gloat, let's face it though,
anyone who knows how to use a search engine and has a mediocre
understanding of the OS could hack the system because the info is so
readily available on the net.

Duane - I hoped you'd reply as I noticed your name spread far and wide
amongst the news groups, seemingly concentrating on this issue. You
seem to know a hell of a lot about this, how come ?

Anyway, your link to the process explorer has proved invaluable and
has helped me locate the process - it was an illegal instance of the
svchost.exe located in c:\winnt\system32\wbem\mof\bad\usr32\backup
folder - this was heavily restricted which was why I didn't find it
using a search for instances of svchost.
After doing a registry search for references to this folder I noticed
2 service instances named TCP-IP (all upper case) calling this service
during the server's startup.

This is now cleaned up and I am a hell of a lot wiser for the
experience (every day's a school day!).

Now I just have to set to the task of making sure there are no other
suspect processes running anywhere else...I really don't want to
rebuild the server!

Thanks once again for your help, all the best.

Alastair
Anonymous
April 5, 2004 6:03:35 PM


Bluto <arf-arf@doubleclick.net> wrote in message news:<2o6dnZbrkcHxrezdRVn-hQ@comcast.com>...
> Alastair Smith wrote:
>
> > The technical details of the server are as follows: -
> >
> > Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
> > sp1 and all other Microsoft critical updates.
> > McAfee Netshield.
>
> There are, reportedly, a number of zero-day exploits (no notice,
> no patch) in MS tools and OS being used by professional
> black hats, especially in Russia. Obviously, this is hard to
> verify. However, it's possible that there are some, and that
> your script-kiddie got one (a pro hacker wouldn't advertise,
> like yours has done) and used it on you.
>
> But, there's a general consensus, at least in the Windows AND
> Linux using community that I'm part of, that anything with ActiveX
> is NOT appropriate for exposure to the Internet. And, it
> sounds like you may well have some ActiveX 'bits' showing in
> public. If so, that may well be an approach you want to reconsider.
> ActiveX was designed for convenience, not security.
>
> Also, web mail tools (including those running on Linux) have a
> pretty spotty security record -- you may want to see how you
> can lock down (and log) those tools further, once you are back
> up and running.


Hi,

Thank you Bluto and Duane for your input on my problem.

Bluto, you're absolutely right, a pro wouldn't advertise except to
gloat. Let's face it though, anyone with the ability to use a search
engine and a mediocre knowledge of the OS could manage this because
the info is so readily available via the net - very clever hack, but I
can think of much better things to do with spare time other than
hacking people's servers, so obviously not that clever! ;-).

Duane, I'm glad for your feedback, I noticed your name all over the
newsgroups, especially with articles relating to similar issues to
this. How come you know so much about this problem ?

Anyway, the Process Explorer utility was fantastic in resolving this,
I used Active Ports to get the process ID of the instance of svchost
that was utilising port 80, I then used Process Explorer to delve into
where the svchost was launched from.

The dodgy file turned out to be hidden within
c:\winnt\system32\wbem\bad\usr32\backup - the folders were set to
hidden and permissions had been revoked to nothing, which explains why
I couldn't find the illegal copy of svchost.exe.

Anyway, with the right know-how it all turned out to be easy enough to
remove, I just have to make sure there are no other illegal processes
running as I don't want to rebuild the server if I can avoid it, but I
also need to be able to trust it.

This has been a learning curve, but every day's a school day in IT!
Thank you so much for your help guys - I hope this post helps any other
people with the same problem.

All the best
Alastair
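The triage Alastair describes above (Active Ports to get the PID owning port 80, Process Explorer to find where that svchost.exe was launched from, then a registry search for services pointing at the drop folder) maps onto a short script on a current Windows host. The following is an added example from the editor, not code from the thread or from any of the posters; Windows 2000 predates PowerShell, so it assumes a modern Windows server with the NetTCPIP module (Get-NetTCPConnection) and CIM available, run from an elevated session. The ports (21, 80, 443), the svchost.exe/dllhost.exe "must live in System32" rule and the system32\wbem drop folder all come from the thread; everything else is the editor's construction.

```powershell
# Added example, not code from the thread. Defender-side triage for the symptom the
# thread describes: something named svchost.exe owns TCP 21/80/443, and rogue services
# start it from a hidden folder. Assumes a modern Windows host (Get-NetTCPConnection
# from the NetTCPIP module, Get-CimInstance); run from an elevated PowerShell session.

$System32        = Join-Path $env:SystemRoot 'System32'
$HostImages      = @('svchost.exe', 'dllhost.exe')   # images that must load from System32
$PortsOfInterest = @(21, 80, 443)                    # the ports reported hijacked in the thread

function Test-UnderPath([string]$Path, [string]$Root) {
    # Case-insensitive "is $Path inside $Root"; a missing path (access denied, hidden
    # folder with revoked ACLs) counts as "not under", so it gets flagged for review.
    if (-not $Path) { return $false }
    return $Path.StartsWith(($Root.TrimEnd('\') + '\'), [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-ServiceExecutable([string]$PathName) {
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the binary.
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Get-ListenerReport {
    # The Active Ports -> Process Explorer step: listening port -> PID -> image path.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -in $PortsOfInterest } |
        ForEach-Object {
            $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $image = if ($proc) { "$($proc.ProcessName).exe" } else { '<unknown>' }
            $path  = if ($proc) { $proc.Path } else { $null }
            # A genuine svchost/dllhost always loads from System32; any other location is
            # Duane's "then they are Trojans" case.
            $flag = ($image -in $HostImages) -and -not (Test-UnderPath $path $System32)
            [pscustomobject]@{
                Port = $_.LocalPort; PID = $_.OwningProcess
                Image = $image; Path = $path; Suspicious = $flag
            }
        }
}

function Get-ServiceReport {
    # The registry-search step: services whose binary is a host image outside System32,
    # or lives under system32\wbem (the thread's drop folder). WmiApSrv.exe legitimately
    # lives in system32\wbem, so the wbem flag is a review prompt, not a verdict.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $exe  = Get-ServiceExecutable $_.PathName
            $leaf = [System.IO.Path]::GetFileName($exe)
            $hostOutsideSystem32 = ($leaf -in $HostImages) -and -not (Test-UnderPath $exe $System32)
            $underWbem = $exe -match '\\system32\\wbem\\'
            if ($hostOutsideSystem32 -or $underWbem) {
                [pscustomobject]@{
                    Service = $_.Name; DisplayName = $_.DisplayName
                    StartMode = $_.StartMode; Exe = $exe
                    HostImageOutsideSystem32 = $hostOutsideSystem32; UnderWbem = $underWbem
                }
            }
        }
}

Get-ListenerReport | Format-Table -AutoSize
Get-ServiceReport  | Format-Table -AutoSize
```

Both reports are review prompts rather than verdicts: a flagged listener still wants the Process Explorer look Duane suggests (parent, loaded DLLs, strings), and a service flagged only by the wbem rule needs its binary compared against a known-good copy before it is removed. The script deliberately reports and does not kill or delete anything, so the evidence (the hidden folder, the service entries, the readme) survives for the clean-up and for deciding whether the box can be trusted or must be rebuilt.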
Anonymous
April 6, 2004 4:28:44 AM


> Duane - I hoped you'd reply as I noticed your name spread far and wide
> amongst the news groups, seemingly concentrating on this issue. You
> seem to know a hell of a lot about this, how come ?
>

Hello,

I am glad you found your problem. My knowledge comes from 30 years or so of
being down in the trenches with this stuff. :) 

I have worn many hats in the IT field. The key to any of this stuff is
keeping technically proficient. In addition to that, it's not what you know
but do you know how to go find the information when you need it and apply
it.

As anyone will tell you who has been around for a while, none of this stuff
has really changed that much over the years. Basically, it's the same old
dance with a different song. <g>

Oh, and it starts with the O/S and everything else is secondary to it.
That's the one thing that was driven *home* to me when I first hit this NG
by the Top Guns. :) 

Duane :) 
Anonymous
April 6, 2004 8:04:00 PM


Great, thanks for the IIS info, I'll spend some serious time on this
one!

As for the processes, I guess after fixing the original problem I
knew the answer really, the Active Ports and Process Explorer utils
are fantastic - like you say, just a matter of using them as part of a
routine. The process auditing facility sounds ideal too, I've never
used it before but will definitely review it as it sounds like an
essential feature for any MS Server system.

Thanks again for all your help and good luck with the MCSD.

Cheers
Alastair
Anonymous
April 7, 2004 4:51:27 AM


Now that you have it under control, keep it under control:
Use Blackice and anti-virus software and Boclean
Better still BoClean and AppsLock from Watchguard
Better still use ServerLock from Watchguard and Boclean. (No anti-virus
needed).

All of the above should still be behind some kind of firewall, even a cheap
Linksys with only NAT.

Ric Griffy


"Alastair Smith" <asmith@c-it.co.uk> wrote in message
news:a84041bd.0404051303.3fa56986@posting.google.com...
> Bluto <arf-arf@doubleclick.net> wrote in message
news:<2o6dnZbrkcHxrezdRVn-hQ@comcast.com>...
> > Alastair Smith wrote:
> >
> > > The technical details of the server are as follows: -
> > >
> > > Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
> > > sp1 and all other Microsoft critical updates.
> > > McAfee Netshield.
> >
> > There are, reportedly, a number of zero-day exploits (no notice,
> > no patch) in MS tools and OS being used by professional
> > black hats, especially in Russia. Obviously, this is hard to
> > verify. However, it's possible that there are some, and that
> > your script-kiddie got one (a pro hacker wouldn't advertise,
> > like yours has done) and used it on you.
> >
> > But, there's a general consensus, at least in the Windows AND
> > Linux using community that I'm part of, that anything with ActiveX
> > is NOT appropriate for exposure to the Internet. And, it
> > sounds like you may well have some ActiveX 'bits' showing in
> > public. If so, that may well be an approach you want to reconsider.
> > ActiveX was designed for convenience, not security.
> >
> > Also, web mail tools (including those running on Linux) have a
> > pretty spotty security record -- you may want to see how you
> > can lock down (and log) those tools further, once you are back
> > up and running.
>
>
> Hi,
>
> Thank you Bluto and Duane for your input on my problem.
>
> Bluto, you're absolutely right, a pro wouldn't advertise except to
> gloat. Let's face it though, anyone with the ability to use a search
> engine and a mediocre knowledge of the OS could manage this because
> the info is so readily available via the net - very clever hack, but I
> can think of much better things to do with spare time other than
> hacking people's servers, so obviously not that clever! ;-).
>
> Duane, I'm glad for your feedback, I noticed your name all over the
> newsgroups, especially with articles relating to similar issues to
> this. How come you know so much about this problem ?
>
> Anyway, the Process Explorer utility was fantastic in resolving this,
> I used Active Ports to get the process ID of the instance of svchost
> that was utilising port 80, I then used Process Explorer to delve into
> where the svchost was launched from.
>
> The dodgy file turned out to be hidden within
> c:\winnt\system32\wbem\bad\usr32\backup - the folders were set to
> hidden and permissions had been revoked to nothing, which explains why
> I couldn't find the illegal copy of svchost.exe.
>
> Anyway, with the right know-how it all turned out to be easy enough to
> remove, I just have to make sure there are no other illegal processes
> running as I don't want to rebuild the server if I can avoid it, but I
> also need to be able to trust it.
>
> This has been a learning curve, but every day's a school day in IT!
> Thank you so much for your help guys - I hope this post helps any other
> people with the same problem.
>
> All the best
> Alastair
>
Anonymous
April 26, 2004 10:27:00 AM


We had the same problem today (webserver hacked during the weekend) and
(thank you to all of you) we resolved the problem (as suggested) by
deleting from the registry the 2 service instances named TCP-IP (all upper
case) calling this service during the server's startup.

But we fear that it can happen again, does anyone know if an
appropriate patch exists in order to fix the "security hole"?
Our server (WIN2000 SRV SP4) was patched last time 15 days ago with
all the patches available from "microsoft update" except for MS04-011
(we installed it today, the server had been hacked during the last
week-end) but I'm not sure if this patch addresses the problem (the
first post is dated 04-04-2004).

If you may help...
many thanks in advance!

best regards

Walter Geromel
April 26, 2004 4:39:37 PM


We also noticed the same problem this morning, and one of our web servers
had been hacked over the weekend. Thanks to all of you we also have solved
the problem.

best regards

Simone G.



--
Six
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message171959.html
Anonymous
April 26, 2004 8:55:59 PM


"Walter Geromel" <waltger@usa.net> wrote in message
news:b47388b4.0404260527.580a9040@posting.google.com...
> We had the same problem today (webserver hacked during the weekend) and
> (thank you to all of you) we resolved the problem (as suggested) by
> deleting from the registry the 2 service instances named TCP-IP (all upper
> case) calling this service during the server's startup.
>
> But we fear that it can happen again, does anyone know if an
> appropriate patch exists in order to fix the "security hole"?
> Our server (WIN2000 SRV SP4) was patched last time 15 days ago with
> all the patches available from "microsoft update" except for MS04-011
> (we installed it today, the server had been hacked during the last
> week-end) but I'm not sure if this patch addresses the problem (the
> first post is dated 04-04-2004).
>

This is just MHO of course and it also depends on how secure you have the
machine to begin with too. But I think BlackIce's Application Control would
help prevent it, or would have helped you notice off the bat that
something was not right, since the machine is running 24/7 it appears.

The BlackIce Application Control would have logged the location of the
Trojan svchost.exe being executed, as the offender would have had to reply
to the notification/response message for any new program element exe(s),
dll(s) or whatever that was introduced to the machine and tried to execute.
That's if the offender could even reply to the message.

Duane :) 
Anonymous
April 27, 2004 5:34:21 PM


This problem has generated a lot of interest, yet there still appears
to be no other info on this problem I can find either, I have had
another customer system hacked this week with a similar instance of
this and I am now determined to figure out how this got on to the
server - fortunately it was dead easy to fix after dealing with it the
first time!

This time it was on a Windows 2000 server running SP4 and McAfee, its
only visibility on the web is via port 80 and FTP forwarded via a
router and I'm pretty sure a virus can be ruled out now. Judging from
what many people have said the latest updates don't always help that
much apart from perhaps MS04-011, although I'd like to see this
running for a longer duration unhacked before I can be certain.

The hack leaves several source files on the server in the
'c:\winnt\system32\wbem' folder and isn't consistent as to what
executables it uses for the illegal services, possibly linked to
hackers updating this with newer revisions - this time it was in
'tskman.exe', it had also left a number of files such as a .dll under
the same filename, along with a carun.ocx file that started off with
jumbled text yet all lines started with a ; - after drilling down
through the file it had some valid lines at the bottom...

This hack uses the ServU ftp program and places it in this hidden
folder, both instances of this hack had a readme.txt file with several
clues as to what files had been left. From what I have found on
various hacking websites, the majority of which are Russian, I am
almost certain this problem is an exploit of various open ports, it
hints that it is sometimes there to hijack bandwidth for warez servers
but I could be wrong.

I plan to continue looking into this and will try and post an update
when I have more info.

Regards
Alastair
Anonymous
April 29, 2004 3:07:29 PM


This is a hack used by morons (good hackers) from IRC which use ftp to
share files. There are lots of them, from all over Europe.
They don't have a life, they have computers instead.
The way it works is, it scans servers for open ftp ports and write
access to folders, then tries to install Serv-U or a similar ftp server which
replaces IIS. All this to use your internet connection to share files.
All good, but why the heck they have to ruin the web server on port 80 I
don't know. Not very smart, but...well



--
pink