Posted 25 November 2009 - 09:12 PM
I am running Server 2003 SP2 with ClamAV, to serve web pages on port 80, and email using SmarterMail by SmarterTools on port 25, and a virtual SMTP server for email on port 55525, and lastly VNC for admin. There are 2 NICs in the box; 1 for external traffic and 1 for internal. I have been attacked twice. I was notified of the first attack when web pages became unavailable. I tried to log onto the machine using VNC and could not. I went to the machine and connected a monitor. I found that mIRC was running and making repeated attempts to log on to hackmex.net using the nickname ghost. I could not kill the process. I looked at the Windows Firewall and found it full of modifications, including the addition of mIRC, Remote Desktop, and several unrecognized ports. I rebooted the machine and found that 2 command boxes flashed on the screen and mIRC started up again.
Rather than troubleshoot the problem, I formatted the drive and reinstalled Server 2003. All passwords were changed. The reinstall included WINS, DNS, Active Directory, IIS, SMTP server, and file server. I opened ports for SmarterMail 25, DNS 53, IIS 80, SMTP 55525, and winVNC4.exe with scope set to custom, a single internal IP that is my management machine. So far so good for 4 days. One week to the day, I got paged at 2:00 AM because web pages were no longer visible. I went into work and looked at the machine and found that Windows Firewall had been modified. My custom ports were gone, and Remote Desktop, Configure Your Server, File and Printer Sharing, and UPnP Framework were listed but not checked. On the Advanced tab, the checkbox for my internal network was cleared. Before rebooting, I disabled logon scripts, then rebooted the machine. After the reboot, I looked at the firewall and my settings had returned. All is well for now.
Any ideas how the attacker gained access? How can I assure myself that I don't have a critter lurking in my machine? I have run ClamAV; no suspicious software. Same goes for Spybot. HijackThis showed RunOnce entries for:
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
I am not running Terminal Server on my network, so I have backed up the registry and deleted the 4 entries. I'm at my wits' end and would appreciate any insight.
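As an added example (not part of the original post or the thread), the PowerShell script below automates the two checks the post describes doing by hand: enumerating Run/RunOnce autostart entries for HKLM and for every hive loaded under HKEY_USERS (which is where the S-1-5-18/19/20 and .DEFAULT entries in the HijackThis log live), resolving each target file and its signature status, and snapshotting the Windows Firewall configuration so it can be diffed against a baseline taken right after a clean build. The baseline file path is an assumption for illustration; `netsh firewall` is the Server 2003 / XP syntax.

```powershell
# Added example, not from the original post. Assumptions: the baseline path below
# is illustrative; 'netsh firewall' is the Server 2003 / XP command syntax.

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# HKEY_USERS is not exposed as a PSDrive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-AutostartEntries {
    # HKLM plus every hive currently loaded under HKEY_USERS (SIDs, .DEFAULT, *_Classes).
    $hives = @('HKLM:') + (Get-ChildItem HKU: | ForEach-Object { "HKU:\$($_.PSChildName)" })
    foreach ($hive in $hives) {
        foreach ($sub in $runKeys) {
            $key = Join-Path $hive $sub
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Get-ItemProperty adds PSPath/PSParentPath/etc. as note properties; skip them.
                if ($p.Name -like 'PS*') { continue }
                # Expand %systemroot%-style variables exactly as the loader would.
                $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
                # Executable is either the quoted first token or everything up to the first space.
                if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
                $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
                if ($exists) {
                    # OS files on older systems are often catalog-signed and show NotSigned here;
                    # treat that as "compare the hash against a clean install", not as a verdict.
                    $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
                } else {
                    $sig = 'FileMissing'
                }
                New-Object PSObject -Property @{
                    Hive      = $hive
                    Key       = $sub.Split('\')[-1]
                    Name      = $p.Name
                    Command   = $cmd
                    Exists    = $exists
                    Signature = $sig
                }
            }
        }
    }
}

function Compare-FirewallConfig {
    param([string]$BaselinePath = 'C:\admin\firewall-baseline.txt')  # assumed location
    # Vista and later use 'netsh advfirewall show allprofiles' and
    # 'netsh advfirewall firewall show rule name=all' instead.
    $current = netsh firewall show config
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        $current | Set-Content -LiteralPath $BaselinePath
        return "Baseline written to $BaselinePath"
    }
    $baseline = Get-Content -LiteralPath $BaselinePath
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    if ($diff) { return $diff }   # '=>' lines exist only now, '<=' lines were removed
    return 'Firewall configuration matches baseline'
}

Get-AutostartEntries | Sort-Object Hive, Key | Format-Table Hive, Key, Name, Exists, Signature, Command -AutoSize
Compare-FirewallConfig
```

Run it from an administrative prompt so all loaded hives are readable. Take the firewall baseline immediately after the rebuild and keep a copy off the box, since a baseline stored on a machine that has already been compromised can be edited along with the firewall settings. A `NotSigned` or `FileMissing` result is a prompt to compare the file's hash with the same file on a known-clean install, not proof of tampering on its own.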