
server 2003, firewall attack, mIRC remotely installed


8 replies to this topic

#1 evilclemmy

evilclemmy

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:09 PM

Posted 25 November 2009 - 09:12 PM

I am running Server 2003 SP2 with ClamAV, to serve web pages on port 80, and email using SmarterMail by SmarterTools on port 25, and a virtual SMTP server for email on port 55525, and lastly VNC for admin. There are 2 NICs in the box; 1 for external traffic and 1 for internal. I have been attacked twice. I was notified of the first attack when web pages became unavailable. I tried to log onto the machine using VNC and could not. I went to the machine and connected a monitor. I found that mIRC was running and making repeated attempts to log on to hackmex.net using nickname ghost. I could not kill the process. I looked at the Windows Firewall and found it full of modifications, including the addition of mIRC, Remote Desktop, and several unrecognized ports. I rebooted the machine and found that 2 command boxes flashed on the screen and mIRC started up again.

Rather than troubleshoot the problem, I formatted the drive and reinstalled Server 2003. All passwords were changed. The reinstall included WINS, DNS, Active Directory, IIS, SMTP server, file server. I opened ports SmarterMail 25, DNS 53, IIS 80, SMTP 55525, and winVNC4.exe with scope custom to a single internal IP that is my management machine. So far so good for 4 days. One week to the day I got paged at 2:00 AM because web pages were no longer visible. I went into work and looked at the machine and found that Windows Firewall had been modified. My custom ports were gone, and Remote Desktop, Configure Your Server, File and Printer Sharing, and UPnP Framework were listed but not checked. On the Advanced tab, my internal network checkbox was cleared. Before rebooting, I disabled logon scripts and rebooted the machine. After reboot, I looked at the firewall and my settings had returned. All is well for now.

Any ideas how the attacker gained access? How can I assure myself that I don't have a critter lurking in my machine? I have run ClamAV; no suspicious software. Same goes for Spybot. HijackThis showed RunOnce entries for:

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

I am not running Terminal Server on my network, so I have backed up the registry and deleted the 4 entries. I'm at my wits' end and would appreciate any insight.


#2 evilclemmy

evilclemmy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:09 PM

Posted 26 November 2009 - 12:28 AM

I have also just found that something keeps re-adding an Outlook Express directory. The process path is \??\c:\windows\system32\winlogon.exe (yes, the ?? is intentional).

#3 atterno

atterno

  • Members
  • 1 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 26 November 2009 - 12:53 AM

Dude, I have also faced hacker issues on numerous occasions. The permanent cure that I would advise is an IP change from your ISP and installing a hardware firewall on your premises. Please note that this is in addition to all the troubleshooting or reinstalling tasks that you are going to perform to get your server back to normal.

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:01:09 AM

Posted 26 November 2009 - 01:48 PM

I will forward your problem to someone more experienced.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,463 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 27 November 2009 - 08:40 AM

Since you already firewalled off all non-essential ports for your services, it's either a security issue with one of the installed products, so make sure you have all the latest updates. The other way could be a code problem. It is possible that there is some coding issue that is allowing a hacker to upload a file that gives them remote access. Have you checked your logs for unusual activity?

#6 evilclemmy

evilclemmy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:09 PM

Posted 27 November 2009 - 06:38 PM

The computer that was attacked is physically secure. There are 3 of us with access to the boxes. The logs don't show anything unusual. There are repeated 538, 576, 540 events every 5 minutes for the machinename$ user. I believe this is normal. I did find a security log entry that I am not familiar with: Event ID 515

A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: CHAP

I did find that in the IUSR_machine account properties, under Terminal Services Properties, the "Deny this user permissions to log on to any Terminal Server" checkbox had been cleared, and under the Remote Control tab, the "Enable remote control" checkbox had been checked.

90 minutes prior to the web server going down, I found this entry listed 5 times:

Event ID 1003
Notification of policy change from LSA/SAM has been retried and failed. Error 4312 to save policy change for account S-1-5-21-956619237-3021118346-1700759653-2607 in the default GPO

The SID belongs to the IUSR_machine account.

Any insight into the HKUS entries I deleted?
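The triage described in this post, separating the 538/576/540 machine-account churn that recurs every 5 minutes from the one-off 515 and 1003 entries in the window before the outage, can be automated. The following is an added example, not code from the thread or any of its posters. It assumes the Security log has been exported as tab-separated "timestamp, event ID, account, message" lines (an assumed export layout), and the sample records it builds are constructed to mirror the pattern described above, with a placeholder in place of the real SID:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed export layout for this example: "YYYY-MM-DD HH:MM:SS<TAB>event_id<TAB>account<TAB>message"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    ts, event_id, account, message = line.rstrip("\n").split("\t", 3)
    return {"ts": datetime.strptime(ts, TS_FORMAT),
            "event_id": int(event_id), "account": account, "message": message}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def periodic_keys(records, min_count=4, tolerance=0.10):
    """(event_id, account) pairs whose occurrences repeat at a steady interval,
    e.g. the 538/540/576 machine-account logons every five minutes. A pair needs
    at least min_count occurrences, and every gap must sit within tolerance of
    the median gap, before it is treated as background noise."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["event_id"], r["account"])].append(r["ts"])
    periodic = set()
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = median(gaps)
        if m > 0 and all(abs(g - m) <= tolerance * m for g in gaps):
            periodic.add(key)
    return periodic


def events_before(records, outage, window_hours=2):
    """Non-periodic events in the window leading up to the outage, oldest first.
    `outage` is a timestamp string in TS_FORMAT."""
    outage_ts = datetime.strptime(outage, TS_FORMAT)
    start = outage_ts - timedelta(hours=window_hours)
    noise = periodic_keys(records)
    hits = [r for r in records
            if start <= r["ts"] <= outage_ts
            and (r["event_id"], r["account"]) not in noise]
    return sorted(hits, key=lambda r: r["ts"])


def build_sample():
    """Constructed sample (not real log data): five-minute machine-account churn
    from 00:00 to 01:55, plus a few one-off events, ahead of a 02:00 outage."""
    lines = []
    start = datetime(2009, 11, 26, 0, 0, 12)
    for i in range(24):
        ts = (start + timedelta(minutes=5 * i)).strftime(TS_FORMAT)
        for eid, msg in ((540, "Successful Network Logon"),
                         (576, "Special privileges assigned to new logon"),
                         (538, "User Logoff")):
            lines.append(f"{ts}\t{eid}\tSERVER01$\t{msg}")
    lines += [
        "2009-11-25 20:10:00\t1003\tSYSTEM\tPolicy change retried and failed. Error 4312 for account SID-PLACEHOLDER",
        "2009-11-26 00:17:44\t515\tSYSTEM\tA trusted logon process has registered with the LSA. Logon Process Name: CHAP",
        "2009-11-26 00:30:05\t1003\tSYSTEM\tPolicy change retried and failed. Error 4312 for account SID-PLACEHOLDER",
        "2009-11-26 00:30:07\t1003\tSYSTEM\tPolicy change retried and failed. Error 4312 for account SID-PLACEHOLDER",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    records = parse_log(build_sample())
    print("periodic noise:", sorted(periodic_keys(records)))
    for r in events_before(records, "2009-11-26 02:00:00"):
        print(r["ts"], r["event_id"], r["account"], r["message"])
```

The periodic filter is deliberately strict (every gap within 10% of the median), so a burst of the same event ID from the same account, or a single extra logon outside the schedule, still surfaces; the earlier 1003 from the previous evening is dropped only because it falls outside the two-hour window, not because it was judged benign.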

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,463 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 27 November 2009 - 08:42 PM

This should give you some insight as to the RunOnce entries:

http://www.theshonkproject.com/index.php?o...46&Itemid=1

Not sure if they are anything to be concerned about. I see them in a lot of legitimate logs.

When I say logs, I don't mean the event viewer logs. I mean the IIS web site logs.

#8 evilclemmy

evilclemmy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:09 PM

Posted 28 November 2009 - 07:41 PM

Looking through the IIS logs, I don't see anything but GET and the occasional spider. I've locked the machine down so tightly that it isn't communicating with the AD controller.
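Grinler's advice to read the IIS web site logs, and the reply above that they show "nothing but GET", are the cue for a small W3C-format log pass that looks for more than the request method: script files requested from directories that should only hold static content, traversal patterns, server errors, and 404 bursts from one client. This is an added example, not code from the thread or from IIS; the log lines are constructed, the IPs are documentation ranges, and the "static-only" directory list is an assumption a site owner would adjust:

```python
from collections import Counter

# Constructed IIS 6 W3C extended log excerpt (not real traffic). The #Fields line
# is the standard IIS header; values are space-separated with "-" for empty.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-11-26 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-11-26 00:01:02 10.0.0.5 GET /index.htm - 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2009-11-26 00:01:03 10.0.0.5 GET /images/logo.gif - 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2009-11-26 00:09:41 10.0.0.5 GET /robots.txt - 80 - 198.51.100.2 Googlebot/2.1 200 0 0
2009-11-26 00:22:15 10.0.0.5 POST /upload.asp - 80 - 192.0.2.9 Mozilla/4.0 200 0 0
2009-11-26 00:22:16 10.0.0.5 GET /uploads/new.asp - 80 - 192.0.2.9 Mozilla/4.0 200 0 0
2009-11-26 00:23:01 10.0.0.5 GET /images/../../web.config - 80 - 192.0.2.9 Mozilla/4.0 404 0 2
2009-11-26 00:23:02 10.0.0.5 GET /admin/ - 80 - 192.0.2.9 Mozilla/4.0 404 0 2
2009-11-26 00:23:03 10.0.0.5 GET /backup.zip - 80 - 192.0.2.9 Mozilla/4.0 404 0 2
2009-11-26 00:40:10 10.0.0.5 GET /search.asp q=test 80 - 203.0.113.7 Mozilla/4.0 500 0 0
"""

# Assumed site layout: these directories are expected to serve only static files.
STATIC_ONLY_DIRS = ("/uploads/", "/images/")
SCRIPT_EXTS = (".asp", ".aspx", ".exe", ".dll", ".cgi", ".php")


def parse_iis_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header names.
    Rows whose column count does not match the header are skipped, not guessed at."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def flag_requests(records):
    """Per-request findings as (reason, record) pairs, in log order."""
    findings = []
    for r in records:
        method = r["cs-method"]
        stem = r["cs-uri-stem"].lower()
        query = r["cs-uri-query"].lower()
        status = int(r["sc-status"])
        if method not in ("GET", "HEAD"):
            findings.append((f"{method} request", r))
        if ".." in stem or ".." in query or "%2e%2e" in query:
            findings.append(("path traversal pattern", r))
        if stem.endswith(SCRIPT_EXTS) and stem.startswith(STATIC_ONLY_DIRS):
            findings.append(("script requested from static-only directory", r))
        if 500 <= status < 600:
            findings.append((f"server error {status}", r))
    return findings


def not_found_bursts(records, threshold=3):
    """Client IPs that produced at least `threshold` 404s: scanner-like behaviour."""
    counts = Counter(r["c-ip"] for r in records if r["sc-status"] == "404")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_iis_w3c(SAMPLE_IIS_LOG)
    for reason, r in flag_requests(recs):
        print(f"{r['date']} {r['time']} {r['c-ip']:>14} {reason}: {r['cs-method']} {r['cs-uri-stem']}")
    print("404 bursts:", not_found_bursts(recs))
```

The point of the static-only check is that a successful upload rarely shows up as anything dramatic in the log: it is the POST to the upload handler followed by a GET of a script file from a directory that should never serve scripts, both with status 200, that deserves a second look.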

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,463 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 29 November 2009 - 08:53 AM

Typically, if you are continuously getting hacked it is one of the following three things:

1. Faulty code in the web site allowing a file to be uploaded and executed. This gives remote code execution ability.

2. Vulnerabilities in the software itself that you are using.

3. Or local access through the network or at the keyboard.
