Windows Server 2008 (Port Scanning Network)


18 replies to this topic

#1 aznspy256

Posted 31 March 2014 - 12:21 PM

Hi guys. I need some help with my server because I suspect a rootkit on it. Looking through the firewall logs of the workstations on the network, they say that the server's IP is port scanning them. I have already used multiple scanners and received assistance from a BleepingComputer member, but we were not able to locate it.

Here is the previous post on it:

http://www.bleepingcomputer.com/forums/t/528037/rootkit-on-windows-server-2008-port-scanning-network/page-2

Thank you for your time for looking at it.
Mod Edit:  Modified title to eliminate confusion and reflect actual issues - Hamluis.


Edited by hamluis, 17 May 2014 - 11:28 AM.




#2 Oh My! (Malware Response Instructor)

Posted 07 April 2014 - 01:25 PM

I am attempting to follow up on it now and see if I can get someone to take a look at it.
Gary

If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 bling76

Posted 09 April 2014 - 06:12 PM

What port is it trying to connect to on the workstations?



#4 technonymous

Posted 10 April 2014 - 05:02 AM

OK, I have been sending private messages since the first thread was locked. I guess we can continue here. I basically gave info on how to log. The command below will log established connections every 10 seconds and output them to a netstat.txt file until cmd.exe is closed or Ctrl+C is pressed. It outputs the IP/TCP info, PID, and the file being used.

Run CMD.exe as administrator.

Run the command: netstat -bo 10 > c:\netstat.txt

This will be helpful too, to log what services are running.

Run the command: tasklist /svc > c:\tasklist



#5 aznspy256 (Topic Starter)

Posted 11 April 2014 - 10:57 AM

Here are the firewall logs for the computers getting port scanned.

Attached Files



#6 technonymous

Posted 12 April 2014 - 05:17 AM

From those logs, two IPs are coming from Russia. This looks like some hacker is mapping and exploiting a hole in your network. What machine is 192.168.1.208? You seriously need to get someone there to take care of this and go over the router, servers, services, client machines, etc.

81.9.105.78 to 192.168.1.11:28858 UDP Detected unexpected data in protocol

178.209.225.60 to 192.168.1.8: 26303 UDP Detected unexpected data in protocol

Detected Port Scanning attack  192.168.1.208:5355  to  192.168.1.20:64993  UDP  



#7 aznspy256 (Topic Starter)

Posted 14 April 2014 - 10:13 AM

192.168.1.208 is the server. That's why I think the server is infected. Technically I'm supposed to take care of this situation, which is why I need your guidance.



#8 JohnnyJammer

Posted 14 April 2014 - 11:36 PM

Your server is in fact scanning each machine on your network looking to spread malware. What type of server is it, Windows 2008 R2? Is it a domain controller, and which services is it running?

Can you run these commands in an elevated command prompt and post the results? Do you also have ESET Antivirus along with the firewall?

Get roles from the server:

servermanagercmd -query | find /i "[X]" | sort >> C:\Roles.txt

Get service name, startup type, state, path name, etc.:

wmic service get name, pathname, startmode, state | sort >> C:\Services.txt


#9 JohnnyJammer

Posted 15 April 2014 - 12:49 AM

On closer inspection, I think it's just a broadcast address used for LLMNR.

Running this command in a DOS prompt will show you the service port it uses. Basically link-local multicast. Have you got network discovery on, and also the Computer Browser service set to disabled?

type C:\Windows\System32\drivers\etc\services | find /i "5355"

llmnr            5355/tcp                           #LLMNR
llmnr            5355/udp                           #LLMNR

Go to services.msc in Run and then stop the service "Link-Layer Topology Discovery Mapper" if it's running on the server. You should also see these in the firewall rules zone under File and Print Sharing. Hope this helps.

Edited by JohnnyJammer, 15 April 2014 - 12:55 AM.
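Added example, not from any poster in this thread: a small Python triage script over the three firewall entries quoted in post #6, applying the reading this post arrives at. It separates the LAN-to-LAN entry with UDP source port 5355 (an LLMNR reply, which a host firewall can mislabel as a port scan) from the two entries with public source addresses; the regex and the labels are my own assumptions about the ESET log export format.

```python
import ipaddress
import re

# Constructed sample in the shape of the three ESET firewall entries posted in
# this thread (the real log export has more columns than this).
SAMPLE_LOG = """\
81.9.105.78 to 192.168.1.11:28858 UDP Detected unexpected data in protocol
178.209.225.60 to 192.168.1.8: 26303 UDP Detected unexpected data in protocol
Detected Port Scanning attack  192.168.1.208:5355  to  192.168.1.20:64993  UDP
"""

LLMNR_PORT = 5355  # Link-Local Multicast Name Resolution (UDP and TCP 5355)

# Tolerates the inconsistent spacing around ':' and 'to' seen in the posted lines.
ENTRY = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\s*(?P<sport>\d+))?\s+to\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s*(?P<dport>\d+)\s+(?P<proto>TCP|UDP)"
)

def parse_entry(line):
    """Return (src, sport, dst, dport, proto), or None if the line does not match."""
    m = ENTRY.search(line)
    if not m:
        return None
    sport = int(m["sport"]) if m["sport"] else None
    return m["src"], sport, m["dst"], int(m["dport"]), m["proto"]

def classify(src, sport, dst, dport, proto):
    """Label one entry the way the thread ended up reading these logs."""
    src_private = ipaddress.ip_address(src).is_private
    dst_private = ipaddress.ip_address(dst).is_private
    # A LAN host answering from UDP 5355 to a high port on another LAN host is an
    # LLMNR name-resolution reply; host firewalls commonly flag it as a "scan".
    if proto == "UDP" and sport == LLMNR_PORT and src_private and dst_private:
        return "llmnr-reply"
    # A public source reaching a LAN host directly is an inbound probe that got
    # through the router, which points at router/NAT settings, not the server.
    if not src_private and dst_private:
        return "inbound-external-probe"
    return "review"

def triage(log_text):
    """Parse every matching entry and return (src, dst, dport, label) tuples."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            results.append((parsed[0], parsed[2], parsed[3], classify(*parsed)))
    return results
```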


#10 technonymous

Posted 16 April 2014 - 05:58 AM

Looks like SQL Server, QuickBooks, and Hamachi-2 VPN in the mix. With default ports and things running like that, you're going to get lots of incoming hacker probes hitting the router. Typical ports used depend on the network and server cluster management, etc.

Some links for reference:

http://msdn.microsoft.com/en-us/library/cc646023%28v=sql.120%29.aspx

http://technet.microsoft.com/en-us/library/cc646023.aspx

http://learnersstreak.wordpress.com/2011/04/27/ports-used-by-sql-server/



#11 aznspy256 (Topic Starter)

Posted 16 April 2014 - 04:31 PM

@JohnnyJammer

This is a Windows Server 2008 R2 machine. I took a screenshot of the service, and the funny thing is that the service is set to manual and is not on.

Also, the company does have the whole ESET suite on each machine (antivirus and firewall).

I'm sorry for the slow response, since I only work MWF. But I really appreciate the help and feedback you guys are posting.

Attached Files



#12 technonymous

Posted 16 April 2014 - 05:57 PM

You should change the SQL listener ports 1433 and 1434 to something else on the SQL server and router. Services look fine.

Edit: Also check in the router under the security tab: block anonymous requests, filter multicast, filter ident port 113, uncheck NAT redirection. In the admin tab, disable UPnP.


Edited by technonymous, 16 April 2014 - 06:05 PM.


#13 JohnnyJammer

Posted 16 April 2014 - 08:13 PM

Everything looks good from here, nothing jumping out at me anyway. You could always fire up a packet sniffer and sit there and monitor the network for a while, or use Process Explorer from Sysinternals to do more digging.



#14 Sneakycyber (Network Engineer, BC Advisor)

Posted 17 April 2014 - 05:03 PM

Sorry for the delay in responding; JohnnyJammer and technonymous seem to have a good grasp on the problem. What kind of network firewall/router/ASA are you using, if any, in front of your server/network?


Edited by Sneakycyber, 17 April 2014 - 05:03 PM.

Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +

#15 aznspy256 (Topic Starter)

Posted 21 April 2014 - 12:46 PM

@Sneakycyber

All the computers and the server are using ESET Firewall and Antivirus. The router is the standard Verizon FiOS router/modem. There is no ASA.

@JohnnyJammer

There are still port scans, but a lot less frequently. Honestly, I don't feel satisfied. Do you know how to log the info from Process Explorer from Sysinternals? I have it on the screen checking each process with VirusTotal and comparing the official hash. I want to catch the process when it is in motion, but I can't stare at the screen 24/7.

@technonymous

I know running all these apps will attract unwanted attention, but I don't think I will be changing ports for SQL. I'm also looking at the router logs, and there isn't any scan or attack detected whatsoever.
