Re: Security Problem...

From: Greg (greg_68@hotmail.com)
Date: 02/10/03


From: "Greg" <greg_68@hotmail.com>
Date: Mon, 10 Feb 2003 11:31:34 -0700


The text file that I found on my system is named 1.txt and I found it in my
c:\temp\ directory. This has happened before on other installations of
Windows XP that I've done locally and I had found the text (named something
else at the time) in c:\ and d:\.

I checked the IIS web server and FTP server logs and the only IP address is
mine. I have them both set to show full details (I set that a long time
ago).

As far as my firewall logs, here's what's listed under connections:

  Local Service Port   Remote IP Address   Remote Service Port
  1027                 localhost           4323, 4321, 4301 (and other 42xx and 43xx)
  4328                 (pop3 server)       110

Those repeat. Under the firewall logs it shows a lot of:

TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
Source IP address: 66.201.243.169
Destination IP address: desktop(68.2.207.254)
TCP Source Port: http(80)
TCP Destination Port: 9488
TCP Message Flags: 0x00000011

all from the same IP address.

Here's what "netstat -an | find /i "Listen"" (as recommended by another
person's post) shows (I added 90 and 91 for the IIS web server, although I
only need one):

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:90             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:91             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1415           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3744           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4293           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4294           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    68.2.207.254:25        0.0.0.0:0              LISTENING
  TCP    68.2.207.254:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING
  TCP    192.168.178.1:139      0.0.0.0:0              LISTENING
  TCP    192.168.255.1:139      0.0.0.0:0              LISTENING

Here's established:

  TCP    68.2.207.254:4294      207.46.248.16:119      ESTABLISHED
  TCP    127.0.0.1:1027         127.0.0.1:4293         ESTABLISHED
  TCP    127.0.0.1:4293         127.0.0.1:1027         ESTABLISHED

Applications I have open are Outlook, Outlook Express, and Borland Delphi.
I also have Microsoft SQL Server 2000 Developer installed and MySQL 4. Both
services are currently disabled. And PostCast SMTP Server. And then of
course, Norton Personal Firewall and Norton AntiVirus.

Thanks for the links, I'll take a look at them and make changes.

The odd thing about this is that it's happened to me over the last year or
so about 4 times. It didn't happen when I had a Linksys Router hooked up.
I no longer have it, so maybe I should just buy a new router and format. I
also never had this problem with Windows 2000 Professional. Only since
installing Windows XP. Maybe it's just a coincidence.

I was really hoping to find out exactly how this is happening to help
prevent it in the future and also warn others that I know about it.

"x y, mvp" <levinson_k@despammed.com> wrote in message
news:O$7YGdS0CHA.1624@TK2MSFTNGP10...
> You could probably tell us... where are you seeing those requests to
> download those files? Which log? Is there anything in your IIS web
> server logs? What are you seeing in your firewall logs that is INCOMING
> to your computer, and what are the ports being used?
>
> A very typical scenario is for a hacker to use an IIS web service
> vulnerability where specially crafted URL requests are sent to the web
> server that cause your computer to try to download an FTP server, usually
> Serv-U FTP. There are probably other vectors of entry besides just IIS
> www. If this is the case, you'll see all this on your web server logs,
> assuming logging is enabled.
>
> Besides enabling logging and monitoring the logs on your firewall and IIS
> services, the fix is to completely harden your computer like so:
>
> http://securityadmin.info/faq.htm#hacked
> http://securityadmin.info/faq.htm#ftpfolder
> http://securityadmin.info/faq.htm#iislogs2
> http://securityadmin.info/faq.htm#iislogs
> http://securityadmin.info/faq.htm#re-secure
> http://securityadmin.info/faq.htm#harden
>
> Once hackers are able to remotely execute code on your computer, as it
> seems they are currently able to do, you have no clear way to be 100%
> certain that there are not other back doors installed to allow continued
> remote access to your system. Your choices are to format and reinstall
> everything properly, or to try your best to remove what you can find and
> hope that's enough. Either choice might be acceptable depending on your
> need for security.
> Further instructions:
>
>
>
> "Greg" <greg_68@hotmail.com> wrote in message
> news:Or6XEDJ0CHA.1812@TK2MSFTNGP11...
> > I know those are the tools that would be used for making an FTP server.
> > What I want to know is how the text file is getting sent to me. Is it
> > getting sent through a flaw in IIS, or Windows, or what? The firewall
> > doesn't seem to know anything about it.
> >
> > I don't have an FTP server running (FTP with IIS is installed; but
> > disabled unless I use it to transfer files). That IP address isn't mine.
> > I've experienced this with ZoneAlarm, Norton Personal Firewall, and
> > Microsoft's built-in firewall. I do have many years of network experience
> > and normally use hardware firewalls but this is my home computer so I
> > wasn't going to buy one.
> >
> >
> > > FTP is running at open 68.104.136.245 1415
> > > Your machine is the FTP server. The FTP you blocked are the tools you'd
> > > use if you wanted to FTP to another machine.
> > >
> > > Better get some network experience or you'll get hacked fast.
> > >
> > >
> >
> >
>
>

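The netstat and Norton firewall excerpts from Greg's post, run through a small triage script. This is an added example, not part of Greg's post or of any reply in the thread; the two sample strings are copied from the post, the set of "expected" ports (IIS on 80/90/91/443, the PostCast SMTP server on 25, and Windows XP's own 135/139/445) is an assumption made here, and the firewall heuristic is mine. Two things the script makes concrete: a TCP flags value of 0x11 is FIN+ACK, so the dropped packets from 66.201.243.169:80 to local port 9488 are consistent with a web server closing a connection the local stack no longer tracks rather than with a SYN probe of a service; and listeners 4293 and 4294 are the local ends of the ESTABLISHED sockets in the same output, which leaves 1025, 1029, 1415, 3744 and 5000 as the ports that still need an owner lookup.

```python
"""Triage helpers for the netstat -an and Norton firewall excerpts posted above.

Added example, not from the thread. The samples are copied from the post; the
expected-port set and the firewall heuristic are assumptions made here.
"""
import re

# TCP header flag bits (RFC 793), lowest bit first.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Assumed known-good listeners: IIS (80/90/91/443), the SMTP server (25) and the
# Windows XP baseline of RPC endpoint mapper (135), NetBIOS session (139), SMB (445).
EXPECTED_PORTS = {25, 80, 90, 91, 135, 139, 443, 445}

# Sample copied from the post (Windows XP "netstat -an" layout).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:90             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:91             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1415           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3744           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4293           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4294           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    68.2.207.254:25        0.0.0.0:0              LISTENING
  TCP    68.2.207.254:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING
  TCP    192.168.178.1:139      0.0.0.0:0              LISTENING
  TCP    192.168.255.1:139      0.0.0.0:0              LISTENING
  TCP    68.2.207.254:4294      207.46.248.16:119      ESTABLISHED
  TCP    127.0.0.1:1027         127.0.0.1:4293         ESTABLISHED
  TCP    127.0.0.1:4293         127.0.0.1:1027         ESTABLISHED
"""

# One Norton Personal Firewall entry, copied from the post.
FIREWALL_SAMPLE = """\
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
Source IP address: 66.201.243.169
Destination IP address: desktop(68.2.207.254)
TCP Source Port: http(80)
TCP Destination Port: 9488
TCP Message Flags: 0x00000011
"""

SOCKET_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$", re.M)
FLAGS_RE = re.compile(r"TCP Message Flags:\s*(0x[0-9A-Fa-f]+)")
PORT_RE = re.compile(r"TCP (Source|Destination) Port:\s*(?:\w+\()?(\d+)\)?")


def parse_sockets(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    return [(lip, int(lp), rip, int(rp), st) for lip, lp, rip, rp, st in SOCKET_RE.findall(text)]


def triage_listeners(text, expected=EXPECTED_PORTS):
    """Classify every LISTENING socket that is not bound to loopback.

    port -> 'expected'    in the assumed known-service set
            'ephemeral'   same port is the local end of an ESTABLISHED socket,
                          i.e. the client side of an outbound connection
            'unexplained' needs an owner lookup (netstat -ano, tasklist /svc)
    """
    socks = parse_sockets(text)
    established_local = {s[1] for s in socks if s[4] == "ESTABLISHED"}
    result = {}
    for lip, lport, _, _, state in socks:
        if state != "LISTENING" or lip.startswith("127."):
            continue
        if lport in expected:
            result[lport] = "expected"
        elif lport in established_local:
            result[lport] = "ephemeral"
        else:
            result[lport] = "unexplained"
    return result


def unexplained_ports(text):
    """Sorted list of listening ports that neither the baseline nor an open connection explains."""
    return sorted(p for p, v in triage_listeners(text).items() if v == "unexplained")


def decode_tcp_flags(value):
    """Names of the flag bits set in a value such as 0x00000011."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]


def explain_firewall_entry(entry):
    """Decode one 'invalid connection' entry; the 'looks_like' verdict is a heuristic."""
    flags = decode_tcp_flags(int(FLAGS_RE.search(entry).group(1), 16))
    ports = {side: int(p) for side, p in PORT_RE.findall(entry)}
    # A segment aimed at a port below 1024 targets a local service; one aimed at
    # a high port from a well-known source port is the tail of an outbound session.
    verdict = ("inbound to a local service port" if ports["Destination"] < 1024
               else "stale segment for a finished outbound connection")
    return {"flags": flags, "src_port": ports["Source"],
            "dst_port": ports["Destination"], "looks_like": verdict}


if __name__ == "__main__":
    print("unexplained listeners:", unexplained_ports(NETSTAT_SAMPLE))
    print("firewall entry:", explain_firewall_entry(FIREWALL_SAMPLE))
```

On Windows XP, `netstat -ano` adds the owning PID to each line and `tasklist /svc` maps PIDs to services; that pair settles what 1415 (the port the earliest reply called an FTP server) and 3744 actually are. Ports 1025 and 1029 are often RPC dynamic endpoints on XP and 5000 is where XP's SSDP Discovery service listens, but those are the kind of guesses the PID lookup exists to replace.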