Re: Our 2000 Server was compromised and it has all the security patches.

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 11/26/03

    Date: Wed, 26 Nov 2003 06:22:34 -0500


    I doubt that this is a new exploit. It's probably an old one.

    Why the heck is 1433 open at your firewall anyways? Is that necessary? Why
    is your sql server able to send anything out to the Internet on any port?
    Is everything being allowed outbound on every port? Might want to check
    whether your firewall is configured as securely as possible.

    In the US, local police and/or local FBI office might be interested if this
    is a company, although they often require proof of at least $2000 US in
    actual losses before handling a case, due to the frequency of this kind of
    attack. If that sounds unattractive or not feasible, investigate it
    yourself using the information below and/or posting to the Incidents mailing
    list at www.securityfocus.com. It may be helpful if you post the results of
    the stuff run below when posting there:

    http://securityadmin.info/faq.asp#hacked
    http://securityadmin.info/faq.asp#re-secure
    http://securityadmin.info/faq.asp#harden

    You might run hfnetchk or Microsoft's free MBSA in hfnetchk mode to check
    for patches that weren't successfully installed. It happens. If you haven't
    already removed the files, inspection of where the connections to the server
    are coming from might establish who hacked it and maybe even how. Not sure
    these are related to your hack, but as a general rule you should make sure
    you're running URLScan from Microsoft on your web server, if it's running,
    and make sure the anonymous ftp user e.g. IUSR never has both read and write
    permissions to any one FTP folder, if the server had MS FTP services
    enabled.

    "Scott Carullo" <scott@softtech.net> wrote in message
    news:08d901c3b3b9$3d4fd6b0$a101280a@phx.gbl...
    > A client of mine has a Windows 2000 Server running that
    > was just compromised. Housecall (online scan) identified
    > HKTL_SFIND.A / BKDR_RCSERV.C & BKDR_IROFFER12.A as
    > actively running.
    >
    > After brief review it appears as though hacker utilities
    > such as serv-u ftp, sms.exe, scan1000.exe, winmgmt.exe,
    > sqlck.exe etc. were loaded and used for their benefit.
    >
    > We have/had the following services running that could
    > have been exploited: SQL std. port, Terminal services
    > admin mode, and inetpub svcs. I checked just to see if
    > there were new updates to windows etc. and there are not
    > any. This concerns me because we have other servers
    > running with the same configurations with all the
    > patches/updates etc which leads me to believe they are
    > also vulnerable.
    >
    > If anyone has any information as to who to contact, who
    > to provide information to about new exploits, how our
    > system may have been exploited etc. please let me know.
    > We are preserving the hard drive for inspection if
    > necessary because we feel the system was compromised
    > beyond repair. Several system files look like they were
    > replaced with the hacker's version, and that's just from a
    > log file; there is no way to be sure. Also, the
    > scan1000.exe tool's output was piped to a log file and
    > they were scanning for port 1433 on random ranges of IPs
    > (not ours), which leads me to believe that they probably
    > came in through the SQL port if they are trying to find more.
    >
    > This may be a new SQL exploit. I ran this SELECT
    > SERVERPROPERTY('productversion'), SERVERPROPERTY
    > ('productlevel'), SERVERPROPERTY ('edition') and this is
    > what was returned fyi: 8.00.760 / SP3 / Std. Edition
    >
    > Thanks,
    > Scott
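
As an added example (not from the thread or either poster), a small Python script that triages a `netstat -an` listing the way the reply suggests: which remote addresses are talking to the server's listening ports (1433 for SQL, 21 for FTP), and which sessions the server itself opened to the outside, which is exactly what an egress-filtering firewall should not be allowing. The netstat sample and the list of "internal" address ranges are constructed assumptions; on a real Windows 2000 box you would feed it the saved output of `netstat -an`.

```python
import ipaddress
import re
# Constructed "netstat -an" listing in Windows 2000 format (sample data, not from the thread).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.40.1.161:1433       203.0.113.45:4412      ESTABLISHED
  TCP    10.40.1.161:21         198.51.100.7:1089      ESTABLISHED
  TCP    10.40.1.161:139        10.40.1.20:1052        ESTABLISHED
  TCP    10.40.1.161:3812       192.0.2.9:6667         ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

# Ranges treated as "inside" (assumed: RFC 1918 plus loopback); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")

def is_external(addr):
    """True when addr lies outside every INTERNAL_NETS range."""
    return not any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def parse_netstat(text):
    """Return (proto, local_addr, local_port, foreign_addr, foreign_port, state) per socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state = m.groups()
            rows.append((proto, laddr, int(lport), faddr, fport, state))
    return rows

def triage(rows):
    """Split ESTABLISHED sessions into inbound (peer reached a port this host LISTENs on) and
    outbound (this host initiated it).  Entries are (port, peer, peer_is_external)."""
    listening = {(proto, lport) for proto, _, lport, _, _, st in rows if st == "LISTENING"}
    inbound, outbound = [], []
    for proto, _, lport, faddr, fport, state in rows:
        if state != "ESTABLISHED":
            continue
        if (proto, lport) in listening:
            inbound.append((lport, faddr, is_external(faddr)))  # who is using our SQL/FTP ports
        else:
            outbound.append((int(fport), faddr, is_external(faddr)))  # should egress allow this?
    return inbound, outbound

if __name__ == "__main__":
    inb, outb = triage(parse_netstat(SAMPLE_NETSTAT))
    print("inbound:", inb)
    print("outbound:", outb)
```

Every external entry in the outbound list is a session the server opened on its own to the Internet; on a database host with sane egress rules that list should be empty.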

