Re: mysterious attack on Windows 2000 servers (Help needed)
From: Mark Strelecki, ACP (be6-507@nospam.strelecki.com)
Date: 09/15/02
- Next message: David Cross [MS]: "Re: CA server not authenticating a Cisco PIX 501"
- Previous message: Enkidu: "Re: Cannot Find Logon Server"
- In reply to: Manish Jain: "mysterious attack on Windows 2000 servers (Help needed)"
- Next in thread: karl [x y]: "Re: mysterious attack on Windows 2000 servers (Help needed)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Mark Strelecki, ACP" <be6-507@nospam.strelecki.com>
Date: Sat, 14 Sep 2002 18:43:20 -0400
Are you installing the system on formatted partitions? That is, are you
wiping all drives clean when rebuilding the system or are you simply
reinstalling over the top of what remains after the "attacks"?
Are you doing the system rebuild with all systems disconnected from all
networks?
Are you installing from known good media? NOT a CD copy, but an original MS
version?
Which security tools are you using to "harden" these systems? MS has a
couple of tools - MBSA (Microsoft Baseline Security Analyzer) and HFNetChk - to
determine which patches are required and what configuration changes are
required to enable reasonable security for the systems.
What other security software is running? Updated anti-virus? Firewall (I see
ISA 2000 listed, but other than that)? Anti-Trojan?
Are you running any other server software than what you mentioned? IIS,
perhaps?
What local security do you have on these systems? Are they physically
isolated and secured or are they accessible by more than one or two trusted,
authorized persons?
Are all unnecessary services being turned off (like Telnet, or Remote
Registry Access, among others)?
Is the Guest account disabled?
Are all patches and updates applied before you attach to the network? And is
all security software installed and operating prior to network connection?
What security exists at the gateway systems in the other city? How secure
are those systems?
Let's talk about this some more. There must be an answer, as these attacks
are happening with far too great a frequency. I have my doubts as to the
degree of hardening applied, or the methods used to rebuild the systems.
Clean is best, and that means formatted drives from known clean boot media.
What else can you share with us?
Best wishes from rainy Atlanta, GA.
--
Mark Strelecki, ACP
BE6.XP1097.020817
Atlanta, GA. - Computing and Programming Since 1975
I MAKE IT GO! ©
http://www.strelecki.com/links.html
--------------------------------------
"I think the sole purpose of our inventions is to fill our needs to be mad at something." Paul Roussin, August, 2002

"Manish Jain" <manishjn@hotmail.com> wrote in message news:113d601c25c2a$22623b00$37ef2ecf@TKMSFTNGXA13...
> Dear All
>
> From last few weeks my client is having mysterious attack
> on his server. He is having 3 servers on his network and
> all of them are running on Windows 2000 Server SP3. One
> of the servers is a Domain Controller and another one is
> a Mail server running MS Exchange 2000 SP3 and the last one
> is the firewall proxy server running MS ISA 2000. He is
> connected to other branch offices through IPLC and VSAT
> links. The internet gateway is at his head office in
> another city.
>
> Now the real problem:
>
> On Aug 16, all his 3 servers got compromised and he found
> that all the files from his boot/system drive had been
> deleted. When he rebooted his server he got the message
> that NTKRNL32.exe is missing and his servers couldn't
> reboot. This happened on all 3 servers. The system
> administrator was not much aware of info sec security and
> they reinstalled all 3 servers.
>
> Then the same incident happened again on 22 Aug and after
> the incident they reinstalled the systems again. Then
> they hired me to find out the cause of the problem and
> fix it for future prevention. I started analyzing the
> network traffic and checked all their system
> configuration but I couldn't find any clue on this. Then
> on 29th Aug all 3 servers got the same attack again and
> all the files from the C:\ (which was the boot and the
> system drive) got deleted. I got the snapshot of the
> system and after analysis I found that the folder
> structure was intact but most of the system critical
> files got deleted. I found a batch file in c:\
> named "README.BAT". In this file a simple DOS command was
> written "del *.* /r/s/q". I thought that this would be a
> worm and I started searching over the internet about
> this. But I couldn't find anything over the internet
> related to this kind of incident. Then I did the OS
> hardening and updated the system with all latest patches.
> I also created an empty file "readme.bat" in c:\ and I
> removed all access for this file.
> Unfortunately this didn't work out and all the servers
> again got deleted on 2nd Sep. This time the batch file
> was not readme.bat but the same del command was written
> in Autoexec.bat
>
> I installed the network packet capturing software also
> running 24 hrs. I analyzed the packets but I couldn't
> find anything. Then the incident happened again on 9 Sep
> and I have no clue what to do now. I have taken all
> the precautions I can think of. At last I thought of
> disabling the delete command and batch file executions
> itself, so that I may stop this incident from happening again.
>
> I request everyone to please suggest to me, if you know, how
> I can stop this incident from happening and how to find out
> how it is happening. Your help will be much appreciated.
> Thanks in advance.
>
> Regards,
> Manish Jain
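As an added illustration that is not part of this thread and not code from either poster: the incident described above (a batch file at C:\README.BAT and later Autoexec.bat carrying "del *.* /r/s/q", and system-critical files vanishing before the next reboot) lends itself to two simple defender-side checks that can be run against a mounted copy of the affected drive. The first walks a directory tree for .bat/.cmd files whose lines would delete a whole drive or wildcard tree; the second keeps a hash baseline of critical files so a deletion or modification is noticed at once rather than when the server fails to boot. The sample files, the mock drive layout, and the "critical files" list are constructed for the demo and are assumptions, not an inventory of a Windows 2000 installation.

```python
"""Defensive checks for destructive batch files and for drift of critical files.

Added example, not from the thread.  The mock drive built in demo() is a
constructed stand-in: file names and contents are assumptions for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# A DEL/ERASE command (optionally prefixed with "@" to hide echo) and everything after it.
DEL_CMD = re.compile(r"^\s*@?\s*(?:del|erase)\b(?P<rest>.*)$", re.IGNORECASE)
# Single-letter switches such as /s, /q; switch order varies ("/r/s/q", "/s /q", ...).
SWITCH = re.compile(r"/([a-z])", re.IGNORECASE)
# Targets that cover a whole tree or drive: "*", "*.*", "...\*", "...\*.*", or a bare "C:\".
BROAD_TARGET = re.compile(r"^(?:[a-z]:\\?|.*\\)?(?:\*|\*\.\*)$|^[a-z]:\\?$", re.IGNORECASE)


def is_destructive(line: str) -> bool:
    """True if a batch line runs DEL/ERASE against a broad target with a recursive
    (/s) or quiet (/q) switch.  The "/r" seen in the post is accepted in the same
    role so that the exact sample line is flagged."""
    match = DEL_CMD.match(line)
    if not match:
        return False
    rest = match.group("rest")
    switches = {s.lower() for s in SWITCH.findall(rest)}
    targets = SWITCH.sub(" ", rest).split()  # strip switches, keep the path arguments
    broad = any(BROAD_TARGET.match(t.strip('"')) for t in targets)
    return broad and bool(switches & {"s", "q", "r"})


def scan_tree(root: Path):
    """Return (path, line_no, text) for every destructive line in any .bat/.cmd under root."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".bat", ".cmd"}:
            continue
        for line_no, text in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if is_destructive(text):
                hits.append((path, line_no, text.strip()))
    return hits


def baseline(paths):
    """SHA-256 per critical file; None records a file that is already missing."""
    out = {}
    for p in map(Path, paths):
        out[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None
    return out


def compare(base):
    """Return {path: 'missing' | 'changed'} for files that no longer match the baseline."""
    drift = {}
    for path, digest in base.items():
        p = Path(path)
        if not p.is_file():
            if digest is not None:
                drift[path] = "missing"
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            drift[path] = "changed"
    return drift


def demo():
    """Build a constructed mock of the C: drive, run both checks, return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        # Constructed samples modelled on the post: a destructive autoexec.bat, a harmless
        # readme.bat, and a maintenance script whose target is narrow enough to pass.
        (drive / "autoexec.bat").write_text("@echo off\ndel *.* /r/s/q\n")
        (drive / "readme.bat").write_text("@echo off\necho nothing to see here\n")
        (drive / "tools").mkdir()
        (drive / "tools" / "cleanup.bat").write_text('del "C:\\temp\\*.log" /q\n')
        # Assumed critical-file list; the bytes are placeholders, not real binaries.
        sys32 = drive / "WINNT" / "system32"
        sys32.mkdir(parents=True)
        critical = [sys32 / "ntoskrnl.exe", sys32 / "ntdll.dll"]
        for f in critical:
            f.write_bytes(b"placeholder bytes standing in for " + f.name.encode())

        hits = scan_tree(drive)
        base = baseline(critical)
        critical[0].unlink()            # simulate the deletion the post describes
        critical[1].write_bytes(b"x")   # and a tampered file
        return hits, compare(base)


if __name__ == "__main__":
    found, drift = demo()
    for path, line_no, text in found:
        print(f"destructive: {path}:{line_no}: {text}")
    for path, state in drift.items():
        print(f"{state}: {path}")
```

In practice the baseline would be taken right after the clean rebuild Mark describes (formatted drives, known-good media, patches applied before the network cable goes in) and re-checked on a schedule, so that a reappearance of the batch file or the loss of a kernel file is caught while the box is still running and can be imaged for analysis.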