Re: Server Compromised

From: Lanwench [MVP - Exchange]
Date: 07/21/04

Date: Wed, 21 Jul 2004 14:54:17 -0400

Bernie wrote:
> Laura,
> I agree with you on it not being "our server" anymore.
> As far as the standard recommendation:
>> * Only install software and services that you need
> Only non-IIS app needed was Webtrends
>> * Disable any services that you're not using
> Did that
>> * Stay up-to-date on anti-virus signatures and security
>> patches
> Did that - I check server patches once per week, and update
> AV defs every Thursday and Monday AM
>> * Use a software- or hardware-based firewall to limit who
>> can connect to the machine, and what they can do once they
>> get there
> I use a hardware firewall, and have the IIS server isolated
> from the LAN by placing it on the DMZ.
> This server also serves as my primary NS server, and also
> hosts the DNS server; it's going to be a major task to
> completely rebuild and reconfigure the server, but
> something I agree I need to do

I agree with Laura, too. I'd also consider putting IIS (or whatever
webserver you choose) on another dedicated box - don't run your DNS on it.
>> -----Original Message-----
>> This is a long-standing debate, but I am of the opinion that you
>> can't really trust a compromised server again unless you
>> rebuild it again from the
>> ground up using known-good media. The difficulty lies in the fact
>> that once a bad guy gets their own software to run on your
>> server, it's NOT YOUR SERVER anymore. Even if you run every
>> spyware and anti-virus scan imaginable, you can never be 100% sure
>> that you didn't miss something.
>> In terms of avoiding future compromises, standard hardening tactics
>> are in order:
>> * Only install software and services that you need
>> * Disable any services that you're not using
>> * Stay up-to-date on anti-virus signatures and security patches
>> * Use a software- or hardware-based firewall to limit who
>> can connect to the machine, and what they can do once
>> they get there
>> --
>> ******************************
>> Laura E. Hunter - MCSE, MCT, MVP
>> Replies to newsgroup only
>> "Bernie" <> wrote in message
>> news:156101c46f2e$9b2b9540$a301280a@phx.gbl...
>>> We have IIS loaded on a 2000 Server; this morning I logged
>>> onto the server (server is on the DMZ) using the administrator
>>> account and password. I then proceeded to install an
>>> application (trojan remover - had a web visitor call into
>>> the company saying when he visited our website a Trojan
>>> attempted to install onto his PC), but I then got a
>>> message saying I was not logged on as administrator? I
>>> logged off (noticed that I only had the "log off as
>>> administrator" option - no shutdown option under "shut
>>> down"), I proceeded to log off, logged on again with the same
>>> password.. still the same results when trying to install. I
>>> went into computer admin to try to view user accounts and got
>>> the message saying I was not logged on as administrator!
>>> I then used the Run As command to install the TR.. I was
>>> prompted for the administrator password, and got an error message
>>> about a wrong password! I then started entering in various
>>> words.. and voila.. "password" worked as the password, I
>>> installed Trojan remover. Logged off the server, entered
>>> in "password" as the password.. and I was logged onto the
>>> server, I proceeded to computer admin, changed
>>> the "password" for the administrator account and it worked, I
>>> was now logged on as administrator. I ran TR and it found
>>> wolfmd.bat in programs\startup. I have found that
>>> wolfmp.bat is a keyboard capture utility, am I right? I
>>> have also found that it could be related to Wolfenstein
>>> game servers? I removed wolfmp from startup. I have since
>>> found a wolfmp.bat shortcut in \HKEY_USERS\S-1-5-21-
>>> 18....\console\wolfmp.bat
>>> I then installed Spybot, and it found DSO and Alexa.
>>> I guess where I am going with this is this;
>>> I keep my servers up to date with patches and AV
>>> protection at all times, and do not use easy-to-guess
>>> passwords.
>>> What else can I do, and what can I do to further
>>> investigate what was done?
>>> How would the Windows 2000 server let me log on
>>> as the "administrator" user account with 2 different
>>> passwords? One with no rights, and one with full admin
>>> rights? This server used to be on our local domain, I
>>> changed that when I came onboard.. could it have been
>>> using a cached password from the old domain, and not using
>>> the local user account?
>>> How can I find out if my IIS server is being used as a
>>> game server?
>>> Hope this makes sense to you guys
>>> TIA - Bernie
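The two things Bernie asks how to investigate (where the wolfmp.bat autostart hook lived, and why two different passwords worked for the administrator account) are worth recording with a script before the rebuild Laura recommends. This is an added example, not code from the thread or from any poster; it assumes PowerShell 5.1 on a current Windows host (Windows 2000 had no PowerShell), and the "suspicious" patterns it flags are constructed heuristics, not an authoritative list.

```powershell
# Added example: enumerate the autostart locations the thread's trojan remover
# flagged (Startup folders, Run keys under HKLM and every hive in HKEY_USERS)
# and review the local accounts. Assumes PowerShell 5.1 on a current Windows
# host; read-only, so it can be run before the rebuild to record what was there.

$findings = @()

# 1. Startup folders: the all-users folder plus each profile's own folder.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $startupDirs += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
foreach ($dir in $startupDirs) {
    Get-ChildItem $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'StartupFolder'; Entry = $_.Name; Value = $_.FullName }
    }
}

# 2. Run/RunOnce values under HKLM and every loaded user hive. The thread found
#    its wolfmp.bat reference under HKEY_USERS, so each SID hive is walked too.
$runSubkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce'
$hives = @('HKLM:') + (Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $hives) {
    foreach ($sub in $runSubkeys) {
        $key = "$hive\$sub"
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
                $findings += [pscustomobject]@{ Source = $key; Entry = $_.Name; Value = [string]$_.Value }
            }
    }
}

# 3. Flag the patterns from the thread: script files in an autostart slot, and
#    anything launched from a profile or temp directory (constructed heuristics,
#    not an allowlist; review every hit by hand).
foreach ($f in $findings) {
    $suspicious = ($f.Value -match '(?i)\.(bat|cmd|vbs|js)\b') -or
                  ($f.Value -match '(?i)\\(Users|Temp|AppData|Documents and Settings)\\')
    $f | Add-Member -NotePropertyName Suspicious -NotePropertyValue $suspicious
}
$findings | Sort-Object Suspicious -Descending | Format-Table Suspicious, Source, Entry, Value -AutoSize

# 4. Local accounts: PasswordLastSet and Administrators membership show whether
#    the built-in account was touched or a second privileged account was added.
Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet, LastLogon | Format-Table -AutoSize
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

Run it elevated so every HKEY_USERS hive and profile folder is readable, and save the output off the box; once the server is rebuilt from known-good media, this listing is the only record of what was there.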
