Re: Server Compromised

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 07/21/04


Date: Wed, 21 Jul 2004 14:54:17 -0400

Bernie wrote:
> Laura,
>
> I agree with you on it not being "our server" anymore.
>
> As far as the standard recommendation:
>> * Only install software and services that you need
> The only non-IIS app needed was Webtrends
>> * Disable any services that you're not using
> Did that
>> * Stay up-to-date on anti-virus signatures and security
>> patches
> Did that - I check server patches once per week, and update
> AV defs every Thursday and Monday AM
>> * Use a software- or hardware-based firewall to limit who
>> can connect to the machine, and what they can do once they
>> get there
> I use a hardware firewall, and have the IIS server isolated
> from the LAN by placing it on a DMZ.
>
> This server also serves as my primary NS server, and also
> hosts the DNS server; it's going to be a major task to
> completely rebuild and reconfigure the server, but it's
> something I agree I need to do.

I agree with Laura, too. I'd also consider putting IIS (or whatever
webserver you choose) on another dedicated box - don't run your DNS on it.
>
>
>> -----Original Message-----
>> This is a long-standing debate, but I am of the opinion that you
>> can't really trust a compromised server again unless you
>> rebuild it again from the
>> ground up using known-good media. The difficulty lies in the fact
>> that once a bad guy gets their own software to run on your
>> server...it's NOT YOUR SERVER anymore. Even if you run every
>> spyware and anti-virus scan imaginable, you can never be 100% sure
>> that you didn't miss something.
>>
>> In terms of avoiding future compromises, standard hardening tactics
>> are in order:
>>
>> * Only install software and services that you need
>> * Disable any services that you're not using
>> * Stay up-to-date on anti-virus signatures and security patches
>> * Use a software- or hardware-based firewall to limit who
>> can connect to the machine, and what they can do once
>> they get there
>
>>
>> --
>> ******************************
>> Laura E. Hunter - MCSE, MCT, MVP
>> Replies to newsgroup only
>>
>>
>> "Bernie" <anonymous@discussions.microsoft.com> wrote in message
>> news:156101c46f2e$9b2b9540$a301280a@phx.gbl...
>>> We have IIS loaded on 2000 Server, this morning I logged
>>> onto the server (server is on DMZ) using administrator
>>> account and password. I then proceeded to install an
>>> application (trojan remover - Had a web visitor call into
>>> the company saying when he visited our website a Trojan
>>> attempted to install onto his PC), but I then got a
>>> message saying I was not logged on as administrator? I
>>> logged off (noticed that I only had "log off as
>>> administrator" option - no shutdown option under "shut
>>> down"), I proceeded to log off, logged on again with same
>>> password.. still same results when trying to install. I
>>> went into computer admin to try view user accounts and got
>>> the message saying I was not logged on as administrator!
>>>
>>> I then used Run As command to install the TR.. I was
>>> prompted for administrator password, and got error message
>>> about wrong password! I then started entering in various
>>> words.. and voila.. "password" worked as the password, I
>>> installed Trojan remover. Logged off the server, entered
>>> in "password" as the password.. and I was logged onto the
>>> server, I proceeded to Computer admin, changed
>>> the "password" for administrator account and it
>>> worked, I
>>> was now logged on as administrator. I ran TR and it found
>>> wolfmd.bat in programs\startup. I have found that
>>> wolfmp.bat is a keyboard capture utility, am I right? I
>>> have also found that it could be related to Wolfenstein
>>> game servers? I removed wolfmp from startup. I have since
>>> found wolfmp.bat shortcut in \HKEY_USERS\S-1-5-21-
>>> 18....\console\wolfmp.bat
>>>
>>> I then installed Spybot, and it found DSO and Alexa.
>>>
>>> I guess where I am going with this is this;
>>> I keep my servers up to date with patches and AV
>>> protection at all times, and do not use easy to guess
>>> passwords.
>>> What else can I do, and what can I do to further
>>> investigate what was done?
>>> How would the Windows 2000 server let me log on
>>> as "administrator" user account with 2 different
>>> passwords? One with no rights, and one with full admin
>>> rights? This server used to be on our local Domain, I
>>> changed that when I came onboard.. could it have been
>>> using cached password from the old domain, and not using
>>> the local user account?
>>> How can I find out if my IIS server is being used as a
>>> game server?
>>>
>>> Hope this makes sense to you guys
>>>
>>> TIA - Bernie
>>>
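The hardening checklist in the thread and Bernie's startup-folder and registry findings both point at the same defensive first step: know what is set to run automatically on the box. The script below is an added example, not code from anyone in the thread; it assumes a current Windows host with PowerShell 5 or later and an elevated prompt, and the set of locations and the "worth a second look" patterns are my own choices.

```powershell
# Added example (not from the thread): list common Windows autostart locations so that an
# unexpected entry, like the wolfmp.bat found in Programs\Startup, stands out. Assumes
# PowerShell 5+ on an elevated prompt; this covers Startup folders and Run/RunOnce keys only.
$findings = New-Object System.Collections.Generic.List[object]

# 1. Startup folders: the all-users folder plus each profile's per-user folder
$startupPaths = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
foreach ($profile in (Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue)) {
    $startupPaths += Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
foreach ($p in $startupPaths) {
    if (-not (Test-Path $p)) { continue }
    foreach ($file in (Get-ChildItem -Path $p -File -Force)) {
        $findings.Add([pscustomobject]@{
            Location = 'StartupFolder'; Source = $p; Name = $file.Name
            Value = $file.FullName; Modified = $file.LastWriteTime
        })
    }
}

# 2. Run / RunOnce keys under HKLM and under every loaded user hive in HKEY_USERS
$runSubkeys = 'Software\Microsoft\Windows\CurrentVersion\Run', 'Software\Microsoft\Windows\CurrentVersion\RunOnce'
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$hives = @('HKLM:') + @(Get-ChildItem HKU: |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })
foreach ($h in $hives) {
    foreach ($sk in $runSubkeys) {
        $key = "$h\$sk"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PSPath/PSParentPath/... bookkeeping properties Get-ItemProperty adds
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $findings.Add([pscustomobject]@{
                Location = 'RunKey'; Source = $key; Name = $prop.Name
                Value = $prop.Value; Modified = $null
            })
        }
    }
}

# 3. Flag entries that launch a script or batch file, or that live in a user-writable path
$suspicious = $findings | Where-Object {
    $_.Value -match '\.(bat|cmd|vbs|js|ps1)\b' -or $_.Value -match '\\(Temp|AppData|Users\\Public)\\'
}
$findings | Sort-Object Location, Source | Format-Table -AutoSize
'--- entries worth a second look ---'
$suspicious | Format-Table -AutoSize
```

Run it once on a freshly built server to keep a baseline, and diff later runs against it rather than reading the list cold.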