Advice request: Backdoor hack on Windows Small Business Server 200
From: Michael Friedman (MichaelFriedman_at_discussions.microsoft.com)
Date: 05/25/05
- Next message: Eddie: "Re: Kerberos Question"
- Previous message: Roger Abell: "Re: Dear Microsoft... Rebooting servers id NOT security.."
- Next in thread: Roger Abell: "Re: Advice request: Backdoor hack on Windows Small Business Server 200"
- Reply: Roger Abell: "Re: Advice request: Backdoor hack on Windows Small Business Server 200"
- Reply: Steven L Umbach: "Re: Advice request: Backdoor hack on Windows Small Business Server 200"
- Reply: Karl Levinson, mvp: "Re: Advice request: Backdoor hack on Windows Small Business Server 200"
Date: Wed, 25 May 2005 09:01:09 -0700
I recently experienced an invasion on my server and am having trouble
identifying the cause and means of removing the malicious software. I'll
explain my process of how I determined this to give you an idea of what's
going on.
First, I noticed I was running out of hard drive space on the C: drive. I
have a 19GB partition available using NTFS as my system drive. I didn't know
where the sudden jump from 15GB of free space to 500MB came from, so I
checked the folder properties of each root folder to get the amount of data
stored in each folder. It added up to about 4GB.
I deleted a bunch of temporary files and unnecessary information to get 15%
free so I could do a defragment. While defragmenting, I noticed in the
status bar a series of file names that were not located anywhere on my
computer-- a series of very long file names with "MovieZ" and "MP3" and so on
in the middle. I realized someone had been using my server as a free storage
depot.
I have http and ftp services, but they are locked down. When I did a search
for a file or folder containing "MovieZ" it was not found.
Finally, I noticed a folder on my C: drive and E: drive (data drive) called
"System Volume Information". I was denied access to it. I realized that this
was the folder used for system restore points on Windows XP but I was running
SBS 2003 so the folder shouldn't be there. I added the administrator account
and found a single subfolder in this folder.
The subfolder was a very long file name with "control panel" then a long
GUID. Whenever I selected it, I got the control panel and control panel
elements. When I did a folder properties on "c:\system volume information" it
said I had 11GB of data in the folder, but I could not navigate to it.
Finally, I renamed the "control panel" & GUID folder to "temp" and the hack
was revealed: a long series of folders containing movies, mp3s, documents,
etc., all in French. I deleted it all, including the "C:\system volume
information".
The following day, I checked again and saw that I was getting pounded on
network traffic but no sessions were open (I have a very small network) and
none of my remote folks were using FTP or Outlook Web Access. I used network
monitor to capture some data and found a single site from France and
something.br. I use a firewall and I used it to block those IP addresses. The
traffic stopped.
However, I noticed the "System Volume Information" was back, along with a
new 900MB of stuff. Clearly some app is still on my system that goes remote
and synchronizes somewhere. Norton Antivirus Corporate 8.0 does not see any
viruses. Adaware eliminated only 2 spam cookies.
I went to Microsoft's security site and downloaded the security analyzer
(which is great) and it exposed risks in my SQL Home Edition, SBS, Exchange,
and MSXML. I patched all of these late (very late) last night.
So, I believe I have a handle on the security and where the issue is
located, but am unable to determine what is causing the addition of the
"system volume info" folder and its French junk. I'd like to be rid of it.
Anyone experiencing these issues or similar, advice is appreciated. Of
course, I will continue to search through the Trojan horse & backdoor hack
reports.
Thanks,
Michael
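The hiding technique in this post is an old one: a folder named "<anything>.{<CLSID>}" is rendered by Explorer as the shell object for that CLSID (here the Control Panel), so its real contents never show up in Explorer or in a Windows Search for the file names, while the file system, defrag and the folder's size still see them. The script below is an added example, not code from the original post or from any of the repliers. It hunts for CLSID-masked folders on the given drives (including inside "System Volume Information", to which it grants Administrators read access instead of deleting the folder, since that is also where VSS shadow copies live), and then collects the places a dropped FTP daemon or backdoor that keeps refilling the dump would normally show up: listening sockets mapped to their process image, the Run keys, and services whose binary lives outside the Windows directory. It assumes an elevated PowerShell 5.1+ session on a Windows version that has Get-NetTCPConnection (Server 2012 / Windows 8 or later); the drive list and the report path are assumptions to adjust.

```powershell
# Added example (not the original poster's code). Assumes an elevated PowerShell 5.1+
# session on Server 2012 / Windows 8 or later. Drive letters and report path are assumptions.
param(
    [string[]] $Drives = @('C:', 'E:'),
    [string]   $Report = "$env:TEMP\svi-hunt.txt"
)

# "<name>.{<CLSID>}" makes Explorer show the shell object for that CLSID instead of the
# directory's contents; match any such suffix rather than one specific GUID.
$clsidSuffix = '\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-DirSizeMB([string] $Path) {
    # -Force includes hidden/system entries; ACL denials are skipped rather than fatal.
    $bytes = (Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [math]::Round(($bytes / 1MB), 1)
}

$findings = foreach ($d in $Drives) {
    # System Volume Information is ACL'd to SYSTEM only. Grant the admin read access so the
    # scan can descend into it; do not delete the folder itself (VSS shadow copies live there).
    $svi = Join-Path $d 'System Volume Information'
    if (Test-Path -LiteralPath $svi) {
        icacls $svi /grant "Administrators:(OI)(CI)R" /T /C | Out-Null
    }
    Get-ChildItem -LiteralPath "$d\" -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $clsidSuffix } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                SizeMB    = Get-DirSizeMB $_.FullName
                # Renaming to this plain name is what exposes the contents in Explorer.
                PlainName = ($_.Name -replace $clsidSuffix, '')
            }
        }
}

# The dump came back after deletion, so something persistent is feeding it.
# Map every listening socket to its owning process and image on disk.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            PID       = $_.OwningProcess
            Process   = $p.ProcessName
            Image     = $p.Path
        }
    } | Sort-Object LocalPort -Unique

# Common autostart locations for a dropped server binary.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autostarts = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Location = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# Services whose binary is not under the Windows directory deserve a look first.
$sysRoot  = '^"?' + [regex]::Escape($env:SystemRoot)
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch $sysRoot } |
    Select-Object Name, State, StartMode, PathName

"== CLSID-masked folders ==",           ($findings   | Format-Table -AutoSize | Out-String),
"== Listening sockets ==",              ($listeners  | Format-Table -AutoSize | Out-String),
"== Run keys ==",                       ($autostarts | Format-Table -AutoSize | Out-String),
"== Services outside $env:SystemRoot ==", ($services | Format-Table -AutoSize | Out-String) |
    Set-Content -Path $Report

$findings
```

Run it as Administrator and read the report before touching anything: the masked folders tell you how much was dumped and where, and a listener on a non-standard port whose image sits somewhere like a temp directory, or a service with a path outside the Windows directory, is the usual answer to "what keeps re-creating it". Rename the masked folder to its plain name and remove the contents rather than deleting System Volume Information itself, and keep the firewall block in place until the process feeding the dump has been identified and removed.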