Re: Advice request: Backdoor hack on Windows Small Business Server 200

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/26/05


Date: Wed, 25 May 2005 23:01:17 -0700

Interesting tale, Michael. The good part is that it seems the exploit is
one that is not deeply hidden, and that as they did want to use your system
they likely were not ruthless in terms of damage to it.
Assuming that what is used is not deeply rooted and stealthed, you could
start with basic tools, like TcpView from www.sysinternals.com, which
would help you to identify the binaries that have bound to network ports
(as you know one thing about the exploit you have suffered: that it must
be allowing network access). If you are familiar with what services are
normal, you could check the shown services for reasonability. While
at sysinternals you should pick up the tools they also have available that
1) will list out all common places an app can be set to start, and 2) the
rootkit detection tools that will help with discovery of some rootkits.

I have no doubt others will help you out by mentioning other avenues and
tools from different sources, but the above would give you some initial
sanity check info.

-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3, W2k, Nt4) MCDBA
"Michael Friedman" <MichaelFriedman@discussions.microsoft.com> wrote in
message news:87917263-A1B1-436D-AC8C-A591B925328C@microsoft.com...
> I recently experienced an invasion on my server and am having trouble
> identifying the cause and means of removing the malicious software. I'll
> explain my process of how I determined this to give you an idea of what's
> going on.
>
> First, I noticed I was running out of hard drive space on the C: drive. I
> have a 19GB partition available using NTFS as my system drive. I didn't know
> where the sudden jump from 15GB of free space to 500MB came from, so I
> checked the folder properties of each root folder to get the amount of data
> stored in each folder. It added up to about 4GB.
>
> I deleted a bunch of temporary files and unnecessary information to get 15%
> free so I could do a defragment. While defragmenting, I noticed in the
> status bar a series of file names that were not located anywhere on my
> computer-- a series of very long file names with "MovieZ" and "MP3" and so on
> in the middle. I realized someone has been using my server as a free storage
> depot.
>
> I have http and ftp services, but they are locked down. When I did a search
> for a file or folder containing "MovieZ" it was not found.
>
> Finally, I noticed a folder on my C: drive and E: drive (data drive) called
> "System Volume Information". I was denied access to it. I realized that this
> was the folder used for system restore points on Windows XP but I was running
> SBS 2003 so the folder shouldn't be there. I added the administrator account
> and found a single subfolder in this folder.
>
> The subfolder was a very long file name with "control panel" then a long
> GUID. Whenever I selected it, I got the control panel and control panel
> elements. When I did a folder properties on "c:\system volume information" it
> said I had 11GB of data in the folder, but I could not navigate to it.
>
> Finally, I renamed the "control panel" & GUID folder to "temp" and the hack
> was revealed: a long series of folders containing movies, mp3s, documents,
> etc all in French. I deleted it all, including the "C:\system volume
> information".
>
> The following day, I checked again and saw that I was getting pounded on
> network traffic but no sessions were open (I have a very small network) and
> none of my remote folks were using FTP or Outlook Web Access. I used network
> monitor to capture some data and found a single site from France and
> something.br. I use a firewall and I used it to block those IP addresses. The
> traffic stopped.
>
> However, I noticed the "System Volume Information" was back, along with a
> new 900MB of stuff. Clearly some app is still on my system that goes remote
> and synchronizes somewhere. Norton Antivirus Corporate 8.0 does not see any
> viruses. Adaware eliminated only 2 spam cookies.
>
> I went to Microsoft's security site and downloaded the security analyzer
> (which is great) and it exposed risks in my SQL Home Edition, SBS, Exchange,
> and MSXML. I patched all of these late (very late) last night.
>
> So, I believe I have a handle on the security and where the issue is
> located, but am unable to determine what is causing the addition of the
> "system volume info" folder and its French junk. I'd like to be rid of it.
>
> Anyone experiencing these issues or similar, advice is appreciated. Of
> course, I will continue to search through the Trojan horse & backdoor hack
> reports.
>
> Thanks,
> Michael
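The three checks Roger suggests (which binaries are bound to network ports, what is set to autostart, and where the dropped files are hiding) can be scripted. The following is an added example written for this archive, not code from either poster. It assumes a current Windows host with PowerShell 5.1 or later and the NetTCPIP module (Get-NetTCPConnection); on a 2003-era system the first section would be replaced by `netstat -ano`. The third function generalizes Michael's find: it looks on every fixed drive for a "System Volume Information" folder containing a subfolder whose name ends in ".{GUID}", because that suffix makes Explorer render the folder as a shell namespace (the Control Panel in his case) instead of listing its contents. The GUID pattern is matched generically; no specific CLSID is assumed.

```powershell
# Added triage script (example, not from the thread). Run from an elevated
# prompt: "System Volume Information" is not readable until an administrator
# is granted access, as Michael described.

# 1) Executables bound to network ports, roughly what TcpView displays.
function Get-ListeningProcesses {
    Get-NetTCPConnection -State Listen, Established |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort  = $_.LocalPort
                RemoteAddr = $_.RemoteAddress
                State      = $_.State
                PID        = $_.OwningProcess
                Process    = $proc.ProcessName
                Path       = $proc.Path   # empty for protected/system processes
            }
        } | Sort-Object LocalPort
}

# 2) Common autostart locations (a subset of what Sysinternals Autoruns covers),
#    plus services whose binary lives outside the Windows directory.
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |   # drop provider metadata
                ForEach-Object {
                    [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value }
                }
        }
    }
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
        }
}

# 3) The hiding spot from the post: a subfolder of "System Volume Information"
#    named "<anything>.{GUID}", which Explorer shows as a shell namespace rather
#    than as a directory. Reports each hit with the bytes stored beneath it.
function Find-ClsidMaskedFolders {
    $guidSuffix = '\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $svi = Join-Path $_.Root 'System Volume Information'
        if (Test-Path -LiteralPath $svi) {
            Get-ChildItem -LiteralPath $svi -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match $guidSuffix } |
                ForEach-Object {
                    $bytes = (Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -File `
                                  -ErrorAction SilentlyContinue |
                              Measure-Object Length -Sum).Sum
                    [pscustomobject]@{ Path = $_.FullName; SizeMB = [math]::Round(($bytes / 1MB), 1) }
                }
        }
    }
}

Get-ListeningProcesses  | Format-Table -AutoSize
Get-AutostartEntries    | Format-Table -AutoSize
Find-ClsidMaskedFolders | Format-Table -AutoSize
```

Any process in the first table whose path is unexpected, any autostart entry you cannot account for, and any hit from the third function is a lead for the sysinternals tools Roger mentions; a rootkit can hide from all three listings, so a clean result here is a sanity check, not a clean bill of health.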

