Re: Advice request: Backdoor hack on Windows Small Business Server

From: Michael Friedman (MichaelFriedman_at_discussions.microsoft.com)
Date: 05/26/05


Date: Thu, 26 May 2005 07:15:07 -0700

Roger,

Thanks for the assistance... I will check out the tool you recommended.

To further update: this morning I found a new folder, hung off a share on my
server:

"RECYCLED" and in it, the same control panel mask. In the first folder, I
discovered the following files:

admDll.dll 88k
audio.exe 236k
nc.bat 1k
ntk-tpf.r00 14,649k
raddrv.dll 29k
radmin.bat 1k
radmin.reg 1k
serial.txt 1k

The audio.exe process was running and once I killed it I was able to delete
the files and folders. Doing some initial searching, this remote admin setup
is similar to W32.Remadmin as listed in Symantec Security Response. I haven't
done a virus scan in safe mode, and hopefully that will find the problems,
although I will continue to research -- a good learning experience for a
novice admin.

Thanks,
Michael

"Roger Abell" wrote:

> Interesting tale Michael. The good part is that it seems the exploit is
> one that is not deeply hidden, and that as they did want to use your system
> they likely were not ruthless in terms of damage to it.
> Assuming that what is used is not deeply rooted and stealthed you could
> start with basic tools, like TcpView from www.sysinternals.com which
> would help you to identify the binaries that have bound to network ports
> (as you know one thing about the exploit you have suffered, that it must
> be allowing network access). If you are familiar with what services are
> normal, you could check the shown services for reasonability. While
> at sysinternals you should pick up the tools they also have available that
> 1) will list out all common places an app can be set to start, and 2) the
> rootkit detection tools that will help with discovery of some rootkits.
>
> I have no doubt others will help you out by mentioning other avenues and
> tools from different sources, but the above would give you some initial
> sanity check info.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Michael Friedman" <MichaelFriedman@discussions.microsoft.com> wrote in
> message news:87917263-A1B1-436D-AC8C-A591B925328C@microsoft.com...
> > I recently experienced an invasion on my server and am having trouble
> > identifying the cause and means of removing the malicious software. I'll
> > explain my process of how I determined this to give you an idea of what's
> > going on.
> >
> > First, I noticed I was running out of hard drive space on the C: drive. I
> > have a 19GB partition available using NTFS as my system drive. I didn't know
> > where the sudden jump from 15GB of free space to 500MB came from, so I
> > checked the folder properties of each root folder to get the amount of data
> > stored in each folder. It added up to about 4GB.
> >
> > I deleted a bunch of temporary files and unnecessary information to get 15%
> > free so I could do a defragment. While defragmenting, I noticed in the
> > status bar a series of file names that were not located anywhere on my
> > computer-- a series of very long file names with "MovieZ" and "MP3" and so on
> > in the middle. I realized someone has been using my server as a free storage
> > depot.
> >
> > I have http and ftp services, but they are locked down. When I did a search
> > for a file or folder containing "MovieZ" it was not found.
> >
> > Finally, I noticed a folder on my C: drive and E: drive (data drive) called
> > "System Volume Information". I was denied access to it. I realized that this
> > was the folder used for system restore points on Windows XP but I was running
> > SBS 2003 so the folder shouldn't be there. I added the administrator account
> > and found a single subfolder in this folder.
> >
> > The subfolder was a very long file name with "control panel" then a long
> > GUID. Whenever I selected it, I got the control panel and control panel
> > elements. When I did a folder properties on "c:\system volume information" it
> > said I had 11GB of data in the folder, but I could not navigate to it.
> >
> > Finally, I renamed the "control panel" & GUID folder to "temp" and the hack
> > was revealed: a long series of folders containing movies, mp3s, documents,
> > etc all in French. I deleted it all, including the "C:\system volume
> > information".
> >
> > The following day, I checked again and saw that I was getting pounded on
> > network traffic but no sessions were open (I have a very small network) and
> > none of my remote folks were using FTP or Outlook Web Access. I used network
> > monitor to capture some data and found a single site from France and
> > something.br. I use a firewall and I used it to block those IP addresses. The
> > traffic stopped.
> >
> > However, I noticed the "System Volume Information" was back, along with a
> > new 900MB of stuff. Clearly some app is still on my system that goes remote
> > and synchronizes somewhere. Norton Antivirus Corporate 8.0 does not see any
> > viruses. Adaware eliminated only 2 spam cookies.
> >
> > I went to Microsoft's security site and downloaded the security analyzer
> > (which is great) and it exposed risks in my SQL Home Edition, SBS, Exchange,
> > and MSXML. I patched all of these late (very late) last night.
> >
> > So, I believe I have a handle on the security and where the issue is
> > located, but am unable to determine what is causing the addition of the
> > "system volume info" folder and its French junk. I'd like to be rid of it.
> >
> > Anyone experiencing these issues or similar, advice is appreciated. Of
> > course, I will continue to search through the Trojan horse & backdoor hack
> > reports.
> >
> > Thanks,
> > Michael
>
>
>
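The hiding trick described in the quoted report (a folder named "control panel" followed by a GUID, which Explorer opens as the Control Panel rather than as a folder, while the parent still reports gigabytes of data) can be hunted for without Explorer at all: walk the file system and flag any directory whose name ends in a CLSID-style ".{GUID}" suffix, then total the bytes underneath it. The script below is an added example written for this thread, not code from either poster or from any tool they mention. The sample tree it builds, the file names in it and the GUID "{00000000-1111-2222-3333-444444444444}" are constructed for the demonstration; run the scanner against a real drive root to check it instead.

```python
"""Scan a directory tree for folders disguised with a CLSID suffix.

Added example (not from the thread). On Windows, Explorer renders a folder
named "anything.{CLSID}" as the shell object that CLSID identifies, so a
drop folder named "control panel.{...}" opens Control Panel instead of
listing its contents. Walking the tree with os.walk ignores that shell
behaviour and sees the real directory.
"""
import os
import re
import tempfile

# Matches a name ending in ".{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def tree_size(path):
    """Sum the sizes of all regular files below path (symlinks skipped)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.islink(full):
                total += os.path.getsize(full)
    return total


def find_masked_folders(start):
    """Return [(path, byte_size, file_count)] for every directory under
    start whose name carries a CLSID suffix, so the real footprint of a
    masked folder is visible even though Explorer will not show it."""
    hits = []
    for root, dirs, _files in os.walk(start):
        for d in dirs:
            if CLSID_SUFFIX.search(d):
                full = os.path.join(root, d)
                count = sum(len(f) for _, _, f in os.walk(full))
                hits.append((full, tree_size(full), count))
    return hits


def build_sample_tree():
    """Constructed sample layout mirroring the report: a 'System Volume
    Information' folder holding a CLSID-suffixed folder of dropped files,
    plus an ordinary share that must not be flagged. The GUID is made up."""
    base = tempfile.mkdtemp(prefix="svi_scan_")
    fake_clsid = "{00000000-1111-2222-3333-444444444444}"  # constructed
    masked = os.path.join(base, "System Volume Information",
                          "control panel." + fake_clsid)
    os.makedirs(os.path.join(masked, "MovieZ"))
    os.makedirs(os.path.join(base, "Users", "shared"))
    with open(os.path.join(masked, "MovieZ", "dropped.bin"), "wb") as f:
        f.write(b"\0" * 4096)
    with open(os.path.join(masked, "serial.txt"), "wb") as f:
        f.write(b"x" * 100)
    with open(os.path.join(base, "Users", "shared", "report.doc"), "wb") as f:
        f.write(b"y" * 50)
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    for path, size, count in find_masked_folders(root):
        print(f"{path}: {count} files, {size} bytes")
```

Against a live system, point `find_masked_folders` at each drive root (running as an account that can read "System Volume Information") and treat any hit outside a location you can account for as something to preserve for analysis before deleting; the byte total is the same number Explorer showed as "11GB" in the report, now tied to a concrete path.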


