Re: Advice request: Backdoor hack on Windows Small Business Server 200

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/26/05


Date: Thu, 26 May 2005 16:12:07 -0500

Roger gave you great advice to get you started. If you have not done so, be
sure to run the IISLockdown/Urlscan tool on your server to further secure
IIS. The tools he mentioned and Process Explorer from SysInternals should
give you a good idea what is going on. Unfortunately the damage may already
be done and a fresh install may be your best option along with more
preventative steps before you attach to the internet again, though it never
hurts to try and discover what is going on and how it happened as a learning
experience. Make sure that you are using strong passwords for your
administrator accounts and double check the membership of all the
administrator groups on the server, and avoid using admin powers for mundane
tasks and browsing the internet/email.

Firewall logs could also have alerted you to suspicious activity as could
the security logs if you have enabled auditing of logon events and increased
the size of the security log to at least 10MB. Trend Micro also makes a free
tool to scan for and remove malware called Sysclean available at the links
below. Just download it and the pattern file to the same folder, unzip the
pattern file and then execute Sysclean. --- Steve

http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp

"Michael Friedman" <MichaelFriedman@discussions.microsoft.com> wrote in
message news:87917263-A1B1-436D-AC8C-A591B925328C@microsoft.com...
> I recently experienced an invasion on my server and am having trouble
> identifying the cause and means of removing the malicious software. I'll
> explain my process of how I determined this to give you an idea of what's
> going on.
>
> First, I noticed I was running out of hard drive space on the C: drive. I
> have a 19GB partition available using NTFS as my system drive. I didn't know
> where the sudden jump from 15GB of free space to 500MB came from, so I
> checked the folder properties of each root folder to get the amount of data
> stored in each folder. It added up to about 4GB.
>
> I deleted a bunch of temporary files and unnecessary information to get 15%
> free so I could do a defragment. While defragmenting, I noticed in the
> status bar a series of file names that were not located anywhere on my
> computer -- a series of very long file names with "MovieZ" and "MP3" and so
> on in the middle. I realized someone has been using my server as a free
> storage depot.
>
> I have http and ftp services, but they are locked down. When I did a search
> for a file or folder containing "MovieZ" it was not found.
>
> Finally, I noticed a folder on my C: drive and E: drive (data drive) called
> "System Volume Information". I was denied access to it. I realized that this
> was the folder used for system restore points on Windows XP but I was running
> SBS 2003 so the folder shouldn't be there. I added the administrator account
> and found a single subfolder in this folder.
>
> The subfolder was a very long file name with "control panel" then a long
> GUID. Whenever I selected it, I got the control panel and control panel
> elements. When I did a folder properties on "c:\system volume information" it
> said I had 11GB of data in the folder, but I could not navigate to it.
>
> Finally, I renamed the "control panel" & GUID folder to "temp" and the hack
> was revealed: a long series of folders containing movies, mp3s, documents,
> etc all in French. I deleted it all, including the "C:\system volume
> information".
>
> The following day, I checked again and saw that I was getting pounded on
> network traffic but no sessions were open (I have a very small network) and
> none of my remote folks were using FTP or Outlook Web Access. I used network
> monitor to capture some data and found a single site from France and
> something.br. I use a firewall and I used it to block those IP addresses. The
> traffic stopped.
>
> However, I noticed the "System Volume Information" was back, along with a
> new 900MB of stuff. Clearly some app is still on my system that goes remote
> and synchronizes somewhere. Norton Antivirus Corporate 8.0 does not see any
> viruses. Adaware eliminated only 2 spam cookies.
>
> I went to Microsoft's security site and downloaded the security analyzer
> (which is great) and it exposed risks in my SQL Home Edition, SBS, Exchange,
> and MSXML. I patched all of these late (very late) last night.
>
> So, I believe I have a handle on the security and where the issue is
> located, but am unable to determine what is causing the addition of the
> "system volume info" folder and its French junk. I'd like to be rid of it.
>
> Anyone experiencing these issues or similar, advice is appreciated. Of
> course, I will continue to search through the Trojan horse & backdoor hack
> reports.
>
> Thanks,
> Michael
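As an added example (not code from either poster), a small Python script that locates directories of the kind Michael describes: a folder whose name ends in a ".{CLSID}" suffix, which Explorer renders as the object the CLSID names (here, the Control Panel) and so hides its real contents. It walks the tree with os.walk, which is unaffected by that shell trick, and reports each hit with its size in bytes; the sample tree it builds is constructed for the demonstration, and the CLSID it uses is the well-known Control Panel one.

```python
import os
import re
import tempfile

# A directory named "<anything>.{CLSID}" is shown by Explorer as the shell
# object behind the CLSID rather than as a plain folder, which is why the
# post saw "control panel elements" instead of the files. A plain os.walk
# sees the real directory.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def dir_size(path):
    """Total bytes of all files beneath path (what Properties reported as 11GB)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.path.getsize(os.path.join(root, name))
            except OSError:
                pass  # file vanished or unreadable; keep counting the rest
    return total


def find_clsid_folders(drive_root):
    """Return [(path, bytes)] for every directory under drive_root whose
    name carries a CLSID suffix, without opening it through the shell."""
    hits = []
    for root, dirs, _files in os.walk(drive_root):
        for d in dirs:
            if CLSID_SUFFIX.search(d):
                full = os.path.join(root, d)
                hits.append((full, dir_size(full)))
    return hits


def build_sample_tree():
    """Constructed sample: a fake 'System Volume Information' holding a
    CLSID-suffixed dump folder with a few files, plus a benign directory."""
    base = tempfile.mkdtemp()
    dump = os.path.join(base, "System Volume Information",
                        "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}")
    os.makedirs(os.path.join(dump, "MovieZ"))
    with open(os.path.join(dump, "MovieZ", "film.avi"), "wb") as f:
        f.write(b"\0" * 4096)
    with open(os.path.join(dump, "readme.txt"), "wb") as f:
        f.write(b"x" * 100)
    os.makedirs(os.path.join(base, "Inetpub", "wwwroot"))
    return base


if __name__ == "__main__":
    for path, size in find_clsid_folders(build_sample_tree()):
        print(f"{size:>12} bytes  {path}")
```

Run it against a real drive root (for example C:\) instead of the sample tree; any hit outside a location you recognise, especially one of several gigabytes, deserves the same look Michael gave his.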

