Re: Advice request: Backdoor hack on Windows Small Business Server 200

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 05/28/05


Date: Sat, 28 May 2005 09:18:33 -0400

There is a lot of information on these sorts of very common hacks, if you
search for "ftp tagging" or "pubstro."

Although your firewall seems to be blocking people from downloading files,
it sounds like 1) your server could still be vulnerable with an open hole,
2) attackers may still be remotely managing your server and 3) it is
probably still running hidden FTP software somewhere, perhaps hidden by a
root kit or perhaps that you just haven't found yet. [The fact that the FTP
data files were visible to you makes me think that perhaps no root kit is in
use.]

The vulnerabilities you fixed are not the ones I would think let this
occur, although hopefully MBSA has made sure you now have all the Microsoft
security patches installed. If an easily guessable password, insecure
configuration setting or an unpatched program that MBSA does not check for
was used, then there could still be a problem. If there were other missing
patches that you installed and didn't list here, then it could be that you
did find and fix the problem.

You say that your FTP service is locked down, but do be sure that the
anonymous user [such as IUSR] cannot both write to and read from any one FTP
folder. There should be a read-only download folder and/or a write-only
upload folder.

If you still haven't found the hidden FTP service [if there is one],
downloading Hijack This and posting the logs to the Hijack This web forum
may be helpful. Filemon from www.sysinternals.com may be helpful as well.

For detecting intrusions, I highly recommend running a file change checker
such as the free Languard SIM from www.gfi.com [you have to really search
for it, but it's there, I swear] or Osiris on your servers. You have to run
it a few times and tell it to ignore any files that change frequently that
you are sure are supposed to be changing. Typically, these programs will
run once a day and send you an email or create a log of any changed files.
If you are hacked and a file changes, you might only be given one
notification of the file change, so checking the log for every day is
advisable. These tools do not necessarily detect root kit hidden files, but
they may detect other files that a root kit forgot to hide.

These links should give some info on looking for intrusions and on further
hardening your system. MBSA is a great tool, but it alone is not a thorough
check for server security:

http://securityadmin.info/faq.asp#ftpfolder
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#harden

"Michael Friedman" <MichaelFriedman@discussions.microsoft.com> wrote in
message news:87917263-A1B1-436D-AC8C-A591B925328C@microsoft.com...

> However, I noticed the "System Volume Information" was back, along with a
> new 900MB of stuff. Clearly some app is still on my system that goes remote
> and synchronizes somewhere. Norton Antivirus Corporate 8.0 does not see any
> viruses. Adaware eliminated only 2 spam cookies.
>
> I went to Microsoft's security site and downloaded the security analyzer
> (which is great) and it exposed risks in my SQL Home Edition, SBS, Exchange,
> and MSXML. I patched all of these late (very late) last night.
>
> So, I believe I have a handle on the security and where the issue is
> located, but am unable to determine what is causing the addition of the
> "system volume info" folder and its French junk. I'd like to be rid of it.
>
> Anyone experiencing these issues or similar, advice is appreciated. Of
> course, I will continue to search through the Trojan horse & backdoor hack
> reports.
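
The file-change checker Karl describes (baseline a tree, re-scan on a schedule, report added/removed/modified files, tolerate an ignore list for files that legitimately churn) is simple enough to show in full. The block below is an added example written for this page; it is not code from the original post, from Osiris, or from GFI Languard SIM. It assumes SHA-256 as the comparison key, a JSON file as the baseline, fnmatch-style ignore globs on POSIX-style relative paths, and a plain append-only log; the sample directory tree it scans is constructed inside the `demo()` function. It also demonstrates the point about getting only one notification: because the baseline is rolled forward after each run, the intrusion shows up in the second run's report and log line but not in the third, so the daily log, not the latest report, is the record to review.

```python
# Added example (not from the original post): a minimal Osiris / Languard SIM
# style file-change checker. Assumptions: JSON baseline, SHA-256 comparison,
# fnmatch ignore globs on POSIX-style relative paths, append-only text log.
import fnmatch
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root, ignore=()):
    """Hash every file under root, skipping relative paths that match an ignore glob."""
    root = Path(root)
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(rel, pat) for pat in ignore):
                continue
            try:
                entries[rel] = {"sha256": hash_file(full), "size": full.stat().st_size}
            except OSError as exc:
                # An unreadable file is itself a finding (locked handle, hidden
                # by a driver); record it rather than silently dropping it.
                entries[rel] = {"sha256": None, "size": None, "error": str(exc)}
    return entries


def compare(baseline, current):
    """Paths that were added, removed, or whose SHA-256 no longer matches."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def has_changes(report):
    return any(report[k] for k in ("added", "removed", "modified"))


def run_check(root, baseline_path, log_path, ignore=(), roll_forward=True):
    """One scheduled run. Returns None on the first run (baseline created),
    otherwise the report. Every run appends to the log, so a change reported
    once survives the baseline being rolled forward on the next run."""
    current = snapshot(root, ignore)
    baseline_path = Path(baseline_path)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=1))
        return None
    baseline = json.loads(baseline_path.read_text())
    report = compare(baseline, current)
    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
    with open(log_path, "a") as log:
        if has_changes(report):
            for kind in ("added", "removed", "modified"):
                for rel in report[kind]:
                    log.write(f"{stamp} {kind.upper():8} {rel}\n")
        else:
            log.write(f"{stamp} no changes\n")
    if roll_forward:
        baseline_path.write_text(json.dumps(current, indent=1))
    return report


def demo():
    """Walk through three runs on a constructed tree (all file names/contents are made up)."""
    work = Path(tempfile.mkdtemp())
    try:
        root = work / "inetpub"
        (root / "wwwroot").mkdir(parents=True)
        (root / "logs").mkdir()
        (root / "wwwroot" / "default.htm").write_text("<html>site</html>")
        (root / "wwwroot" / "app.dll").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "logs" / "ex050528.log").write_text("GET /default.htm 200\n")
        baseline, log, ignore = work / "baseline.json", work / "changes.log", ("logs/*.log",)
        first = run_check(root, baseline, log, ignore)            # creates the baseline
        # Simulated intrusion: one file altered, one dropped in, one deleted;
        # the IIS log changes too but is on the ignore list.
        (root / "wwwroot" / "app.dll").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "wwwroot" / "upload.exe").write_bytes(b"MZ" + b"\xcc" * 16)
        (root / "wwwroot" / "default.htm").unlink()
        (root / "logs" / "ex050528.log").write_text("GET /upload.exe 200\n")
        second = run_check(root, baseline, log, ignore)           # reports the changes
        third = run_check(root, baseline, log, ignore)            # baseline already rolled forward
        return {"first": first, "second": second, "third": third, "log": log.read_text()}
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

Run `demo()` to see the sequence: the second run lists the three changes and the third reports nothing, while `changes.log` still holds the ADDED/REMOVED/MODIFIED lines from the second run. In practice the ignore list should be built up over a few clean runs, as the post says, and should never include the web, FTP or system32 directories, since those are exactly where a pubstro drops its files.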


