Re: Advice request: Backdoor hack on Windows Small Business Server
From: Michael Friedman (MichaelFriedman_at_discussions.microsoft.com)
Date: 05/31/05
- Next message: Torgeir Bakken \(MVP\): "Re: copy a large number of files / preserve the permissions"
- Previous message: Rob McShinsky: "Re: copy a large number of files / preserve the permissions"
- In reply to: Karl Levinson, mvp: "Re: Advice request: Backdoor hack on Windows Small Business Server 200"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 31 May 2005 07:30:01 -0700
Karl,
Wow, thanks for the great information! I appreciate your detail and
suggestions.
To follow up, I was able to determine the program binding: NeDDS.exe. This
was listed in the services as a legacy Network service. Once disabled, all
traffic back and forth on the server stopped. I believe there is still a
vulnerability on the server that was activating the executable but since it's
not there, it can't. I am still on the lookout (I was away most of the
weekend). Fortunately, this server is not one of high risk and is more of a
test server so, while very interested, I am not fretting too much. This has
been a great exercise.
Thank you all for responding so well. I hope I can return the favor sometime.
Michael
"Karl Levinson, mvp" wrote:
> There is a lot of information on these sorts of very common hacks, if you
> search for "ftp tagging" or "pubstro."
>
> Although your firewall seems to be blocking people from downloading files,
> it sounds like 1) your server could still be vulnerable with an open hole,
> 2) attackers may still be remotely managing your server and 3) it is
> probably still running hidden FTP software somewhere, perhaps hidden by a
> root kit or perhaps that you just haven't found yet. [The fact that the FTP
> data files were visible to you makes me think that perhaps no root kit is in
> use.]
>
> The vulnerabilities you fixed are not the ones I would think let this
> occur, although hopefully MBSA has made sure you now have all the Microsoft
> security patches installed. If an easily guessable password, insecure
> configuration setting or an unpatched program that MBSA does not check for
> was used, then there could still be a problem. If there were other missing
> patches that you installed and didn't list here, then it could be that you
> did find and fix the problem.
>
> You say that your FTP service is locked down, but do be sure that the
> anonymous user [such as IUSR] cannot both write and read to any one FTP
> folder. There should be a read-only download folder and/or a write-only
> upload folder.
>
> If you still haven't found the hidden FTP service [if there is one],
> downloading Hijack This and posting the logs to the Hijack This web forum
> may be helpful. Filemon from www.sysinternals.com may be helpful as well.
>
> For detecting intrusions, I highly recommend running a file change checker
> such as the free Languard SIM from www.gfi.com [you have to really search
> for it, but it's there, I swear] or Osiris on your servers. You have to run
> it a few times and tell it to ignore any files that change frequently that
> you are sure are supposed to be changing. Typically, these programs will
> run once a day and send you an email or create a log of any changed files.
> If you are hacked and a file changes, you might only be given one
> notification of the file change, so checking the log for every day is
> advisable. These tools do not necessarily detect root kit hidden files, but
> they may detect other files that a root kit forgot to hide.
>
> These links should give some info on looking for intrusions and on further
> hardening your system. MBSA is a great tool, but it alone is not a thorough
> check for server security:
>
> http://securityadmin.info/faq.asp#ftpfolder
> http://securityadmin.info/faq.asp#hacked
> http://securityadmin.info/faq.asp#harden
>
>
> "Michael Friedman" <MichaelFriedman@discussions.microsoft.com> wrote in
> message news:87917263-A1B1-436D-AC8C-A591B925328C@microsoft.com...
>
> > However, I noticed the "System Volume Information" was back, along with a
> > new 900MB of stuff. Clearly some app is still on my system that goes remote
> > and synchronizes somewhere. Norton Antivirus Corporate 8.0 does not see any
> > viruses. Adaware eliminated only 2 spam cookies.
> >
> > I went to Microsoft's security site and downloaded the security analyzer
> > (which is great) and it exposed risks in my SQL Home Edition, SBS, Exchange,
> > and MSXML. I patched all of these late (very late) last night.
> >
> > So, I believe I have a handle on the security and where the issue is
> > located, but am unable to determine what is causing the addition of the
> > "system volume info" folder and its French junk. I'd like to be rid of it.
> >
> > Anyone experiencing these issues or similar, advice is appreciated. Of
> > course, I will continue to search through the Trojan horse & backdoor hack
> > reports.
>
>
>
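The daily file-change check Karl describes above (baseline the server, re-scan, ignore files that are known to churn, and log what was added, removed or modified) is shown below as an added illustration. It is not part of the original thread and is not the code of Languard SIM or Osiris; the directory layout, the ignore patterns and the "unexpected.bin" file are constructed for the demonstration. As Karl notes, a scan like this only sees what the filesystem API returns, so files hidden by a rootkit will not appear in it; the value is in catching the files the rootkit forgot to hide and the system files that silently changed.

```python
import fnmatch
import hashlib
import json
import os
import tempfile
from typing import Dict, Iterable, List

# Constructed example patterns for files that are expected to change often.
# In a real deployment this list grows over the first few runs, as Karl
# describes; it is not Languard/Osiris syntax.
DEFAULT_IGNORE = ["*.log", "*.tmp", "Temp/*"]


def _hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _ignored(relpath: str, patterns: Iterable[str]) -> bool:
    """True if the slash-normalised relative path matches any ignore glob."""
    rel = relpath.replace(os.sep, "/")
    return any(fnmatch.fnmatch(rel, pattern) for pattern in patterns)


def snapshot(root: str, ignore: Iterable[str] = DEFAULT_IGNORE) -> Dict[str, str]:
    """Walk root and record the hash of every file not matched by an ignore pattern."""
    result: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if _ignored(rel, ignore):
                continue
            result[rel.replace(os.sep, "/")] = _hash_file(full)
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between a stored baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in set(baseline) & set(current) if baseline[path] != current[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap: Dict[str, str], path: str) -> None:
    """Persist the baseline; keep this file off the monitored host if possible."""
    with open(path, "w") as handle:
        json.dump(snap, handle, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as handle:
        return json.load(handle)


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tree, simulate a day's changes, report them."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        # Day 0: the tree as first inventoried (paths are constructed examples).
        _write(os.path.join(root, "inetpub", "ftproot", "readme.txt"), b"public download\n")
        _write(os.path.join(root, "WINDOWS", "system32", "drivers", "etc", "hosts"),
               b"127.0.0.1 localhost\n")
        _write(os.path.join(root, "Temp", "scratch.tmp"), b"noise\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Day 1: a system file changed, a new file appeared, and a temp file churned.
        _write(os.path.join(root, "WINDOWS", "system32", "drivers", "etc", "hosts"),
               b"127.0.0.1 localhost\n10.0.0.5 update.example\n")
        _write(os.path.join(root, "inetpub", "ftproot", "unexpected.bin"), b"\x00" * 16)
        _write(os.path.join(root, "Temp", "scratch.tmp"), b"different noise\n")

        # The ignored temp file does not appear; the other two changes do.
        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report with one added file and one modified file. In practice `snapshot` would run from a scheduled task once a day against the real system drive, `compare` against yesterday's stored baseline, and the result would be mailed or appended to a log that is actually read every day, since, as the thread points out, a change is only reported once.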