Re: Advice request: Backdoor hack on Windows Small Business Server

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/01/05


Date: Tue, 31 May 2005 22:03:14 -0700

I do hope that all empowered accounts (in your infrastructure, not just the
accounts on that one machine) that might have been used from or that might
be similar to accounts used upon that machine have had password changes
after the time when the machine was last able to pass packets out.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Michael Friedman" <MichaelFriedman@discussions.microsoft.com> wrote in
message news:717E6865-18F7-4348-8419-D9A47D0DEB6D@microsoft.com...
> Karl,
>
> Wow, thanks for the great information! I appreciate your detail and
> suggestions.
>
> To follow up, I was able to determine the program binding: NeDDS.exe. This
> was listed in the services as a legacy Network service. Once disabled, all
> traffic back and forth on the server stopped. I believe there is still a
> vulnerability on the server that was activating the executable but since it's
> not there, it can't. I am still on the lookout (I was away most of the
> weekend). Fortunately, this server is not one of high risk and is more of a
> test server so, while very interested, I am not fretting too much. This has
> been a great exercise.
>
> Thank you all for responding so well. I hope I can return the favor sometime.
>
> Michael
>
> "Karl Levinson, mvp" wrote:
>
> > There is a lot of information on these sorts of very common hacks, if you
> > search for "ftp tagging" or "pubstro."
> >
> > Although your firewall seems to be blocking people from downloading files,
> > it sounds like 1) your server could still be vulnerable with an open hole,
> > 2) attackers may still be remotely managing your server and 3) it is
> > probably still running hidden FTP software somewhere, perhaps hidden by a
> > root kit or perhaps that you just haven't found yet.  [The fact that the FTP
> > data files were visible to you makes me think that perhaps no root kit is in
> > use.]
> >
> > The vulnerabilities you fixed are not the ones I would think let this
> > occur, although hopefully MBSA has made sure you now have all the Microsoft
> > security patches installed.  If an easily guessable password, insecure
> > configuration setting or an unpatched program that MBSA does not check for
> > was used, then there could still be a problem.  If there were other missing
> > patches that you installed and didn't list here, then it could be that you
> > did find and fix the problem.
> >
> > You say that your FTP service is locked down, but do be sure that the
> > anonymous user [such as IUSR] cannot both write and read to any one FTP
> > folder.  There should be a read-only download folder and/or a write-only
> > upload folder.
> >
> > If you still haven't found the hidden FTP service [if there is one],
> > downloading Hijack This and posting the logs to the Hijack This web forum
> > may be helpful.  Filemon from www.sysinternals.com may be helpful as well.
> >
> > For detecting intrusions, I highly recommend running a file change checker
> > such as the free Languard SIM from www.gfi.com [you have to really search
> > for it, but it's there, I swear] or Osiris on your servers.  You have to run
> > it a few times and tell it to ignore any files that change frequently that
> > you are sure are supposed to be changing.  Typically, these programs will
> > run once a day and send you an email or create a log of any changed files.
> > If you are hacked and a file changes, you might only be given one
> > notification of the file change, so checking the log for every day is
> > advisable.  These tools do not necessarily detect root kit hidden files, but
> > they may detect other files that a root kit forgot to hide.
> >
> > These links should give some info on looking for intrusions and on further
> > hardening your system.  MBSA is a great tool, but it alone is not a thorough
> > check for server security:
> >
> > http://securityadmin.info/faq.asp#ftpfolder
> > http://securityadmin.info/faq.asp#hacked
> > http://securityadmin.info/faq.asp#harden
> >
> >
> > "Michael Friedman" <MichaelFriedman@discussions.microsoft.com> wrote in
> > message news:87917263-A1B1-436D-AC8C-A591B925328C@microsoft.com...
> >
> > > However, I noticed the "System Volume Information" was back, along with a
> > > new 900MB of stuff. Clearly some app is still on my system that goes remote
> > > and synchronizes somewhere. Norton Antivirus Corporate 8.0 does not see any
> > > viruses. Adaware eliminated only 2 spam cookies.
> > >
> > > I went to Microsoft's security site and downloaded the security analyzer
> > > (which is great) and it exposed risks in my SQL Home Edition, SBS, Exchange,
> > > and MSXML. I patched all of these late (very late) last night.
> > >
> > > So, I believe I have a handle on the security and where the issue is
> > > located, but am unable to determine what is causing the addition of the
> > > "system volume info" folder and its French junk. I'd like to be rid of it.
> > >
> > > Anyone experiencing these issues or similar, advice is appreciated. Of
> > > course, I will continue to search through the Trojan horse & backdoor hack
> > > reports.
> >
> >
> >
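As an added example that is not part of the thread, here is a minimal file-change checker of the kind Karl recommends: it baselines a directory tree with SHA-256, takes ignore globs for files that are expected to churn (his "tell it to ignore any files that change frequently"), and reports added, removed and changed files on the next scan. The sample tree, file names and contents in demo() are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, ignore=()):
    """Map each file under root (relative POSIX path) to its hash, skipping ignore globs."""
    root = Path(root)
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if any(fnmatch(rel, pat) for pat in ignore):
                continue  # expected churn (logs, temp files) stays out of the report
            baseline[rel] = hash_file(root / rel)
    return baseline

def compare(old, new):
    """Return (added, removed, changed) relative paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def demo():
    """Constructed sample tree: baseline it, then plant a binary and alter a page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inetpub").mkdir()
        (root / "inetpub" / "index.htm").write_text("welcome")
        (root / "app.log").write_text("day 1")
        ignore = ["*.log"]  # the log is supposed to change every day
        base = build_baseline(root, ignore)
        # Simulate the next day's scan: an unexpected executable appears
        # (name taken from the thread, content constructed) and a page is modified.
        (root / "inetpub" / "NeDDS.exe").write_bytes(b"MZ constructed sample")
        (root / "inetpub" / "index.htm").write_text("altered")
        (root / "app.log").write_text("day 2")
        return compare(base, build_baseline(root, ignore))
```

Keep the ignore list short and only add a pattern after confirming that the churn is legitimate, since an over-broad glob hides exactly the change you want to be told about.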

