Re: Advice request: Backdoor hack on Windows Small Business Server
From: Michael Friedman (MichaelFriedman_at_discussions.microsoft.com)
Date: 06/01/05
- Next message: Roger Abell: "Re: Lot of security messages in the event viewer"
- Previous message: Michael Friedman: "Re: Advice request: Backdoor hack on Windows Small Business Server"
- Maybe in reply to: Roger Abell: "Re: Advice request: Backdoor hack on Windows Small Business Server"
- Next in thread: Steven L Umbach: "Re: Advice request: Backdoor hack on Windows Small Business Server"
- Reply: Steven L Umbach: "Re: Advice request: Backdoor hack on Windows Small Business Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 1 Jun 2005 05:28:08 -0700
Steven,
Thanks for your comments -- I wanted to make sure I replied to you because
each person who has responded has provided very detailed valuable
information.
I have to admit that when I was going through my MCSE training, I was
disheartened by some of the people who were just there to get the paper and
didn't really care about what was going on, or who they were going to "get as
much money from as they could" by deliberately doing the bare minimum. You and
the other posters have restored my faith in detail, problem-solving, and
experience!
Thanks,
Michael
"Steven L Umbach" wrote:
> Roger gave you great advice to get you started. If you have not done so, be
> sure to run the IIS Lockdown/URLScan tool on your server to further secure
> IIS. The tools he mentioned and Process Explorer from SysInternals should
> give you a good idea of what is going on. Unfortunately the damage may already
> be done, and a fresh install may be your best option along with more
> preventative steps before you attach to the internet again, though it never
> hurts to try to discover what is going on and how it happened as a learning
> experience. Make sure that you are using strong passwords for your
> administrator accounts, double-check the membership of all the
> administrator groups on the server, and avoid using admin powers for mundane
> tasks and browsing the internet/email.
>
> Firewall logs could also have alerted you to suspicious activity, as could
> the security logs if you have enabled auditing of logon events and increased
> the size of the security log to at least 10MB. Trend Micro also makes a free
> tool to scan for and remove malware called Sysclean, available at the links
> below. Just download it and the pattern file to the same folder, unzip the
> pattern file and then execute Sysclean. --- Steve
>
> http://www.trendmicro.com/download/dcs.asp
> http://www.trendmicro.com/download/pattern.asp
>
> "Michael Friedman" <MichaelFriedman@discussions.microsoft.com> wrote in
> message news:87917263-A1B1-436D-AC8C-A591B925328C@microsoft.com...
> > I recently experienced an invasion on my server and am having trouble
> > identifying the cause and means of removing the malicious software. I'll
> > explain my process of how I determined this to give you an idea of what's
> > going on.
> >
> > First, I noticed I was running out of hard drive space on the C: drive. I
> > have a 19GB partition available using NTFS as my system drive. I didn't
> > know where the sudden jump from 15GB of free space to 500MB came from, so I
> > checked the folder properties of each root folder to get the amount of
> > data stored in each folder. It added up to about 4GB.
> >
> > I deleted a bunch of temporary files and unnecessary information to get
> > 15% free so I could do a defragment. While defragmenting, I noticed in the
> > status bar a series of file names that were not located anywhere on my
> > computer -- a series of very long file names with "MovieZ" and "MP3" and so
> > on in the middle. I realized someone had been using my server as a free
> > storage depot.
> >
> > I have HTTP and FTP services, but they are locked down. When I did a
> > search for a file or folder containing "MovieZ" it was not found.
> >
> > Finally, I noticed a folder on my C: drive and E: drive (data drive)
> > called "System Volume Information". I was denied access to it. I realized
> > that this was the folder used for system restore points on Windows XP, but
> > I was running SBS 2003 so the folder shouldn't be there. I added the
> > administrator account and found a single subfolder in this folder.
> >
> > The subfolder was a very long file name with "control panel" then a long
> > GUID. Whenever I selected it, I got the control panel and control panel
> > elements. When I did a folder properties on "c:\system volume information"
> > it said I had 11GB of data in the folder, but I could not navigate to it.
> >
> > Finally, I renamed the "control panel" & GUID folder to "temp" and the
> > hack was revealed: a long series of folders containing movies, mp3s,
> > documents, etc., all in French. I deleted it all, including the "C:\system
> > volume information".
> >
> > The following day, I checked again and saw that I was getting pounded on
> > network traffic but no sessions were open (I have a very small network)
> > and none of my remote folks were using FTP or Outlook Web Access. I used
> > Network Monitor to capture some data and found a single site from France
> > and something.br. I use a firewall and I used it to block those IP
> > addresses. The traffic stopped.
> >
> > However, I noticed the "System Volume Information" was back, along with a
> > new 900MB of stuff. Clearly some app is still on my system that goes
> > remote and synchronizes somewhere. Norton Antivirus Corporate 8.0 does not
> > see any viruses. Ad-Aware eliminated only 2 spam cookies.
> >
> > I went to Microsoft's security site and downloaded the security analyzer
> > (which is great) and it exposed risks in my SQL Home Edition, SBS,
> > Exchange, and MSXML. I patched all of these late (very late) last night.
> >
> > So, I believe I have a handle on the security and where the issue is
> > located, but am unable to determine what is causing the addition of the
> > "system volume info" folder and its French junk. I'd like to be rid of
> > it.
> >
> > If anyone has experienced these or similar issues, advice is appreciated.
> > Of course, I will continue to search through the Trojan horse & backdoor
> > hack reports.
> >
> > Thanks,
> > Michael
>
>
>
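The hiding trick in Michael's original post (a folder whose name ends in the Control Panel CLSID, so Explorer shows the Control Panel instead of the files stored inside) is easy to spot with a directory walk that never asks Explorer. The script below is an added example, not code from this thread or from any of the tools mentioned in it; it builds a constructed sample layout in a temporary directory that mirrors the post, then reports every CLSID-suffixed folder together with the number of bytes hidden under it.

```python
import os
import re
import tempfile

# Explorer renders a folder named "<anything>.{CLSID}" as the shell object the
# CLSID denotes (the Control Panel in the case above), so whatever is stored
# inside stays invisible in the GUI yet still occupies disk. The regex matches
# that ".{GUID}" suffix on a directory name, whatever the CLSID.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
CONTROL_PANEL_CLSID = "{21EC2020-3AEA-1069-A2DD-08002B30309D}"  # well-known Control Panel CLSID

def tree_size(path):
    """Bytes in all regular files below path; os.walk is used, Explorer is not consulted."""
    total = 0
    for dirpath, _, filenames in os.walk(path):
        for name in filenames:
            try:
                total += os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                pass  # unreadable entry (access denied, as in the post): skip it, keep scanning
    return total

def find_clsid_folders(root):
    """Return [(path, bytes_inside)] for every directory under root named *.{GUID}."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if CLSID_SUFFIX.search(d):
                full = os.path.join(dirpath, d)
                hits.append((full, tree_size(full)))
    return hits

def build_constructed_tree(base):
    """Constructed sample mirroring the post: a CLSID-named folder of 'MovieZ' files beside an ordinary web root."""
    hidden = os.path.join(base, "System Volume Information",
                          "control panel." + CONTROL_PANEL_CLSID, "MovieZ")
    os.makedirs(hidden)
    for name, size in (("film.avi", 4096), ("track.mp3", 1024)):
        with open(os.path.join(hidden, name), "wb") as f:
            f.write(b"\0" * size)
    os.makedirs(os.path.join(base, "Inetpub", "wwwroot"))  # must not be flagged
    with open(os.path.join(base, "Inetpub", "wwwroot", "index.htm"), "w") as f:
        f.write("<html></html>")

def demo():
    """Build the constructed tree in a fresh temp dir, scan it, and return the hits."""
    base = tempfile.mkdtemp(prefix="clsid_scan_")
    build_constructed_tree(base)
    return find_clsid_folders(base)
```

Point `find_clsid_folders` at a real drive root instead of `demo()` to scan a live server; folders that need an ACL change before they can be read show up with a size of 0 rather than stopping the walk.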