Thread: Compromised Windows 2003 Server
-
03-19-2007, 03:04 PM #1 Web Hosting Guru
Compromised Windows 2003 Server
Hello, so I have been trying to troubleshoot our Windows 2003 server for weeks, but have made no headway. The following are the steps they take to breach the server.
“They” are able to create an account. Some used usernames they have created are: sysadmin, adm, mssqladm.
It is very odd. Looking in the event viewer, they just appear to create accounts out of the blue; they don’t even login or attempt to login or anything. All of a sudden it says, New Account Created.
“They” then change the password of the account they just created.
Then “They” assign themselves the following group permissions, ‘Users’, and ‘Administrators’. ** SHAKING MY HEAD ** How the bloody hell do they assign themselves Administrator rights?
Then they do a few different actions depending. Often times they disable the Windows firewall and change open ports; other times they simply just log off; other times they have placed Trojan horses and other malware in their temporary internet folder under their user folder.
This has been a cat and mouse game for weeks. I catch the new account and immediately delete it, check the firewall and enable it if needed, then run a full system scan with AVG and Prevx. Sometimes AVG finds Trojans and malware, other times it's clear.
I have racked my brain, checked all running processes with Google, and they all seem legit. I have updated everything in Windows via Windows Update; we are running Windows 2003 Server SP2. I have looked at the users and groups and everything seems secure.
Do you guys have any idea what is going on? I have a feeling something is running internally, which is allowing them to create the accounts.
Is there a tool that tracks all currently running processes, and allows you to go look at the logs to see what exactly was running at a certain time?
Thanks for the assistance.
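As an added example (not posted in this thread), the sequence described above can be pulled straight out of the Windows 2003 Security log: event 624 (User Account Created), 628 (User Account Password Set) and 636 (Security Enabled Local Group Member Added) for the same account within minutes is exactly the "create, set password, add to Administrators" pattern. The script below correlates those events; the tab-separated input is a constructed, simplified export (timestamp, event ID, description), so parse_line() would need adapting to a real Event Viewer export, and the window and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2003 Security log event IDs for the pattern in the original post.
EVENT_CREATED, EVENT_PASSWORD_SET, EVENT_GROUP_ADD = 624, 628, 636

# Constructed sample export: timestamp, event id, description (simplified).
SAMPLE_LOG = """\
2007-03-19 02:14:05\t624\tUser Account Created: New Account Name: sysadmin
2007-03-19 02:14:06\t628\tUser Account Password Set: Target Account Name: sysadmin
2007-03-19 02:14:09\t636\tSecurity Enabled Local Group Member Added: Member Name: sysadmin Target Group Name: Users
2007-03-19 02:14:10\t636\tSecurity Enabled Local Group Member Added: Member Name: sysadmin Target Group Name: Administrators
2007-03-19 09:30:00\t624\tUser Account Created: New Account Name: jdoe
2007-03-19 09:31:00\t636\tSecurity Enabled Local Group Member Added: Member Name: jdoe Target Group Name: Users
"""

ACCOUNT_RE = re.compile(r"(?:New Account Name|Target Account Name|Member Name): (\S+)")
GROUP_RE = re.compile(r"Target Group Name: (\S+)")

def parse_line(line):
    """Return (timestamp, event_id, account, group) for one simplified export line."""
    when, event_id, description = line.split("\t", 2)
    account = ACCOUNT_RE.search(description)
    group = GROUP_RE.search(description)
    return (datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), int(event_id),
            account.group(1) if account else None, group.group(1) if group else None)

def find_privilege_escalations(log_text, window=timedelta(minutes=10)):
    """Flag accounts created and then added to Administrators within `window` (assumed 10 min)."""
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, event_id, account, group = parse_line(line)
            if account:
                by_account[account].append((when, event_id, group))
    findings = []
    for account, events in by_account.items():
        created = [t for t, e, _ in events if e == EVENT_CREATED]
        admin = [t for t, e, g in events if e == EVENT_GROUP_ADD and g == "Administrators"]
        if not created or not admin:
            continue  # normal account, or never made an administrator
        delta = min(admin) - min(created)
        if timedelta(0) <= delta <= window:
            findings.append({"account": account, "created_at": min(created),
                             "seconds_to_admin": int(delta.total_seconds()),
                             "password_set": any(e == EVENT_PASSWORD_SET for _, e, _ in events)})
    return findings

if __name__ == "__main__":
    for finding in find_privilege_escalations(SAMPLE_LOG):
        print(finding)
```

Only sysadmin is flagged here; jdoe was created but never added to Administrators, which is the difference between routine provisioning and the pattern in the post.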
-
03-19-2007, 03:05 PM #2 Retired Moderator
Are you using any control panel? Maybe you want to try http://www.f-secure.com/blacklight to try an online scan just to be sure?
-
03-19-2007, 03:12 PM #3 Junior Guru Wannabe
Have you changed all your passwords on accounts that were created before this started?
Get process viewer and find anything that is not identified and stop the service / process.
Usually in these cases, a format is the best scenario. But if you don't have a good backup before it occurred, taking one now is no good.
Jason Biel
-
03-19-2007, 03:20 PM #4 Web Hosting Master
I would agree that you really need to format this box. There are rootkits for Windows, and once a rootkit has been applied to your machine there is no telling what is sitting around in the filesystem waiting to accept commands from some devious individual.
The problem is that some of your system binaries may have been replaced with a similar looking file. It sounds like this is what has happened.
Personally I would move all my clients to a fresh (secured) box and then try to figure out what is going on with the hacked box. Remember do not push anything from this server to another machine because there may be a key logger waiting for you to type admin passwords so they can simply follow you to the new box.
good luck
-
03-19-2007, 04:57 PM #5 Web Hosting Guru
Originally Posted by boonchuan
We already use AVG antivirus and PREVX scanner to look for virus, malware, and Trojans.
-
03-19-2007, 05:01 PM #6 Web Hosting Guru
Originally Posted by Jason Biel
Get process viewer and find anything that is not identified and stop the service / process.
My main goal is to determine how they get in to begin with to plant the trojan, malware, virus, and prevent this from happening again.
Originally Posted by Jason Biel
Usually in these cases, a format is the best scenario. But if you don't have a good backup before it occurred, taking one now is no good.
-
03-19-2007, 05:14 PM #7 Junior Guru Wannabe
Well, you have two options: keep racking your brains on a production system and allow it to keep getting compromised, or restore from backup and watch the system like a hawk.
If you have the ability, take an image of the system and bring it up elsewhere to check it out offline, but don't continue to leave a system up that you know has security holes; you are only asking for more trouble.
Jason Biel
-
03-20-2007, 03:16 AM #8 ******* Unleaded
Furthermore, you are putting your customers at risk.
If they find out about it later, there's going to be h*** to pay.
Word to the wise is all. No offense intended.
-
03-20-2007, 03:19 AM #9 Web Hosting Guru
In the process of trying to clean this Trojan out, the following happened. Any ideas how I can get Remote Desktop back online? This is a bloody disaster.
http://www.webhostingtalk.com/showthread.php?t=592576
-
03-20-2007, 04:09 AM #10 Web Hosting Master
What version of mailenable is installed on this box?
Regarding the terminal issue, you'll most likely have to get a local tech to look at the box for you to solve that.
-
03-20-2007, 04:09 AM #11 Web Hosting Guru
1.981 I have tried to keep up with all the updates.