Hello, so I have been trying to troubleshoot our Windows 2003 server for weeks, but have made no headway. The following are the steps they take to breach the server.
“They” are able to create an account. Some used usernames they have created are: sysadmin, adm, mssqladm.
It is very odd. Looking in the event viewer, they just appear to create accounts out of the blue; they don't even log in or attempt to log in or anything. All of a sudden it says, New Account Created.
“They” then change the password of the account they just created.
Then “They” assign themselves the following group permissions, ‘Users’, and ‘Administrators’. ** SHAKING MY HEAD ** How the bloody hell do they assign themselves Administrator rights?
Then they do a few different actions, depending. Often they disable the Windows firewall and change open ports; other times they simply log off; other times they have placed Trojan horses and other malware in the temporary internet folder under their user folder.
This has been a cat and mouse game for weeks. I catch the new account and immediately delete it, check the firewall and enable it if needed, then run a full system scan with AVG and Prevx. Sometimes AVG finds Trojans and malware, other times it's clear.
I have racked my brain, checked all running processes with Google, and they all seem legit. I have updated everything in Windows via Windows Update; we are running Windows 2003 Server SP2. I have looked at the users and groups and everything seems secure.
Do you guys have any idea what is going on? I have a feeling something is running internally, which is allowing them to create the accounts.
Is there a tool that tracks all currently running processes, and allows you to go look at the logs to see what exactly was running at a certain time?
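Added example, not from the thread: a small Python script that reads a constructed CSV export of the Security log and flags the create / set-password / add-to-Administrators sequence described above, with no logon by the acting account beforehand. The column layout, the sample rows and the 10-minute window are assumptions; the event IDs are the Windows 2003 Security log IDs for those actions (624 account created, 628 password set, 636 member added to a local group, 528/540 logon).

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the shape of a Security log export. These rows are
# made up for the example, not taken from the poster's server.
SAMPLE_LOG = """\
time,event_id,actor,target,group
2009-03-01 02:14:05,624,SYSTEM,sysadmin,
2009-03-01 02:14:06,628,SYSTEM,sysadmin,
2009-03-01 02:14:08,636,SYSTEM,sysadmin,Administrators
2009-03-01 09:30:00,624,helpdesk,jsmith,
2009-03-01 09:31:00,636,helpdesk,jsmith,Users
2009-03-01 11:00:00,528,jsmith,jsmith,
"""

# Assumed window: creation, password set and Administrators membership all
# landing inside it matches the sequence the post describes.
WINDOW = timedelta(minutes=10)


def parse_rows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["event_id"] = int(r["event_id"])
    return rows


def suspicious_accounts(rows):
    """Return target accounts whose 624 -> 628 -> 636(Administrators) chain
    completes within WINDOW while the acting account has no 528/540 logon
    recorded before the creation event."""
    rows = sorted(rows, key=lambda r: r["time"])
    logons = [r for r in rows if r["event_id"] in (528, 540)]
    hits = []
    for created in (r for r in rows if r["event_id"] == 624):
        t0, target, actor = created["time"], created["target"], created["actor"]
        later = [r for r in rows if r["target"] == target and t0 <= r["time"] <= t0 + WINDOW]
        pw_set = any(r["event_id"] == 628 for r in later)
        admin = any(r["event_id"] == 636 and r["group"] == "Administrators" for r in later)
        prior_logon = any(l["actor"] == actor and l["time"] < t0 for l in logons)
        if pw_set and admin and not prior_logon:
            hits.append(target)
    return hits


if __name__ == "__main__":
    for account in suspicious_accounts(parse_rows(SAMPLE_LOG)):
        print("suspicious account chain:", account)
```

Run it against a real export after adjusting the column names; the same chain with a legitimate creator logging on first (the jsmith rows) is not flagged.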
I would agree that you really need to format this box. There are rootkits for Windows, and once a rootkit has been applied to your machine there is no telling what is sitting around in the filesystem waiting to accept commands from some devious individual.
The problem is that some of your system binaries may have been replaced with a similar looking file. It sounds like this is what has happened.
Personally I would move all my clients to a fresh (secured) box and then try to figure out what is going on with the hacked box. Remember do not push anything from this server to another machine because there may be a key logger waiting for you to type admin passwords so they can simply follow you to the new box.
Get process viewer and find anything that is not identified and stop the service / process.
I have looked at every process, I googled all of them, and they are all legit. But something could be starting itself, or in fact running behind a known process, such as a backdoor running behind svchost.exe or a trojan behind another system process.
My main goal is to determine how they get in to begin with to plant the trojan, malware, virus, and prevent this from happening again.
Usually in these cases, a format is the best scenario. But if you don't have a good backup from before it occurred, taking one now is no good.
I have no problem formatting, but I want to determine where the security hole is before I spend all the time reconfiguring and setting anything up. After all, it doesn’t make much sense to spend a week setting everything up again, only to have it hacked again.
Well, you have two options: keep racking your brains on a production system and allow it to keep getting compromised, or restore from backup and watch the system like a hawk.
If you have the ability, take an image of the system and bring it up elsewhere to check it out offline, but don't continue to leave a system up that you know has security holes, you are only asking for more trouble.