Web Hosting Talk : Hosting Security and Technology
#1
03-19-2007, 03:04 PM
JustinK101
Web Hosting Guru
Join Date: Jun 2006
Posts: 304

Compromised Windows 2003 Server



Hello, so I have been trying to troubleshoot our Windows 2003 server for weeks, but have made no headway. The following are the steps they take to breach the server.

“They” are able to create an account. Some used usernames they have created are: sysadmin, adm, mssqladm.

It is very odd; looking in the event viewer, they just appear to create accounts out of the blue. They don’t even log in or attempt to log in or anything; all of a sudden it says, New Account Created.

“They” then change the password of the account they just created.

Then “They” assign themselves the following group permissions: ‘Users’ and ‘Administrators’. ** SHAKING MY HEAD ** How the bloody hell do they assign themselves Administrator rights?

Then they do a few different actions, depending. Oftentimes they disable the Windows firewall and change open ports; other times they simply just log off; other times they have placed Trojan horses and other malware in their temporary internet folder under their user folder.

This has been a cat and mouse game for weeks: I catch the new account and immediately delete it, check the firewall and enable it if needed, then run a full system scan with AVG and Prevx. Sometimes AVG finds Trojans and malware, other times it’s clear.

I have racked my brain, checked all running processes with Google, and they all seem legit. I have updated everything in Windows via Windows Update; we are running Windows 2003 Server SP2. I have looked at the users and groups and everything seems secure.

Do you guys have any idea what is going on? I have a feeling something is running internally, which is allowing them to create the accounts.

Is there a tool that tracks all currently running processes, and allows you to go look at the logs to see what exactly was running at a certain time?

Thanks for the assistance.
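The sequence described in this post (account created, password set, account added to Administrators) is recorded in the Security log, and so is every process start if "Audit process tracking" is enabled. The script below is an added example and is not code from the thread or from any poster; it assumes PowerShell is installed on the Windows Server 2003 box, that it is run as an administrator, and that the "Audit account management" and "Audit process tracking" policies are set to Success. The event IDs are the legacy (pre-Vista) Security event IDs that Windows Server 2003 writes; the field labels ("New Account Name:", "Caller User Name:", "Image File Name:") are the ones used in the classic event descriptions.

```powershell
# Added example, not from the thread: summarise the account-management events the
# post describes and list the processes the audit log recorded as starting shortly
# before each one, so the "what was running at that time" question can be answered
# from the Security log itself.
param(
    [int]$Hours = 24,         # how far back to look
    [int]$LeadSeconds = 120   # how long before each event to list process starts
)

# Legacy Windows Server 2003 Security event IDs (Audit account management).
$AccountEvents = @{
    624 = 'User Account Created'
    626 = 'User Account Enabled'
    628 = 'User Account Password Set'
    632 = 'Global Group Member Added'
    636 = 'Local Group Member Added'
}
# Audit process tracking: "A new process has been created".
$ProcessCreated = 592

$since = (Get-Date).AddHours(-$Hours)

# Read the window once; the Security log can be large, so filter afterwards.
$events = Get-EventLog -LogName Security -After $since

$accountHits = $events | Where-Object { $AccountEvents.ContainsKey([int]$_.EventID) } |
    Sort-Object TimeGenerated
$processHits = $events | Where-Object { [int]$_.EventID -eq $ProcessCreated }

# Pull a labelled field out of a classic event description; '?' if it is absent.
function Get-Field([string]$Message, [string]$Label) {
    $m = [regex]::Match($Message, [regex]::Escape($Label) + '[ \t]*([^\r\n]+)')
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { '?' }
}

foreach ($e in $accountHits) {
    $what   = $AccountEvents[[int]$e.EventID]
    $target = Get-Field $e.Message 'New Account Name:'
    if ($target -eq '?') { $target = Get-Field $e.Message 'Member Name:' }
    $group  = Get-Field $e.Message 'Target Account Name:'   # group name for 632/636
    $caller = Get-Field $e.Message 'Caller User Name:'      # who performed the change

    '{0}  {1,-28} target={2} group={3} caller={4}' -f $e.TimeGenerated, $what, $target, $group, $caller

    # Processes the audit log recorded starting in the lead-up to this change.
    $from = $e.TimeGenerated.AddSeconds(-$LeadSeconds)
    $processHits |
        Where-Object { $_.TimeGenerated -ge $from -and $_.TimeGenerated -le $e.TimeGenerated } |
        Sort-Object TimeGenerated |
        ForEach-Object {
            '    {0}  {1}  (user {2})' -f $_.TimeGenerated,
                (Get-Field $_.Message 'Image File Name:'),
                (Get-Field $_.Message 'User Name:')
        }
}
```

The caller field is the useful one: an account created by an interactive administrator shows that administrator's name, while one created by a compromised service or a planted binary shows the service account or SYSTEM, and the process-start lines just before it show which image was running at the time. If no 592 events appear at all, process tracking is not being audited and the policy needs enabling before the next occurrence.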

#2
03-19-2007, 03:05 PM
boonchuan
Retired Moderator
Join Date: Mar 2004
Location: Singapore/Melbourne
Posts: 6,852
Are you using any control panel? Maybe you want to try http://www.f-secure.com/blacklight to try an online scan just to be sure?

#3
03-19-2007, 03:12 PM
jbiel
Junior Guru Wannabe
Join Date: Feb 2007
Posts: 61
Have you changed all your passwords on accounts that were created before this started?

Get Process Viewer and find anything that is not identified and stop the service / process.

Usually in these cases, a format is the best scenario. But if you don't have a good backup from before it occurred, taking one now is no good.

__________________
Jason Biel

#4
03-19-2007, 03:20 PM
dave - just199
Web Hosting Master
Join Date: Aug 2003
Location: East Coast
Posts: 2,061
I would agree that you really need to format this box. There are rootkits for Windows, and once a rootkit has been applied to your machine there is no telling what is sitting around in the filesystem waiting to accept commands from some devious individual.

The problem is that some of your system binaries may have been replaced with a similar looking file. It sounds like this is what has happened.

Personally I would move all my clients to a fresh (secured) box and then try to figure out what is going on with the hacked box. Remember, do not push anything from this server to another machine, because there may be a key logger waiting for you to type admin passwords so they can simply follow you to the new box.

good luck

__________________
Just199.com cPanel WebHosting and VPS's
Paidforumposting.com The #1 content provider for forums and blogs

#5
03-19-2007, 04:57 PM
JustinK101
Web Hosting Guru
Join Date: Jun 2006
Posts: 304
Quote:
Originally Posted by boonchuan
Are you using any control panel? Maybe you want to try http://www.f-secure.com/blacklight to try an online scan just to be sure?
Yes, we use Plesk version 7.6. They are up to version 8, but I cannot upgrade as I have completely customized Plesk, upgraded PHP and MySQL, and upgrading Plesk would break many of the components.

We already use AVG antivirus and the Prevx scanner to look for viruses, malware, and Trojans.

#6
03-19-2007, 05:01 PM
JustinK101
Web Hosting Guru
Join Date: Jun 2006
Posts: 304
Quote:
Get Process Viewer and find anything that is not identified and stop the service / process.
I have looked at every process, I Googled all of them, and they are all legit. But something could be starting itself, or in fact running behind a known process, such as a backdoor running behind svchost.exe or a trojan behind another system process.

My main goal is to determine how they get in to begin with to plant the trojan, malware, and virus, and to prevent this from happening again.

Quote:
Usually in these cases, a format is the best scenario. But if you don't have a good backup from before it occurred, taking one now is no good.
I have no problem formatting, but I want to determine where the security hole is before I spend all the time reconfiguring and setting everything up. After all, it doesn’t make much sense to spend a week setting everything up again, only to have it hacked again.
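A process list alone does not show what is "running behind" svchost.exe, because the code a hosted service actually runs is the DLL named in its ServiceDll registry value, and a self-starting component may be an auto-start service or a Run-key entry rather than a visible process. The script below is an added example, not code from the thread or from any poster; it assumes PowerShell is installed on the box and is run as an administrator. It changes nothing and only prints what to vet: which services each svchost instance hosts and from which DLL, which services start from a binary outside the Windows directory, and what is registered under the Run and RunOnce keys.

```powershell
# Added example, not from the thread: enumerate what is loaded behind svchost.exe,
# which services run from outside %SystemRoot%, and what the Run/RunOnce keys start.
$services = Get-WmiObject Win32_Service
$svchosts = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"

# Resolve the DLL a hosted service loads (ServiceDll under the service's Parameters key).
function Get-ServiceDll([string]$ServiceName) {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = $null
    if (Test-Path $params) { $dll = (Get-ItemProperty $params).ServiceDll }
    if ($dll) { $dll } else { '(no ServiceDll value)' }
}

'== svchost.exe instances and the services (and DLLs) they host =='
foreach ($p in $svchosts) {
    '{0,6}  {1}' -f $p.ProcessId, $p.CommandLine
    $services | Where-Object { $_.ProcessId -eq $p.ProcessId } | Sort-Object Name |
        ForEach-Object { '        {0,-24} {1}' -f $_.Name, (Get-ServiceDll $_.Name) }
}

'== services whose binary lives outside the Windows directory =='
# Third-party software (control panel, database, antivirus) is expected here;
# anything that does not match a known install is what to investigate.
$sysRoot = $env:SystemRoot
$services | Where-Object {
    $_.PathName -and ($_.PathName.Trim('"') -notlike "$sysRoot\*")
} | Sort-Object Name | ForEach-Object {
    '{0,-24} {1,-9} {2,-8} {3}' -f $_.Name, $_.StartMode, $_.State, $_.PathName
}

'== Run / RunOnce entries (machine and current user) =='
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        # Get-ItemProperty adds PS* bookkeeping properties; skip those.
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '{0}  {1} = {2}' -f $k, $_.Name, $_.Value }
    }
}
```

Run it from a clean administrative session and save the output, then compare the service list and DLL paths against a freshly installed Windows 2003 SP2 box with the same software; a service name or ServiceDll path that exists only on the suspect machine, or a Run entry pointing into a temporary internet files folder, is the kind of "something starting itself" the post is looking for.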

#7
03-19-2007, 05:14 PM
jbiel
Junior Guru Wannabe
Join Date: Feb 2007
Posts: 61
Well, you have two options: keep racking your brains on a production system and allow it to keep getting compromised, or restore from backup and watch the system like a hawk.

If you have the ability, take an image of the system and bring it up elsewhere to check it out offline, but don't continue to leave a system up that you know has security holes; you are only asking for more trouble.

__________________
Jason Biel



#8
03-20-2007, 03:16 AM
plumsauce
******* Unleaded
Join Date: Feb 2004
Posts: 3,802
Furthermore, you are putting your customers at risk.

If they find out about it later, there's going to be h*** to pay.

Word to the wise is all. No offense intended.


__________________
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com

#9
03-20-2007, 03:19 AM
JustinK101
Web Hosting Guru
Join Date: Jun 2006
Posts: 304
In the process of trying to clean this Trojan out, the following happened. Any ideas how I can get Remote Desktop back online? This is a bloody disaster.

http://www.webhostingtalk.com/showthread.php?t=592576

#10
03-20-2007, 04:09 AM
StevenG
Web Hosting Master
Join Date: Apr 2002
Location: Auckland - New Zealand
Posts: 1,572
What version of MailEnable is installed on this box?

Regarding the terminal issue, you'll most likely have to get a local tech to look at the box for you to solve that.

__________________
Flash Arcade Games

#11
03-20-2007, 04:09 AM
JustinK101
Web Hosting Guru
Join Date: Jun 2006
Posts: 304
1.981. I have tried to keep up with all the updates.
