  1. #1
    Join Date
    Jun 2006
    Posts
    304

    Compromised Windows 2003 Server


    Hello, so I have been trying to troubleshoot our Windows 2003 server for weeks, but have made no headway. The following are the steps they take to breach the server.

    “They” are able to create an account. Some used usernames they have created are: sysadmin, adm, mssqladm.

    It is very odd; looking in the event viewer, they just appear to create accounts out of the blue. They don't even log in or attempt to log in or anything; all of a sudden it says, New Account Created.

    “They” then change the password of the account they just created.

    Then “They” assign themselves the following group permissions: ‘Users’ and ‘Administrators’. ** SHAKING MY HEAD ** How the bloody hell do they assign themselves Administrator rights?

    Then they do a few different actions depending; often they disable the Windows firewall and change open ports, other times they simply just log off, and other times they have placed Trojan horses and other malware in the temporary internet folder under their user folder.

    This has been a cat and mouse game for weeks. I catch the new account and immediately delete it, check the firewall and enable it if needed, then run a full system scan with AVG and Prevx. Sometimes AVG finds Trojans and malware, other times it's clear.

    I have racked my brain, checked all running processes with Google, and they all seem legit. I have updated everything in Windows via Windows Update; we are running Windows 2003 Server SP2. I have looked at the users and groups and everything seems secure.

    Do you guys have any idea what is going on? I have a feeling something is running internally, which is allowing them to create the accounts.

    Is there a tool that tracks all currently running processes, and allows you to go look at the logs to see what exactly was running at a certain time?

    Thanks for the assistance.
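The sequence described in the post (account created, password set, account added to Administrators) and the question about reconstructing what was running at a given time can both be answered from the Security log once the "Audit account management" and "Audit process tracking" audit policies are enabled. The script below is an added example, not code from any poster in this thread. It runs over constructed sample lines in a simplified pipe-delimited form (time|event id|subject|description), which is not the real Event Viewer export layout, and uses the Windows 2003 Security log event IDs 624 (user account created), 628 (user account password set), 636 (member added to security-enabled local group), 592 (new process created) and 593 (process exited). The host name WEB01 and the account names are made up. The field to check first is the caller that created the account: if it is the machine account or a service identity rather than an interactively logged-on user, the account is being created by something already running on the box, which is what the "something is running internally" suspicion would look like in the log.

```python
import re
from datetime import datetime, timedelta

# Windows 2003 (pre-Vista) Security log event IDs
ACCOUNT_CREATED = 624
PASSWORD_SET = 628
LOCAL_GROUP_MEMBER_ADDED = 636
PROCESS_CREATED = 592
PROCESS_EXITED = 593

# Constructed sample log, simplified to "time|event id|subject|description".
# Not the real Event Viewer export format; host WEB01 and all names are made up.
SAMPLE_LOG = r"""
2007-04-02 03:14:07|592|NT AUTHORITY\SYSTEM|New Process ID: 1840 Image File Name: C:\WINDOWS\system32\cmd.exe Creator Process ID: 1204
2007-04-02 03:14:09|624|NT AUTHORITY\SYSTEM|User Account Created: New Account Name: sysadmin New Domain: WEB01 Caller User Name: WEB01$
2007-04-02 03:14:10|628|NT AUTHORITY\SYSTEM|User Account password set: Target Account Name: sysadmin Caller User Name: WEB01$
2007-04-02 03:14:11|636|NT AUTHORITY\SYSTEM|Security Enabled Local Group Member Added: Member Name: sysadmin Target Account Name: Users
2007-04-02 03:14:12|636|NT AUTHORITY\SYSTEM|Security Enabled Local Group Member Added: Member Name: sysadmin Target Account Name: Administrators
2007-04-02 03:14:20|593|NT AUTHORITY\SYSTEM|Process ID: 1840 Image File Name: C:\WINDOWS\system32\cmd.exe
2007-04-02 09:00:00|624|WEB01\jsmith|User Account Created: New Account Name: billing New Domain: WEB01 Caller User Name: jsmith
2007-04-02 09:00:05|636|WEB01\jsmith|Security Enabled Local Group Member Added: Member Name: billing Target Account Name: Users
""".strip().splitlines()


def _time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _field(desc, label):
    """Pull the single-token value that follows 'Label:' in an event description."""
    m = re.search(re.escape(label) + r":\s*(\S+)", desc)
    return m.group(1) if m else None


def parse_events(lines):
    """Parse the simplified export into dicts, sorted by time."""
    events = []
    for line in lines:
        ts, eid, subject, desc = line.split("|", 3)
        events.append({"time": _time(ts), "id": int(eid), "subject": subject, "desc": desc})
    return sorted(events, key=lambda e: e["time"])


def find_suspicious_accounts(events, window=timedelta(minutes=10)):
    """Accounts that were created and then added to Administrators within `window`."""
    created = {}
    hits = []
    for ev in events:
        if ev["id"] == ACCOUNT_CREATED:
            created[_field(ev["desc"], "New Account Name")] = ev
        elif ev["id"] == PASSWORD_SET:
            name = _field(ev["desc"], "Target Account Name")
            if name in created:
                created[name]["password_set"] = True
        elif (ev["id"] == LOCAL_GROUP_MEMBER_ADDED
              and _field(ev["desc"], "Target Account Name") == "Administrators"):
            name = _field(ev["desc"], "Member Name")
            if name in created and ev["time"] - created[name]["time"] <= window:
                c = created[name]
                hits.append({
                    "account": name,
                    "created_by": _field(c["desc"], "Caller User Name"),
                    "password_set": c.get("password_set", False),
                    "seconds_to_admin": int((ev["time"] - c["time"]).total_seconds()),
                })
    return hits


def processes_running_at(events, when):
    """Rebuild the set of live processes at time `when` from 592/593 events."""
    at = _time(when)
    alive = {}
    for ev in events:
        if ev["time"] > at:
            break
        if ev["id"] == PROCESS_CREATED:
            alive[int(_field(ev["desc"], "New Process ID"))] = _field(ev["desc"], "Image File Name")
        elif ev["id"] == PROCESS_EXITED:
            alive.pop(int(_field(ev["desc"], "Process ID")), None)
    return sorted(alive.items())


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for hit in find_suspicious_accounts(EVENTS):
        print("suspicious account:", hit)
    print("running at 03:14:10:", processes_running_at(EVENTS, "2007-04-02 03:14:10"))
```

On the constructed data the "sysadmin" account is flagged (created by the machine account WEB01$ with a password set and Administrators membership three seconds later), while "billing", created by a named user and added only to Users, is not. The process view shows cmd.exe alive at the moment the account was created; on a real log the creator process ID in the 592 event is the thread to pull on, because it names the already-running service or process that spawned it. Process tracking is off by default and the Security log is small by default, so raise the log size and enable the policy before relying on either.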

  2. #2
    Join Date
    Mar 2004
    Location
    Singapore/Melbourne
    Posts
    6,890
    Are you using any control panel? Maybe you want to try http://www.f-secure.com/blacklight to try an online scan just to be sure?

  3. #3
    Join Date
    Feb 2007
    Posts
    61
    Have you changed all your passwords on accounts that were created before this started?

    Get process viewer and find anything that is not identified and stop the service / process.

    Usually in these cases, a format is the best scenario. But if you don't have a good backup from before it occurred, taking one now is no good.
    Jason Biel


  4. #4
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,062
    I would agree that you really need to format this box. There are rootkits for Windows, and once a rootkit has been applied to your machine there is no telling what is sitting around in the filesystem waiting to accept commands from some devious individual.

    The problem is that some of your system binaries may have been replaced with a similar looking file. It sounds like this is what has happened.

    Personally I would move all my clients to a fresh (secured) box and then try to figure out what is going on with the hacked box. Remember do not push anything from this server to another machine because there may be a key logger waiting for you to type admin passwords so they can simply follow you to the new box.

    good luck
    Just199.com cPanel WebHosting and VPS's
    Paidforumposting.com The #1 content provider for forums and blogs

  5. #5
    Join Date
    Jun 2006
    Posts
    304
    Quote Originally Posted by boonchuan
    Are you using any controlpanel? Maybe you want to try http://www.f-secure.com/blacklight to try an online scan just to be sure?
    Yes, we use Plesk, version 7.6; they are up to version 8 but I cannot upgrade as I have completely customized Plesk, upgraded PHP and MySQL, and upgrading Plesk would break many of the components.

    We already use AVG antivirus and the Prevx scanner to look for viruses, malware, and Trojans.

  6. #6
    Join Date
    Jun 2006
    Posts
    304
    Get process viewer and find anything that is not identified and stop the service / process.
    I have looked at every process, I googled all of them, and they are all legit. But something could be starting itself, or in fact running behind a known process, such as a backdoor running behind svchost.exe or a trojan behind another system process.

    My main goal is to determine how they get in to begin with to plant the trojan, malware, virus, and prevent this from happening again.

    Usually in these cases, a format is the best scenerio. But if you don't have a good backup before it occured, taking one now is no good.
    I have no problem formatting, but I want to determine where the security hole is before I spend all the time reconfiguring and setting anything up. After all, it doesn’t make much sense to spend a week setting everything up again, only to have it hacked again.

  7. #7
    Join Date
    Feb 2007
    Posts
    61
    Well, you have two options: keep racking your brains on a production system and allow it to keep getting compromised, or restore from backup and watch the system like a hawk.

    If you have the ability, take an image of the system and bring it up elsewhere to check it out offline, but don't continue to leave a system up that you know has security holes; you are only asking for more trouble.
    Jason Biel


  8. #8
    Furthermore, you are putting your customers at risk.

    If they find out about it later, there's going to be h*** to pay.

    Word to the wise is all. No offense intended.

    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  9. #9
    Join Date
    Jun 2006
    Posts
    304
    In the process of trying to clean this Trojan out, the following happened. Any ideas how I can get Remote Desktop back online? This is a bloody disaster.

    http://www.webhostingtalk.com/showthread.php?t=592576

  10. #10
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    What version of MailEnable is installed on this box?

    Regards the terminal issue, you'll most likely have to get a local tech to look at the box for you to solve that.

  11. #11
    Join Date
    Jun 2006
    Posts
    304
    1.981 I have tried to keep up with all the updates.
