justhink, posted April 25, 2008 (edited)

Hi All,

Today 3 proxy servers in my workplace were attacked by some hacker. The servers run Windows 2003 Std Edition (Service Pack 2).

Attack details:

An account was created with administrative privilege, and when we checked, it was logged on with that account. The strange thing is that it shows as a built-in account. Also, an exe file called AutoSQL started scanning lots of public IPs; it looks like it is broadcasting. The created account is hackp13$, and the event log shows the following successful logon:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 551
Date: 25/04/2008
Time: 6:25:01 PM
User: AFT-PROXY\hackp13$
Computer: AFT-PROXY
Description:
User initiated logoff:
 User Name: hackp13$
 Domain: AFT-PROXY
 Logon ID: (0x0,0x3b7fec)

After the initial shock, we did a scan with Microsoft Baseline Security Analyzer; it shows 3 critical updates and 2 important updates required. The most interesting part is that while I was installing updates via Windows Update, the hacker suddenly took full control of my desktop, accessing my mouse and keyboard, cancelled the update, then opened Internet Explorer, opened a site, and opened the Services window.

[Screenshot: AutoSql]
[Screenshot: IP Scan]

Netstat 1

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\hackp13$>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    asdf:1047              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1048              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1050              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1051              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1052              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1053              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1054              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1047              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1048              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1050              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1051              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1052              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1053              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1054              ESTABLISHED
  TCP    asdf:2602              asdf:7000              ESTABLISHED
  TCP    asdf:3103              asdf:7000              CLOSE_WAIT
  TCP    asdf:5001              asdf:1088              CLOSE_WAIT
  TCP    asdf:7000              asdf:2602              ESTABLISHED
  TCP    asdf:7000              asdf:3103              FIN_WAIT_2
  TCP    asdf:1637              222.76.64.57:8000      ESTABLISHED
  TCP    asdf:2603              207.46.110.40:http     ESTABLISHED
  TCP    asdf:8080              192.168.16.29:1529     ESTABLISHED
  TCP    asdf:8080              192.168.33.75:4849     TIME_WAIT
  TCP    asdf:8080              192.168.33.75:4854     TIME_WAIT
^C
C:\Documents and Settings\hackp13$>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1047         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1048         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1050         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1051         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1052         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1053         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1054         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1047         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1048         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1050         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1051         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1052         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1053         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1054         ESTABLISHED
  TCP    127.0.0.1:2602         127.0.0.1:7000         ESTABLISHED
  TCP    127.0.0.1:3175         127.0.0.1:7000         ESTABLISHED
  TCP    127.0.0.1:5001         127.0.0.1:1088         CLOSE_WAIT
  TCP    127.0.0.1:7000         127.0.0.1:2602         ESTABLISHED
  TCP    127.0.0.1:7000         127.0.0.1:3103         TIME_WAIT
  TCP    127.0.0.1:7000         127.0.0.1:3175         ESTABLISHED
  TCP    192.168.33.3:1637      222.76.64.57:8000      ESTABLISHED
  TCP    192.168.33.3:2603      207.46.110.40:80       ESTABLISHED
  TCP    192.168.33.3:3176      74.54.68.215:80        ESTABLISHED
  TCP    192.168.33.3:8080      192.168.16.29:1529     ESTABLISHED
  TCP    192.168.33.3:8080      192.168.33.75:4849     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.33.75:4854     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2778     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2779     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2780     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2782     ESTABLISHED
  TCP    192.168.33.3:8080      192.168.44.22:2783     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2784     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.90.60:1746     FIN_WAIT_2
  TCP    192.168.33.3:8080      192.168.90.60:1747     FIN_WAIT_2

C:\Documents and Settings\hackp13$>

Netstat 2

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\hackp13$>netstat -nr

C:\Documents and Settings\hackp13$>

We have a PIX in our workplace.
We have Trend Micro OfficeScan.
We are using Trend Micro Proxy Server.

Is there any new vulnerability on 2003 Server?? Please help....

Edited April 26, 2008 by justhink
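As an added example (not from the thread or any of its participants), a small Python triage script run over a constructed subset of the `netstat -n` lines above. It separates the proxy's expected traffic on its own port 8080 from the two things that stand out in the poster's output: loopback sessions to ms-sql-s (1433) on a machine that is only supposed to be a proxy, and an established session to a public address on a non-web port (222.76.64.57:8000). The port list and buckets are my assumptions, not anything the poster stated.

```python
import ipaddress
import re

# Constructed sample: a hand-picked subset of the `netstat -n` lines quoted in the post.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1047         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1048         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1047         ESTABLISHED
  TCP    127.0.0.1:2602         127.0.0.1:7000         ESTABLISHED
  TCP    192.168.33.3:1637      222.76.64.57:8000      ESTABLISHED
  TCP    192.168.33.3:2603      207.46.110.40:80       ESTABLISHED
  TCP    192.168.33.3:8080      192.168.16.29:1529     ESTABLISHED
  TCP    192.168.33.3:8080      192.168.33.75:4849     TIME_WAIT
"""

# One `netstat -n` TCP row: local ip:port, foreign ip:port, state (UDP rows carry no state).
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            la, lp, ra, rp, st = m.groups()
            rows.append((la, int(lp), ra, int(rp), st))
    return rows


def triage(text, expected_local_ports=(8080,), web_ports=(80, 443)):
    """Bucket live sessions: clients of the proxy listener (expected), loopback sessions to
    SQL Server's 1433 (unexpected on a proxy), and sessions to public IPs on non-web ports."""
    findings = {"inbound_proxy": 0, "loopback_sql": 0, "external_nonweb": []}
    for la, lp, ra, rp, st in parse_netstat(text):
        if st != "ESTABLISHED":
            continue  # TIME_WAIT / FIN_WAIT rows are leftovers, not live sessions
        remote = ipaddress.ip_address(ra)
        if lp in expected_local_ports:
            findings["inbound_proxy"] += 1
        elif remote.is_loopback and rp == 1433:
            findings["loopback_sql"] += 1
        elif remote.is_global and rp not in web_ports:
            findings["external_nonweb"].append(f"{la}:{lp} -> {ra}:{rp}")
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Feed it the full `netstat -n` capture instead of the sample and the same three buckets apply; the loopback port 7000 pair in the capture is left for manual review.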
cluberti, posted April 25, 2008

Note that you can create a free security case with Microsoft support on this - if you're in the US or Canada, call (866) 727-2338. If you're elsewhere, try http://support.microsoft.com/common/international.aspx.

As to the hotfixes, the first thing I would do is download them on another machine, put them on something like a USB key, and then remove the infected server(s) from the network COMPLETELY and install any missing hotfixes. Next, do a FULL scan of the machine with a virus scanner. If it doesn't find anything, then consider those machines compromised (I'd do this first, but some people like to save servers for some reason) and rebuild offline.

Next thing to do is start actively monitoring any ingress and egress points from your network for suspicious activity (and make sure that your servers are fully patched, and enable the Windows firewall and only open necessary ports if possible).
justhink (author), posted April 26, 2008

Thanks. Added screenshots and netstat.
cluberti, posted April 27, 2008

I've not seen that particular one before - looks like some sort of remote hack though. Again, I'd rebuild those boxes, but cleaning them offline might be sufficient if you can't afford the downtime associated with a rebuild (although, you'll never be sure they're completely clean without rebuilding...).
justhink (author), posted April 28, 2008

> I've not seen that particular one before - looks like some sort of remote hack though. Again, I'd rebuild those boxes, but cleaning them offline might be sufficient if you can't afford the downtime associated with a rebuild (although, you'll never be sure they're completely clean without rebuilding...).

System rebuild complete: rebuilt offline, then fully patched, and also blocked all direct internet access... Till now no more hacks. If there is any new vulnerability on 2003 Server, then I am sure they will hack again, because our external IPs are the same. Now we just have to wait until the next attack.

Thanks for your kind help.

JusThinK
cluberti, posted April 28, 2008

> System rebuild complete: rebuilt offline, then fully patched, and also blocked all direct internet access... Till now no more hacks. If there is any new vulnerability on 2003 Server, then I am sure they will hack again, because our external IPs are the same. Now we just have to wait until the next attack.

Are these proxy servers behind a firewall at all?
justhink (author), posted April 28, 2008

> Are these proxy servers behind a firewall at all?

Yes, all are behind a PIX firewall, but allowed to access the internet directly using the ISP's DNS IP.
cluberti, posted April 28, 2008

> Yes, all are behind a PIX firewall, but allowed to access the internet directly using the ISP's DNS IP.

At this point, I'd make certain that NO ports are open to these INBOUND FROM the PIX firewall, and that only necessary ports for internet access are open OUTBOUND TO the PIX firewall as well. This should limit your exposure, although having a box fully patched (and potentially running antivirus software at the current moment) is a good thing too.

Good luck.
Redhatcc, posted April 29, 2008 (edited)

Just my 2 cents: looks like an internal attack (port scanned), lol. But... that is just me. Might want to probe the employees.

Edited April 29, 2008 by Redhatcc