Jump to content

2003 Server Attack by Unknown Hacker, need help


Recommended Posts

Hi All,

Today 3 Proxy server in on my workplace attacked by some hacker, Server running Windows 2003 Std Edition(Service Pack 2).

Attack Details,

A account created with administrative privilege and while we checked, it 's logged on with that account, strange thing is, it's showing built in account, also a exe file called AutoSQL and it started scanning lot's of Public IP's, looks like it broadcasting,

created account is hackp13$, and on event log, it showing following successful logon.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 551
Date: 25/04/2008
Time: 6:25:01 PM
User: AFT-PROXY\hackp13$
Computer: AFT-PROXY
Description:
User initiated logoff:
User Name: hackp13$
Domain: AFT-PROXY
Logon ID: (0x0,0x3b7fec)

After initial shock, we did scan with Microsoft Baseline Security Analyzer, it's showing 3 critical update, and 2 important update reqd. and most interesting part is when I was installing update via Windows update, suddenly hacker take my full desktop control, accessing my mouse, keyboard, and cancel update, then open Internet Explorer, open a site,

Service Window.

1z6f3uo.jpg

AutoSql

15ib57n.jpg

IP Scan

xfriht.jpg

Netstat 1

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\hackp13$>netstat

Active Connections

Proto Local Address Foreign Address State
TCP asdf:1047 asdf:ms-sql-s ESTABLISHED
TCP asdf:1048 asdf:ms-sql-s ESTABLISHED
TCP asdf:1050 asdf:ms-sql-s ESTABLISHED
TCP asdf:1051 asdf:ms-sql-s ESTABLISHED
TCP asdf:1052 asdf:ms-sql-s ESTABLISHED
TCP asdf:1053 asdf:ms-sql-s ESTABLISHED
TCP asdf:1054 asdf:ms-sql-s ESTABLISHED
TCP asdf:ms-sql-s asdf:1047 ESTABLISHED
TCP asdf:ms-sql-s asdf:1048 ESTABLISHED
TCP asdf:ms-sql-s asdf:1050 ESTABLISHED
TCP asdf:ms-sql-s asdf:1051 ESTABLISHED
TCP asdf:ms-sql-s asdf:1052 ESTABLISHED
TCP asdf:ms-sql-s asdf:1053 ESTABLISHED
TCP asdf:ms-sql-s asdf:1054 ESTABLISHED
TCP asdf:2602 asdf:7000 ESTABLISHED
TCP asdf:3103 asdf:7000 CLOSE_WAIT
TCP asdf:5001 asdf:1088 CLOSE_WAIT
TCP asdf:7000 asdf:2602 ESTABLISHED
TCP asdf:7000 asdf:3103 FIN_WAIT_2
TCP asdf:1637 222.76.64.57:8000 ESTABLISHED
TCP asdf:2603 207.46.110.40:http ESTABLISHED
TCP asdf:8080 192.168.16.29:1529 ESTABLISHED
TCP asdf:8080 192.168.33.75:4849 TIME_WAIT
TCP asdf:8080 192.168.33.75:4854 TIME_WAIT
^C
C:\Documents and Settings\hackp13$>netstat -n

Active Connections

Proto Local Address Foreign Address State
TCP 127.0.0.1:1047 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1048 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1050 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1051 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1052 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1053 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1054 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1047 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1048 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1050 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1051 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1052 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1053 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1054 ESTABLISHED
TCP 127.0.0.1:2602 127.0.0.1:7000 ESTABLISHED
TCP 127.0.0.1:3175 127.0.0.1:7000 ESTABLISHED
TCP 127.0.0.1:5001 127.0.0.1:1088 CLOSE_WAIT
TCP 127.0.0.1:7000 127.0.0.1:2602 ESTABLISHED
TCP 127.0.0.1:7000 127.0.0.1:3103 TIME_WAIT
TCP 127.0.0.1:7000 127.0.0.1:3175 ESTABLISHED
TCP 192.168.33.3:1637 222.76.64.57:8000 ESTABLISHED
TCP 192.168.33.3:2603 207.46.110.40:80 ESTABLISHED
TCP 192.168.33.3:3176 74.54.68.215:80 ESTABLISHED
TCP 192.168.33.3:8080 192.168.16.29:1529 ESTABLISHED
TCP 192.168.33.3:8080 192.168.33.75:4849 TIME_WAIT
TCP 192.168.33.3:8080 192.168.33.75:4854 TIME_WAIT
TCP 192.168.33.3:8080 192.168.44.22:2778 TIME_WAIT
TCP 192.168.33.3:8080 192.168.44.22:2779 TIME_WAIT
TCP 192.168.33.3:8080 192.168.44.22:2780 TIME_WAIT
TCP 192.168.33.3:8080 192.168.44.22:2782 ESTABLISHED
TCP 192.168.33.3:8080 192.168.44.22:2783 TIME_WAIT
TCP 192.168.33.3:8080 192.168.44.22:2784 TIME_WAIT
TCP 192.168.33.3:8080 192.168.90.60:1746 FIN_WAIT_2
TCP 192.168.33.3:8080 192.168.90.60:1747 FIN_WAIT_2

C:\Documents and Settings\hackp13$>

Netstat 2

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\hackp13$>netstat -nr

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 11 11 5f 28 60 ...... Intel(R) PRO/1000 CT Network Connection
0x1000004 ...00 11 11 5f 28 62 ...... Intel(R) PRO/100 VE Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.33.154 192.168.33.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.0.0.0 255.0.0.0 192.168.33.154 192.168.33.3 1
192.168.10.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.11.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.12.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.14.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.16.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.18.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.20.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.22.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.23.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.24.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.25.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.31.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.33.0 255.255.255.0 192.168.33.3 192.168.33.3 1
192.168.33.3 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.33.255 255.255.255.255 192.168.33.3 192.168.33.3 1
192.168.36.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.37.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.38.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.39.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.44.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.45.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.60.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.61.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.64.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.65.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.66.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.67.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.68.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.70.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.80.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.88.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.90.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.100.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.140.0 255.255.255.0 192.168.33.154 192.168.33.3 1
192.168.171.0 255.255.255.0 192.168.33.154 192.168.33.3 1
224.0.0.0 224.0.0.0 192.168.33.3 192.168.33.3 1
255.255.255.255 255.255.255.255 192.168.33.3 192.168.33.3 1
Default Gateway: 192.168.33.154
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
192.168.22.0 255.255.255.0 192.168.33.154 1
192.168.23.0 255.255.255.0 192.168.33.154 1
192.168.11.0 255.255.255.0 192.168.33.154 1
192.168.14.0 255.255.255.0 192.168.33.154 1
192.168.24.0 255.255.255.0 192.168.33.154 1
192.168.16.0 255.255.255.0 192.168.33.154 1
192.168.12.0 255.255.255.0 192.168.33.154 1
192.168.44.0 255.255.255.0 192.168.33.154 1
192.168.45.0 255.255.255.0 192.168.33.154 1
192.168.88.0 255.255.255.0 192.168.33.154 1
192.168.38.0 255.255.255.0 192.168.33.154 1
192.168.31.0 255.255.255.0 192.168.33.154 1
192.168.37.0 255.255.255.0 192.168.33.154 1
192.168.39.0 255.255.255.0 192.168.33.154 1
192.168.36.0 255.255.255.0 192.168.33.154 1
192.168.100.0 255.255.255.0 192.168.33.154 1
192.168.20.0 255.255.255.0 192.168.33.154 1
192.168.80.0 255.255.255.0 192.168.33.154 1
192.168.10.0 255.255.255.0 192.168.33.154 1
192.168.140.0 255.255.255.0 192.168.33.154 1
172.0.0.0 255.0.0.0 192.168.33.154 1
192.168.25.0 255.255.255.0 192.168.33.154 1
192.168.90.0 255.255.255.0 192.168.33.154 1
192.168.60.0 255.255.255.0 192.168.33.154 1
192.168.61.0 255.255.255.0 192.168.33.154 1
192.168.66.0 255.255.255.0 192.168.33.154 1
192.168.67.0 255.255.255.0 192.168.33.154 1
192.168.64.0 255.255.255.0 192.168.33.154 1
192.168.65.0 255.255.255.0 192.168.33.154 1
192.168.68.0 255.255.255.0 192.168.33.154 1
192.168.70.0 255.255.255.0 192.168.33.154 1
192.168.18.0 255.255.255.0 192.168.33.154 1
192.168.171.0 255.255.255.0 192.168.33.154 1

C:\Documents and Settings\hackp13$>

We hav PIX in our workplace..

We hav Trend Micro office scan..

Using Trend Micro Proxy Server..

Is there any new vulnerability on 2003 server??

Please help....

Edited by justhink
Link to comment
Share on other sites


Note that you can create a free security case with Microsoft support on this - if you're in the US or Canada, call (866) 727-2338. If you're elsewhere, try http://support.microsoft.com/common/international.aspx.

As to the hotfixes, the first thing I would do is download them on another machine, put them on something like a USB key, and then remove the infected server(s) from the network COMPLETELY and install any missing hotfixes. Next, do a FULL scan of the machine with a virus scanner. If it doesn't find anything, then consider those machines compromised (I'd do this first, but some people like to save servers for some reason) and rebuild offline.

Next thing to do is start actively monitoring any ingress and egress points from your network for suspicious activity (and make sure that your servers are fully patched, and enable the windows firewall and only open necessary ports if possible).

Link to comment
Share on other sites

I've not seen that particular one before - looks like some sort of remote hack though. Again, I'd rebuild those boxes, but cleaning them offline might be sufficient if you can't afford the downtime associated with a rebuild (although, you'll never be sure they're completely clean without rebuilding...).

Link to comment
Share on other sites

I've not seen that particular one before - looks like some sort of remote hack though. Again, I'd rebuild those boxes, but cleaning them offline might be sufficient if you can't afford the downtime associated with a rebuild (although, you'll never be sure they're completely clean without rebuilding...).

System Rebuild complete, rebuild in offiline, then fully patched, also blocked all direct internet access... Till now no more hack,

If there is any new vulnerability on 2003 server, then i am sure they will hack again, coz our external ip are same..

Now we just ahv to wait untill next attack..

Thanks for your kind help..

JusThinK

Link to comment
Share on other sites

I've not seen that particular one before - looks like some sort of remote hack though. Again, I'd rebuild those boxes, but cleaning them offline might be sufficient if you can't afford the downtime associated with a rebuild (although, you'll never be sure they're completely clean without rebuilding...).

System Rebuild complete, rebuild in offiline, then fully patched, also blocked all direct internet access... Till now no more hack,

If there is any new vulnerability on 2003 server, then i am sure they will hack again, coz our external ip are same..

Now we just ahv to wait untill next attack..

Thanks for your kind help..

JusThinK

Are these proxy servers behind a firewall at all?

Link to comment
Share on other sites

I've not seen that particular one before - looks like some sort of remote hack though. Again, I'd rebuild those boxes, but cleaning them offline might be sufficient if you can't afford the downtime associated with a rebuild (although, you'll never be sure they're completely clean without rebuilding...).

System Rebuild complete, rebuild in offiline, then fully patched, also blocked all direct internet access... Till now no more hack,

If there is any new vulnerability on 2003 server, then i am sure they will hack again, coz our external ip are same..

Now we just ahv to wait untill next attack..

Thanks for your kind help..

JusThinK

Are these proxy servers behind a firewall at all?

Yea, all are behind PIX Firewall, but allowed to access direct internet using DNS ip of ISP.

Link to comment
Share on other sites

Yea, all are behind PIX Firewall, but allowed to access direct internet using DNS ip of ISP.
At this point, I'd make certain that NO ports are open to these INBOUND FROM the PIX firewall, and that only necessary ports for internet access are open OUTBOUND TO the PIX firewall as well. This should limit your exposure, although having a box fully patched (and potentially running antivirus software at the current moment) is a good thing too.

Good luck.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...