
So I have been hacked (or a client has more precisely)


redwraith94

Member
Joined
Feb 17, 2005
Symantec noticed a slew of trojan horses, netcat, gethash.exe, ipcscan-gui.exe uploaded to one of our customers' servers. This happened around 5:00 am or so on multiple days. I found the ******** IP address, but it is out of an ISP in Italy.

I doubt we will be able to do anything prosecution wise, but here is what I have found:

He has an Epson printer (it tried to install the driver after he RDP'ed in).
He was able to retrieve the hashes out of Active Directory. I have to assume that, as Symantec was unable to clean gethash.exe after it had been copied; again I assume that was because it was running.
He created two accounts, and made them domain admins.
He installed the "HTTP SSH" service, which has been removed.

I ran rootkit revealer, we changed passwords, removed all trojans etc.

My problem now is that while I was looking over the server logs this morning, the only slew of failed auths happened at 5:22 - 5:23 am (a few dozen) from process store.exe trying to auth as the admin account.

Store.exe (the Exchange Info Store) is running as local system, as it should be. I can think of no good reason, and am perhaps being paranoid, but I must ask anyone who might know.

Is it reasonable to assume that store.exe could be compromised? I base this on a few more things:
This guy usually connects around 5-6 am EST, which is about 10:00 am in Rome, Italy (his source IP).
There were a few dozen attempts right at 5:22 am, all failures to auth as the admin account, and they came from the process ID of store.exe.

This is an SBS server running Exchange SP2, with all *known updates applied. I don't like running Exchange on a DC, but it isn't my call. We should change the name of the admin account too, but that also isn't my call.

I am not worried about him guessing the password; LM hashes have been disabled, and the password is a good one.

Any ideas on hardening this box, and could store be compromised? I don't see any good reason for that process to try to auth as anything but local system.
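The failed-auth pattern described in this post (a burst of failures from one process against one account, followed shortly by a successful logon) is the kind of thing that is easier to spot with a small script than by scrolling Event Viewer. The following is an added example, not code from the thread or from any product named in it: it parses a constructed, simplified CSV export of a Security log (the column layout and the sample rows are assumptions), finds bursts of logon failures per (process, account) within a time window, and then reports any success for the same account that follows a burst within a grace period.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an exported Security log, NOT real data from the thread.
# Assumed columns: timestamp, event id, outcome, target account, caller process.
SAMPLE_LOG = """\
2006-03-08 05:21:58,529,Failure,Administrator,store.exe
2006-03-08 05:22:01,529,Failure,Administrator,store.exe
2006-03-08 05:22:04,529,Failure,Administrator,store.exe
2006-03-08 05:22:09,529,Failure,Administrator,store.exe
2006-03-08 05:22:40,529,Failure,Administrator,store.exe
2006-03-08 05:23:05,529,Failure,Administrator,store.exe
2006-03-08 05:25:40,528,Success,Administrator,winlogon.exe
2006-03-08 09:14:02,529,Failure,jsmith,winlogon.exe
2006-03-08 09:14:30,529,Failure,jsmith,winlogon.exe
2006-03-08 09:14:55,528,Success,jsmith,winlogon.exe
"""


def parse_events(text):
    """Parse the CSV-like export into a list of event dicts (chronological order is not assumed)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, outcome, account, process = [f.strip() for f in line.split(",")]
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "outcome": outcome,
            "account": account,
            "process": process,
        })
    return events


def find_failure_bursts(events, window_minutes=2, threshold=5):
    """Return bursts: >= threshold failures for the same (process, account) inside a sliding window."""
    by_key = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failure":
            by_key[(e["process"], e["account"])].append(e["time"])
    window = timedelta(minutes=window_minutes)
    bursts = []
    for (process, account), times in by_key.items():
        times.sort()
        i = 0
        while i < len(times):
            # Extend j as far as the window starting at times[i] allows.
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                bursts.append({"process": process, "account": account,
                               "start": times[i], "end": times[j], "count": count})
                i = j + 1  # do not report overlapping sub-bursts
            else:
                i += 1
    return bursts


def successes_after_bursts(events, bursts, grace_minutes=5):
    """Pair each burst with successful logons for the same account shortly after it ended."""
    grace = timedelta(minutes=grace_minutes)
    hits = []
    for b in bursts:
        for e in events:
            if (e["outcome"] == "Success" and e["account"] == b["account"]
                    and b["end"] < e["time"] <= b["end"] + grace):
                hits.append({"burst": b, "success": e})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = find_failure_bursts(evs)
    for b in found:
        print(f"{b['count']} failures for {b['account']} from {b['process']} "
              f"between {b['start']} and {b['end']}")
    for h in successes_after_bursts(evs, found):
        print(f"  -> success for {h['success']['account']} via {h['success']['process']} "
              f"at {h['success']['time']}")
```

The thresholds (5 failures in 2 minutes, 5-minute grace) are starting points; tune them against a few quiet days of the same log so that normal Exchange or backup traffic does not trip them.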
 
Perhaps at this point it would be more prudent to not take risks and back up any pertinent information to tape or CD and reformat/reinstall/reupdate so that you are positive you are starting with clean install files and don't have any traces left behind by your perpetrator. I'd rather be safe than sorry. If this is a corporate machine, hopefully you have an image on hand to make the process easier. If the machine is on a domain with shared network drives then I would not stop your investigation at this machine alone.

My qualifications: from 199-2001, I was on a team that specialized in virus and spyware removal, combat and prevention. We were a strike team that was called in when the poop had already hit the fan during the Y2K craze.
 


I was assuming that you were already going to wipe the machine and start from scratch.

Fudge is correct though: if a single machine is compromised and the culprit has made himself domain admin, all machines will be compromised.

You need to totally redo your password scheme and blow away ALL existing passwords.
 
It is behind a Cisco PIX. We have wiped all passwords, but we don't have any images of the DC on hand, and don't have any other DCs available. It is a small company, and they prefer that we do as little work as possible; we can't always implement best practices for the same reason, they don't want us spending the time on it.

I need to learn a lot more about security, so I am using this as an opportunity. We do contract work for them, we aren't there every day. I still don't know how he broke in though, and that bugs me a great deal.
 

You need to go through every machine on that network with a fine tooth comb. The login was compromised somehow, and without a clean install you will have to check EVERYTHING to verify he didn't install additional software/rootkits/backdoors etc. elsewhere.
 
I say it's an employee who works there using an .it proxy :p who wants to have fun with the servers...
 
His address is Removed -Ridenow, which the RIPE whois database says is based in Rome, Italy.

This address tried the last unsuccessful authentication, right before the successful authentication, and a couple of minutes before Symantec detected the trojans.

Some of the trojans, and vulnerability scanners were copied to this user's desktop, some trojans were copied to C:\windows\temp, and the gethash.exe, and spoolsv2.exe were copied into the \spool folder.

This guy was hacking our box for a number of days (~ a week), and during that time created the two domain admin accounts, as well as the HTTP SSH server (3/6); it was running for a few days before I caught it.

I don't know how to go over these servers with a fine tooth comb. I need to be able to do it remotely, but aside from looking for oddball services running, what else can I do?

Does anyone know if store.exe may be compromised? I don't see any reason this process should try to impersonate another account...

Also, there was an IP from Cox based in VA that attempted to connect via VPN 15 minutes (in the am) before some malware was copied. I am still looking into it, but I am not an authority on parsing Event Viewer logs.

Removed -Ridenow
Until you can prove it is not a spoof we can not allow an IP to be posted for all to see. Sorry.


I wasn't sure if posting his IP was against forum rules. I know that IP was used, because of the event log, but fair enough, sorry for the hassle.
The machine really needs to be formatted. Consider it compromised until this is done..
 
In the meantime, block the IP with an ACL on the PIX.


If you need to know how to do this I'll try to help you to the best of my abilities. That will, at least, take care of the user on that particular IP (presuming he's not proxying).


Also, as others suggested, back up what you can and wax the server. It sucks, but it's gotta be done for the sake of you and your company's data that hasn't already been compromised. After you get it back up, do a base image to keep downtime to a minimum if this needs to be done in the future.


Edit 2: also, talk to the ISP admin about this matter (the Italy admin). This is an abuse case, and will hopefully aid in at least possibly banning the person from their ISP; however, I don't know what laws are like in Italy.
 
So what is exposed to the internet on this system? It almost sounds like you're allowing all traffic through to this system (including NETBIOS/SMB). Before doing anything else I would take a look at what services (on the compromised server) are in place right now and see what is allowed in/out of the firewall.

From what it sounds like, this system is either a Windows 2000/2003 Small Business Server, or an extremely unlucky Domain Controller that happens to be running Exchange. Take a look at any websites this system is running, and whether it has SQL or any custom applications. More than likely if you reinstall you're going to have the same problem until you determine where/how the leak or exploit occurred. If it's not patched already, do so now, especially Exchange, until you can determine the link. More than likely if the system was compromised by an exploit and there is a modified file, the Windows patches will replace it.
 
You're lucky. My FTP server was hacked, and I had 80GB of random movies, porn, data. My data log pulled 80GB that day, 17GB out on my home connection.

Just redo Windows, and limit brute force, is all I can say. It's not gonna be worth finding that *******.
 

Hacked? Or someone guessed the password?
 

It's virtually the same thing: someone unauthorized gaining access to a machine. It doesn't matter how they obtain the password; if they can guess it and not have to write a program to figure it out for them, more power to them.
 
Well, it depends what you define as "hacking" or "hack".
Just from a quick Google, the first few results show the following:

example:
# hack: Slang for any type of computer programming or, more specifically, attempting to bypass a security system.
# hacked: When an unauthorized programmer gains access into a secure network or Web site, usually by breaking security systems or using a stolen login and password.
source: http://www.metromemetics.com/thelexicon/h.asp

b. To gain access to (a computer file or network) illegally or without authorization: hacked the firm's personnel database.
source: http://www.thefreedictionary.com/Hacked

Think of it this way,
Is someone still breaking into a house if the door is unlocked and they just walk in?
Or is it only classified as breaking into the house if the door is locked and they smash the window?
 
Sorry for taking so long to get back here; I have been going over logs for the last week. I was wrong about the PIX (we usually go with pixies for our clients, but in this case it is a 'commercial grade Linksys router'). It does have firewall functionality, but it is not that good.

It does block traffic, and it is unfortunately an SBS server. It is up to date with patches, but is unfortunately running SQL, Exchange, and IIS...on a DC. I know, I know. Not my call.

It appears an employee in Florida had domain admin credentials, and was not running AV; his computer was infected with at least a trojan and an MBR virus. When he logged in, an SSH service was created (running as local system) for almost a week. From there two domain admin accounts were created, and the DC was RDP'ed into with one of them...The other account was only used once (according to the event logs), and it was used to try to update Backup Exec (msinstaller errors). I know that these accounts were not created by us, and they were the source of the entry.

I have done what I can to clean this thing up, and we looked for rootkits, trojans, and viruses as best as I know how.

The biggest thing bugging me now is the following two IPs that were connected to the server:
TCP 0.0.0.0:10000 0.0.0.0:0 LISTENING 1768
[System]

TCP Servers_IP:18825 218dot1dot233dot11:26000 ESTABLISHED 1768
[System]

TCP 127.0.0.1:10000 127.0.0.1:6671 CLOSE_WAIT 1768
[System]

TCP 127.0.0.1:10000 127.0.0.1:3336 CLOSE_WAIT 1768
[System]

TCP 127.0.0.1:10000 127.0.0.1:6655 CLOSE_WAIT 1768
[System]

TCP 127.0.0.1:10000 127.0.0.1:3317 CLOSE_WAIT 1768
[System]

UDP 0.0.0.0:8064 *:* 1768
[System]

UDP 127.0.0.1:4727 *:* 1768
[System]

That first IP is out of Shanghai (port 26000), and was connected to port 18825 on our end for at least an hour, to a process with ID 1768 that was not listed in Task Manager. We have no services running on ports this high. The only services running are IIS (OWA), SMTP, POP3, M$ VPN. Everything else is firewalled. (With our commercial grade Linksys router, whatever the hell that's worth.)

At this point I had downloaded Hook analyzer, and a few rootkit detection tools (not that an infected kernel would reveal itself), and port explorer.

The second IP was connected later, and out of Korea (from an ISP with a 255 block of addresses lol), and connected to the NetBIOS SMB port 139:

TCP Servers_IP:139 210dot126dot215dot254:3383 ESTABLISHED 4
[System]

I was watching this in Port Explorer, and his source port was changing multiple times per second, scrolling up from low ports to higher ones (1000 to 5000 in just a few minutes). I disabled NetBIOS, only to realize that having NetBIOS disabled breaks Veritas Backup Exec :banghead:

This port IS FIREWALLED, so my only guess is that our box made an outbound connection to his?

I don't know. I have spent an enormous amount of time on this, and we are keeping the customer apprised of the situation, and discussing reformatting the box with them. But it bothers me that I still can't figure out what this douche is after (assuming it is the same person).

We have been monitoring the IPs, but Port Explorer doesn't seem to have a way to alert on suspicious IPs connecting. We only have maybe 10 IPs or so that really need to be trusted, and if anything else connected (especially out of country), if it could fire off an email / kill the connection that would be great.
 