Re: ServU-deamon trojan warning with McAfee

From: SuperGumby [SBS MVP] (not_at_your.nellie)
Date: 09/29/04


Date: Wed, 29 Sep 2004 23:47:01 +1000

And it's quite easy to set a scheduled task to copy the ISA logs, which
normally get deleted after *so many* days, to a location where you can
retain them.

Fred, we could discuss how to analyse this and how to do that to our heart's
content, but is it worthwhile?

We're now discussing 'forensic research', finding out what happened and why.
If this is important to you, you should probably look for a newsgroup called
my.god.I've.been.hacked.and.wanna.know.how.

I appreciate that there is a reasonable desire to find out how and why, and I
recognise that others having experienced a similar problem would be
interested, but IMHO this is a task which takes 'hands on' and many hours; I
don't think I'm able to analyse it remotely.

IMHO, again, you _may_ (because something I realised while thinking about
things is that you may have legitimate cause to open ALL those ports, except
maybe the internet blackjack :) have a compromised system, based on data I
have available. This PLAIN and SIMPLE shouldn't happen in an ISA controlled
IP space.

A NETSTAT can reveal some information, but it shouldn't be considered
conclusive. What happens if my system has been compromised by a trojan which
replaces the Exch SMTP server with its own version? My system is listening
on IP.TCP:25 and I expect it to. Does it matter that something else is
listening on that port and passes 'normal' traffic to my SMTP but also
interprets anything sent with a start sequence of ***,&&&,))) as a command
which should be handled by the trojan rather than passed to the intercepted
SMTP engine?

A clean config SBS, particularly if ISA is involved, performed properly,
should not suffer the symptoms you have.
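As an added example, not part of the thread, here is the kind of netstat triage the posts above talk around: it parses `netstat -ano` style output (constructed sample, XP/2003 format with a PID column) together with a constructed PID-to-image map, compares every listener against an assumed baseline of expected port/process pairs, and flags both listeners missing from the baseline and baseline ports owned by an unexpected image. The port/process pairs and image names are assumptions for illustration, not a recommended SBS baseline; as the post says, a trojan that sits in front of the real SMTP service and forwards normal traffic would still look "normal" to this check.

```python
"""Triage Windows netstat output against an expected-listener baseline.

Added example with constructed data: the sample output, PID map and the
expected port/process pairs are assumptions, not a recommended SBS baseline.
"""
from typing import Dict, List, Tuple

# Constructed 'netstat -ano' style output (XP/2003 format, PID in last column).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:7654           0.0.0.0:0              LISTENING       2044
  TCP    192.0.2.10:23243       198.51.100.7:7654      ESTABLISHED     2044
  UDP    0.0.0.0:1434           *:*                                    1580
"""

# Constructed PID -> image name map (what 'tasklist' would report).
SAMPLE_TASKLIST = {1432: "svchost.exe", 1120: "inetinfo.exe",
                   2044: "svchost.exe", 1580: "sqlservr.exe"}

# Assumed baseline: (proto, port) -> image expected to own that listener.
EXPECTED = {("TCP", 25): "inetinfo.exe", ("TCP", 443): "inetinfo.exe",
            ("UDP", 1434): "sqlservr.exe"}


def parse_listeners(netstat_text: str) -> List[Tuple[str, int, int]]:
    """Return (proto, port, pid) for TCP sockets in LISTENING and every UDP socket."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unknown protocol
        if fields[0] == "TCP" and (len(fields) != 5 or fields[3] != "LISTENING"):
            continue  # established/closing connections are not listeners
        if fields[0] == "UDP" and len(fields) != 4:
            continue
        port = int(fields[1].rsplit(":", 1)[1])  # works for IPv4 and [IPv6]:port
        found.append((fields[0], port, int(fields[-1])))
    return found


def find_anomalies(listeners, tasklist: Dict[int, str], expected) -> List[Tuple[str, str, int, int, str]]:
    """Flag listeners missing from the baseline and baseline ports owned by the wrong image."""
    report = []
    for proto, port, pid in listeners:
        image = tasklist.get(pid, "<unknown>")
        want = expected.get((proto, port))
        if want is None:
            report.append(("unexpected_listener", proto, port, pid, image))
        elif image.lower() != want.lower():
            report.append(("unexpected_owner", proto, port, pid, image))
    return sorted(report)


if __name__ == "__main__":
    for item in find_anomalies(parse_listeners(SAMPLE_NETSTAT), SAMPLE_TASKLIST, EXPECTED):
        print(item)
```

On the sample this reports the unknown listener on TCP 7654 and the SMTP port owned by svchost.exe instead of the expected image; both are questions to follow up with the scanner and the ISA logs, not proof of compromise.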

"Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
news:usfOOOipEHA.3668@TK2MSFTNGP15.phx.gbl...
>
> In the past we had a problem with an employee accessing sites that are not
> "professional" ;-) So we now have to keep our logs.
>
> W2K SP4, ExcSP3, ISA SP2, SQLSP3 are applied.
>
> How can I use Netstat to see what's going on? I have on my external adapter
> only needed TCP ports listening. In netstat I see UDP ports on 0.0.0.0
> listening. New ports are opened and closed all the time in the higher
> regions. Mostly for proxy server accessing sites. Now and again ports are
> connected for longer periods. For example the Taiwan Academic Network had a
> connection established on port 23243 external port 7654. As I can't see a
> reason for that, I created a site and protocol rule for their IP range.
>
> How can I monitor what is happening via a port? Can the new netstat with -o
> function be used on W2K? Can connections be disconnected?
>
> This is new to me and disturbing because I can't distinguish between normal
> and abnormal behaviour, nor can I judge the potential dangers. We always
> outsourced the security part. Now I feel I have to catch up quick. Any good
> reading suggestions?
>
> TIA,
>
> Fred
>
>
> "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> news:%23grFnHhpEHA.3300@TK2MSFTNGP12.phx.gbl...
>> Hi Fred,
>>
>> Logs for 1.5 years? Where do you keep them?
>> Are you able to use regedit now or reg32?
>>
>> Please let us know what you find out. You did apply the hotfixes for SQL
>> after installing SQL, right (Slammer)?
>>
>> --
>> Regards,
>>
>> Marina
>> Microsoft SBS-MVP
>>
>> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
>> news:uHoaiyfpEHA.800@TK2MSFTNGP14.phx.gbl...
>> >
>> > I went over our logs for the last 1.5 years. Outside our office hours our
>> > network activity is 0.0. I checked netstat -na and found that our external
>> > interface isn't listening at the ports mentioned by GRC.
>> > I have a guess why these other ports show up at the GRC site and have to
>> > check. Other than not being able to start Regedit, other symptoms have not
>> > been observed over this period. It was detected due to a performance
>> > problem after adding SQL to this box.
>> >
>> > As you said, ISA probably saved the day after an exploitation of a W2K
>> > (sasser) or IE vulnerability.
>> >
>> > TIA,
>> >
>> > Fred
>> >
>> > "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
>> > news:O$Xb2$UpEHA.3196@tk2msftngp13.phx.gbl...
>> > > Marina, FTP was the result not the cause (that's my read anyway).
>> > >
>> > > Fred, many would suggest the box has been compromised beyond a tolerable
>> > > level, it's time to flatten it and start again. I'd sorta agree with them.
>> > >
>> > > I wonder if ISA actually saved the day. If you were infected by
>> > > accidentally visiting a site and the trojan was loaded via an IE
>> > > vulnerability it _MAY_ be that that is as far as the infection went. It
>> > > will be interesting to see what difference in your internet usage occurs
>> > > before/during infection and since cleaning.
>> > >
>> > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
>> > > message news:%238gxIoUpEHA.516@TK2MSFTNGP09.phx.gbl...
>> > > > Hi Fred,
>> > > >
>> > > > FTP FTP FTP.
>> > > >
>> > > > You did it to yourself by having an FTP server on your SBS box without
>> > > > the least security. Did you have port 21 open on your server? Which
>> > > > other ports?
>> > > >
>> > > > --
>> > > > Regards,
>> > > >
>> > > > Marina
>> > > > Microsoft SBS-MVP
>> > > >
>> > > > "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
>> > > > news:uc4DbKUpEHA.1164@TK2MSFTNGP10.phx.gbl...
>> > > >>
>> > > >> We found two ServU-deamon trojans on our SBS server. This type of
>> > > >> trojan is NOT detected by default by McAfee VirusScan 4.5 or V7.
>> > > >>
>> > > >> Go to http://vil.nai.com/vil/content/v_125021.htm for information on
>> > > >> how to configure V7 to detect this type of program. With 4.5 run the
>> > > >> command line scanner with the /PROGRAM switch.
>> > > >> 1. Click the START button
>> > > >> 2. Click RUN
>> > > >> 3. Type COMMAND and hit ENTER
>> > > >> 4. Type:
>> > > >>
>> > > >> c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub
>> > > >>
>> > > >> and hit ENTER.
>> > > >> The first one was picked up while not yet running as svchost.exe in
>> > > >> the directory C:\winnt\system32\spool\nt\svchost.exe by our scanner.
>> > > >> Running a full scan we found regedit.exe in the system32 directory.
>> > > >> This instance was started as a service in the registry. As a symptom
>> > > >> regedit would not start. This problem occurred about half a year ago.
>> > > >> So for half a year we have been running an FTP server on our server.
>> > > >>
>> > > >> The question is how we became infected? And what damage can they do
>> > > >> running an FTP server on our SBS box?
>> > > >> The regedit.exe infection occurred around the time the sasser patch
>> > > >> came available. According to the MS site our server was infected. Our
>> > > >> virus scan software didn't pick up this infection although the DAT
>> > > >> file included the description for sasser. So during the time of sasser
>> > > >> and the patch coming available we could have been infected.
>> > > >> How did svchost.exe infect our system? We are fully patched and our
>> > > >> virusscanner is up to date. The FTP trojan could be the cause. But
>> > > >> what would be the point in loading two FTP trojans? According to our
>> > > >> System Integrator visiting a website with IE on this server could be a
>> > > >> cause as well. IE is only used as an exception while visiting the
>> > > >> microsoft site to look up the techdocs. On that day I made a typo and
>> > > >> ended up at the www.micorsoft.com website. IE is patched as well to
>> > > >> the latest level.
>> > > >> ISA, SQL and Exchange are patched to the latest level. I'm worried
>> > > >> that ISA is not doing a sufficient job. Is there a best practice tool
>> > > >> for ISA? Or a document on what ports need to be opened and for what
>> > > >> reason? How can specific ports be made Stealth?
>> > > >>
>> > > >> TIA,
>> > > >>
>> > > >> Regards,
>> > > >>
>> > > >> Fred