Re: ServU-deamon trojan warning with McAfee
From: Fred Blum (h.f.blum_at_marketconnectnospam.nl)
Date: 09/29/04
- Next message: Marina Roos [SBS-MVP]: "Re: Outlook 2003 & SBS2k3 not sending"
- Previous message: Simon: "Re: Outlook 2003 & SBS2k3 not sending"
- In reply to: SuperGumby [SBS MVP]: "Re: ServU-deamon trojan warning with McAfee"
- Next in thread: SuperGumby [SBS MVP]: "Re: ServU-deamon trojan warning with McAfee"
- Reply: SuperGumby [SBS MVP]: "Re: ServU-deamon trojan warning with McAfee"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 29 Sep 2004 16:22:55 +0200
Before having a panic attack and screaming hell and fire, I want to know
where I stand. Working with Microsoft has never been safe. It's a matter of
functionality over security and stability. Nothing other than finding an FTP
trojan on my system has occurred. The FTP protocol has always been blocked. So
this program could never have been used. My logs and my ISP's logs don't
suggest our server has been misused, because there isn't any traffic to show
for it.
These ports showing can also be caused by an issue having to do with our
ISP-provided and -managed router. Therefore I need to know what I see in
Netstat.
Fred
"SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
news:OlKnOripEHA.2032@TK2MSFTNGP10.phx.gbl...
> and it's quite easy to set a scheduled task to copy the ISA logs, which
> normally get deleted after *so many* days, to a location where you can
> retain them.
>
> Fred, we could discuss how to analyse this and how to do that to our
> heart's content, but is it worthwhile?
>
> We're now discussing 'forensic research', finding out what happened and
> why. If this is important to you, you should probably look for a newsgroup
> called my.god.I've.been.hacked.and.wanna.know.how.
>
> I appreciate that there is a reasonable desire to find out how and why and
> I recognise that others having experienced a similar problem would be
> interested, but IMHO this is a task which takes 'hands on' and many hours;
> I don't think I'm able to analyse it remotely.
>
> IMHO, again, you _may_ (because something I realised while thinking about
> things is that you may have legitimate cause to open ALL those ports,
> except maybe the internet blackjack :) have a compromised system, based on
> data I have available. This PLAIN and SIMPLE shouldn't happen in an ISA
> controlled IP space.
>
> A NETSTAT can reveal some information, but it shouldn't be considered
> conclusive. What happens if my system has been compromised by a trojan
> which replaces the Exch SMTP server with its own version? My system is
> listening on IP.TCP:25 and I expect it to. Does it matter that something
> else is listening on that port and passes 'normal' traffic to my SMTP but
> also interprets anything sent with a start sequence of ***,&&&,))) as a
> command which should be handled by the trojan rather than passed to the
> intercepted SMTP engine?
>
> A clean config SBS, particularly if ISA is involved, performed properly,
> should not suffer the symptoms you have.
>
> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> news:usfOOOipEHA.3668@TK2MSFTNGP15.phx.gbl...
> >
> > In the past we had a problem with an employee accessing sites that are
> > not "professional" ;-) So we now have to keep our logs.
> >
> > W2K SP4, ExcSP3, ISA SP2, SQLSP3 are applied.
> >
> > How can I use Netstat to see what's going on? I have on my external
> > adapter only needed TCP ports listening. In netstat I see UDP ports on
> > 0.0.0.0 listening. New ports are opened and closed all the time in the
> > higher regions, mostly for the proxy server accessing sites. Now and
> > again ports are connected for longer periods. For example the Taiwan
> > Academic Network had a connection established on port 23243, external
> > port 7654. As I can't see a reason for that, I created a site and
> > protocol rule for their IP range.
> >
> > How can I monitor what is happening via a port? Can the new netstat
> > with the -o function be used on W2K? Can connections be disconnected?
> >
> > This is new to me and disturbing because I can't distinguish between
> > normal and abnormal behaviour, nor can I judge the potential dangers. We
> > always outsourced the security part. Now I feel I have to catch up
> > quickly. Any good reading suggestions?
> >
> > TIA,
> >
> > Fred
> >
> > TIA,
> >
> > Fred
> >
> >
> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
> > message news:%23grFnHhpEHA.3300@TK2MSFTNGP12.phx.gbl...
> >> Hi Fred,
> >>
> >> Logs for 1.5 years? Where do you keep them?
> >> Are you able to use regedit now or reg32?
> >>
> >> Please let us know what you find out. You did apply the hotfixes for
> >> SQL after installing SQL, right (Slammer)?
> >>
> >> --
> >> Regards,
> >>
> >> Marina
> >> Microsoft SBS-MVP
> >>
> >> "Fred Blum" <h.f.blum@marketconnectnospam.nl> schreef in bericht
> >> news:uHoaiyfpEHA.800@TK2MSFTNGP14.phx.gbl...
> >> >
> >> > I went over our logs for the last 1.5 years. Outside our office hours
> >> > our network activity is 0.0. I checked netstat -na and found that our
> >> > external interface isn't listening at the ports mentioned by GRC.
> >> > I have a guess why these other ports show up at the GRC site and have
> >> > to check. Other than not being able to start Regedit, other symptoms
> >> > have not been observed over this period. It was detected due to a
> >> > performance problem after adding SQL to this box.
> >> >
> >> > As you said, ISA probably saved the day after an exploitation of a
> >> > W2K (sasser) or IE vulnerability.
> >> >
> >> > TIA,
> >> >
> >> > Fred
> >> >
> >> > "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
> >> > news:O$Xb2$UpEHA.3196@tk2msftngp13.phx.gbl...
> >> > > Marina, FTP was the result not the cause (that's my read anyway).
> >> > >
> >> > > Fred, many would suggest the box has been compromised beyond a
> >> > > tolerable level, it's time to flatten it and start again. I'd sorta
> >> > > agree with them.
> >> > >
> >> > > I wonder if ISA actually saved the day. If you were infected by
> >> > > accidentally visiting a site and the trojan was loaded via an IE
> >> > > vulnerability it _MAY_ be that that is as far as the infection went.
> >> > > It will be interesting to see what difference in your internet usage
> >> > > occurs before/during infection and since cleaning.
> >> > >
> >> > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
> >> > > message news:%238gxIoUpEHA.516@TK2MSFTNGP09.phx.gbl...
> >> > > > Hi Fred,
> >> > > >
> >> > > > FTP FTP FTP.
> >> > > >
> >> > > > You did it to yourself by having an FTP server on your SBS box
> >> > > > without the least security. Did you have port 21 open on your
> >> > > > server? Which other ports?
> >> > > >
> >> > > > --
> >> > > > Regards,
> >> > > >
> >> > > > Marina
> >> > > > Microsoft SBS-MVP
> >> > > >
> >> > > > "Fred Blum" <h.f.blum@marketconnectnospam.nl> schreef in bericht
> >> > > > news:uc4DbKUpEHA.1164@TK2MSFTNGP10.phx.gbl...
> >> > > >>
> >> > > >> We found two ServU-deamon trojans on our SBS server. This type of
> >> > > >> trojan is NOT detected by default by McAfee VirusScan 4.5 or V7.
> >> > > >>
> >> > > >> Go to http://vil.nai.com/vil/content/v_125021.htm for information
> >> > > >> on how to configure V7 to detect this type of program. With 4.5
> >> > > >> run the command line scanner with the /PROGRAM switch.
> >> > > >> 1. Click the START button
> >> > > >> 2. Click RUN
> >> > > >> 3. Type COMMAND and hit ENTER
> >> > > >> 4. Type:
> >> > > >>
> >> > > >> c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub
> >> > > >>
> >> > > >> and hit ENTER.
> >> > > >> The first one was picked up by our scanner while not yet running,
> >> > > >> as svchost.exe in the directory
> >> > > >> C:\winnt\system32\spool\nt\svchost.exe. Running a full scan we
> >> > > >> found regedit.exe in the system32 directory. This instance was
> >> > > >> started as a service in the registry. As a symptom regedit would
> >> > > >> not start. This problem occurred about half a year ago. So for
> >> > > >> half a year we have been running an FTP server on our server.
> >> > > >>
> >> > > >> The question is how we became infected? And what damage can they
> >> > > >> do running an FTP server on our SBS box?
> >> > > >> The regedit.exe infection occurred around the time the sasser
> >> > > >> patch became available. According to the MS site our server was
> >> > > >> infected. Our virus scan software didn't pick up this infection
> >> > > >> although the DAT file included the description for sasser. So
> >> > > >> during the time of sasser and the patch becoming available we
> >> > > >> could have been infected.
> >> > > >> How did svchost.exe infect our system? We are fully patched and
> >> > > >> our virus scanner is up to date. The FTP trojan could be the
> >> > > >> cause. But what would be the point in loading two FTP trojans?
> >> > > >> According to our System Integrator visiting a website with IE on
> >> > > >> this server could be a cause as well. IE is only used as an
> >> > > >> exception while visiting the microsoft site to look up the
> >> > > >> techdocs. On that day I made a typo and ended up at the
> >> > > >> www.micorsoft.com website. IE is patched as well to the latest
> >> > > >> level.
> >> > > >> ISA, SQL and Exchange are patched to the latest level. I'm worried
> >> > > >> that ISA is not doing a sufficient job. Is there a best practice
> >> > > >> tool for ISA? Or a document on what ports need to be opened and
> >> > > >> for what reason? How can specific ports be made Stealth?
> >> > > >>
> >> > > >> TIA,
> >> > > >>
> >> > > >> Regards,
> >> > > >>
> >> > > >> Fred
> >> > > >>
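Fred's question above about how to read netstat (and whether the newer netstat -o works on W2K), together with SuperGumby's caveat that a listener on the expected port is not proof that the expected program is the one answering, is the sort of thing a short triage script makes concrete. The block below is an added example, not code from the original thread or from Microsoft. It assumes `netstat -ano` output: the -o switch that prints the owning PID arrived with Windows XP, the Windows 2000 netstat does not have it, so on W2K the port-to-process mapping has to come from a tool such as Sysinternals TCPView or Foundstone's Fport, and the parser treats the PID column as optional. The expected-listener and known-image tables are illustrative assumptions for an SBS box running Exchange SMTP, IIS and ISA, not a vetted baseline, and the sample netstat listing and PID-to-image map are constructed.

```python
"""Triage a Windows netstat listing against an expected-listener baseline.

Added example, not code from the original thread. Assumptions: input is in
`netstat -ano` format (Windows XP/2003; the Windows 2000 netstat has no -o, so
the PID column is optional and owner checks are skipped when it is missing),
the PID-to-image-path map comes from a tool such as TCPView or Fport, and the
allowlists below are illustrative for an SBS box, not a vetted baseline.
"""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# One netstat row: proto, local addr:port, foreign addr:port, optional state, optional PID.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$")

# Ports this server is meant to expose and the image that should own them
# (assumed: Exchange 2000 SMTP and IIS run inside inetinfo.exe, IKE in lsass.exe).
EXPECTED_LISTENERS = {
    ("TCP", 25): "inetinfo.exe",
    ("TCP", 80): "inetinfo.exe",
    ("TCP", 443): "inetinfo.exe",
    ("UDP", 500): "lsass.exe",
}

# Where well-known images legitimately live (assumed default paths, lower-case).
# A familiar name in the wrong directory, like the spool\nt\svchost.exe from the
# thread, is exactly what this catches.
KNOWN_IMAGES = {
    "svchost.exe": r"c:\winnt\system32\svchost.exe",
    "lsass.exe": r"c:\winnt\system32\lsass.exe",
    "inetinfo.exe": r"c:\winnt\system32\inetsrv\inetinfo.exe",
    "wspsrv.exe": r"c:\program files\microsoft isa server\wspsrv.exe",
}

# Remote ports an outbound session from this box may legitimately use.
ALLOWED_REMOTE_PORTS = {25, 80, 443}


def parse_netstat(text):
    """Parse netstat output into Conn tuples; pid is None when the column is absent."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank and "Active Connections" lines
        proto, lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip, rport, state or "",
                          int(pid) if pid else None))
    return conns


def triage(conns, owners, trusted_remote=()):
    """Return (Conn, reason) pairs for everything that deviates from the baseline.

    owners: {pid: full image path}. trusted_remote: CIDR strings whose hosts may
    be contacted on any port (the LAN, a partner range).
    """
    nets = [ip_network(n) for n in trusted_remote]
    findings, seen_pids = [], set()
    for c in conns:
        path = owners.get(c.pid, "")
        base = path.rsplit("\\", 1)[-1].lower()
        # 1. Familiar image name running from a directory it does not belong in.
        if c.pid is not None and c.pid not in seen_pids:
            seen_pids.add(c.pid)
            expected = KNOWN_IMAGES.get(base)
            if expected and path.lower() != expected:
                findings.append((c, f"pid {c.pid}: {base} running from unexpected path {path}"))
        # 2. Listeners: a port nobody should expose, or an expected port owned by the
        #    wrong process (something answering on 25 and forwarding to the real SMTP).
        if c.state == "LISTENING" or c.proto == "UDP":
            want = EXPECTED_LISTENERS.get((c.proto, c.local_port))
            if want is None:
                findings.append((c, f"{c.proto}/{c.local_port} listener not on the allowlist"))
            elif base and base != want:
                findings.append((c, f"{c.proto}/{c.local_port} owned by {base}, expected {want}"))
        # 3. Established sessions to an unexpected port on an untrusted host.
        elif c.state == "ESTABLISHED":
            rip, rport = ip_address(c.remote_ip), int(c.remote_port)
            if rport not in ALLOWED_REMOTE_PORTS and not any(rip in n for n in nets):
                findings.append((c, f"session to untrusted {c.remote_ip}:{rport}"))
    return findings


# Constructed sample `netstat -ano` output (not from the original post): 203.0.113.10
# is the external interface, 198.51.100.7 the remote host holding a long-lived session.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:7654           0.0.0.0:0              LISTENING       1880
  TCP    203.0.113.10:23243     198.51.100.7:7654      ESTABLISHED     1880
  TCP    203.0.113.10:1042      198.51.100.99:80       ESTABLISHED     1452
  UDP    0.0.0.0:500            *:*                                    668
"""

# Constructed PID-to-image map, as TCPView or Fport would report it.
SAMPLE_OWNERS = {
    1204: r"C:\WINNT\system32\inetsrv\inetinfo.exe",
    1452: r"C:\Program Files\Microsoft ISA Server\wspsrv.exe",
    1880: r"C:\WINNT\system32\spool\nt\svchost.exe",
    668: r"C:\WINNT\system32\lsass.exe",
}

if __name__ == "__main__":
    for conn, why in triage(parse_netstat(SAMPLE_NETSTAT), SAMPLE_OWNERS,
                            trusted_remote=["203.0.113.0/24"]):
        print(f"{conn.proto} {conn.local_ip}:{conn.local_port} -> "
              f"{conn.remote_ip}:{conn.remote_port} {conn.state}: {why}")
```

Run it against a saved listing (netstat -ano > netstat.txt on XP/2003, or a netstat -na listing plus a TCPView/Fport export on W2K) rather than the embedded sample, and replace the two tables with what the server is actually supposed to expose. The three checks are deliberately independent: an allowed port owned by the wrong image is reported even when that image sits at its normal path, which is the only netstat-level signal available for the SMTP-wrapper scenario SuperGumby describes, and the path check is the one that would have flagged C:\winnt\system32\spool\nt\svchost.exe the moment it started listening.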