Re: ServU-deamon trojan warning with McAfee

From: SuperGumby [SBS MVP] (not_at_your.nellie)
Date: 09/29/04


Date: Thu, 30 Sep 2004 00:47:03 +1000

NO, the problem goes further than that.

'Nothing other than finding a FTP trojan on my system has occurred.' can be
elsewise read as 'someone installed a program on my system without my
knowledge'. My question is whether something you have not yet detected is on
the system.

Your ISA, according to the port report you posted, is letting through a lot
of unexpected things. If neither your system integrator nor you can explain
why then a third party is responsible.

I'm not 'chicken little'. I ignore a lot of posts in this group where
someone asks 'what is this traffic'. I've even suggested Susan sometimes
behaves in an 'alarmist' manner. I'm also surprised Susan isn't on a plane
with her 2*4 heading your way. (and from all accounts this would compound
your problems :)

I WILL scream 'hell and high water', because in my belief either you, your
integrator, or a third party is responsible for this.

"Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
news:eGynR$ipEHA.4008@TK2MSFTNGP14.phx.gbl...
>
> Before having a panic attack and screaming hell and fire, I want to know
> where I stand. Working with Microsoft has never been safe. It's a matter
> of functionality over security and stability. Nothing other than finding
> a FTP trojan on my system has occurred. FTP protocol has always been
> blocked. So this program could have never been used. My logs and my ISP's
> logs don't suggest our server has been misused, because there isn't any
> traffic to show for.
>
> These ports showing can also be caused by an issue having to do with our
> ISP's provided and managed router. Therefore I need to know what I see in
> Netstat.
>
> Fred
>
> "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
> news:OlKnOripEHA.2032@TK2MSFTNGP10.phx.gbl...
>> and it's quite easy to set a scheduled task to copy the ISA logs, which
>> normally get deleted after *so many* days, to a location where you can
>> retain them.
>>
>> Fred, we could discuss how to analyse this and how to do that to our
>> heart's content, but is it worthwhile?
>>
>> We're now discussing 'forensic research', finding out what happened and
>> why. If this is important to you, you should probably look for a newsgroup
>> called my.god.I've.been.hacked.and.wanna.know.how.
>>
>> I appreciate that there is a reasonable desire to find out how and why and
>> I recognise that others having experienced a similar problem would be
>> interested, but IMHO this is a task which takes 'hands on' and many hours,
>> I don't think I'm able to analyse it remotely.
>>
>> IMHO, again, you _may_ (because something I realised while thinking about
>> things is that you may have legitimate cause to open ALL those ports,
>> except maybe the internet blackjack :) have a compromised system, based on
>> data I have available. This PLAIN and SIMPLE shouldn't happen in an ISA
>> controlled IP space.
>>
>> A NETSTAT can reveal some information, but it shouldn't be considered
>> conclusive. What happens if my system has been compromised by a trojan
>> which replaces the Exch SMTP server with its own version? My system is
>> listening on IP.TCP:25 and I expect it to. Does it matter that something
>> else is listening on that port and passes 'normal' traffic to my SMTP but
>> also interprets anything sent with a start sequence of ***,&&&,))) as a
>> command which should be handled by the trojan rather than passed to the
>> intercepted SMTP engine?
>>
>> A clean config SBS, particularly if ISA is involved, performed properly,
>> should not suffer the symptoms you have.
>>
>> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
>> news:usfOOOipEHA.3668@TK2MSFTNGP15.phx.gbl...
>> >
>> > In the past we had a problem with an employee accessing sites that are
>> > not "professional" ;-) So we now have to keep our logs.
>> >
>> > W2K SP4, ExcSP3, ISA SP2, SQLSP3 are applied.
>> >
>> > How can I use Netstat to see what's going on? I have on my external
>> > adapter only needed TCP ports listening. In netstat I see UDP ports on
>> > 0.0.0.0 listening. New ports are opened and closed all the time in the
>> > higher regions. Mostly for proxy server accessing sites. Now and again
>> > ports are connected for longer periods. For example the Taiwan Academic
>> > Network had a connection established on port 23243 external port 7654.
>> > As I can't see a reason for that, I created a site and protocol rule for
>> > their IP range.
>> >
>> > How can I monitor what is happening via a port? Can the new netstat
>> > with -o function be used on W2K? Can connections be disconnected?
>> >
>> > This is new to me and disturbing because I can't distinguish between
>> > normal and abnormal behaviour, nor can I judge the potential dangers. We
>> > always outsourced the security part. Now I feel I have to catch up quick.
>> > Any good reading suggestions?
>> >
>> > TIA,
>> >
>> > Fred
>> >
>> >
>> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
>> > message
>> > news:%23grFnHhpEHA.3300@TK2MSFTNGP12.phx.gbl...
>> >> Hi Fred,
>> >>
>> >> Logs for 1.5 years? Where do you keep them?
>> >> Are you able to use regedit now or reg32?
>> >>
>> >> Please let us know what you find out. You did apply the hotfixes for
>> >> SQL after installing SQL right (Slammer)?
>> >>
>> >> --
>> >> Regards,
>> >>
>> >> Marina
>> >> Microsoft SBS-MVP
>> >>
>> >> "Fred Blum" <h.f.blum@marketconnectnospam.nl> schreef in bericht
>> >> news:uHoaiyfpEHA.800@TK2MSFTNGP14.phx.gbl...
>> >> >
>> >> > I went over our logs for the last 1.5 year. Outside our office hours
>> >> > our network activity is 0.0. I checked netstat -na and found that our
>> >> > external interface isn't listening at the ports mentioned by GRC.
>> >> > I have a guess why these other ports show up at the GRC site and have
>> >> > to check. Other than not being able to start Regedit, other symptoms
>> >> > have not been observed over this period. It was detected due to a
>> >> > performance problem after adding SQL to this box.
>> >> >
>> >> > As you said, ISA probably saved the day after an exploitation of a
>> >> > W2K (sasser) or IE vulnerability.
>> >> >
>> >> > TIA,
>> >> >
>> >> > Fred
>> >> >
>> >> > "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
>> >> > news:O$Xb2$UpEHA.3196@tk2msftngp13.phx.gbl...
>> >> > > Marina, FTP was the result not the cause (that's my read anyway).
>> >> > >
>> >> > > Fred, many would suggest the box has been compromised beyond a
>> >> > > tolerable level, it's time to flatten it and start again. I'd sortta
>> >> > > agree with them.
>> >> > >
>> >> > > I wonder if ISA actually saved the day. If you were infected by
>> >> > > accidentally visiting a site and the trojan was loaded via an IE
>> >> > > vulnerability it _MAY_ be that that is as far as the infection went.
>> >> > > It will be interesting to see what difference in your internet usage
>> >> > > occurs before/during infection and since cleaning.
>> >> > >
>> >> > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote
> in
>> >> > message
>> >> > > news:%238gxIoUpEHA.516@TK2MSFTNGP09.phx.gbl...
>> >> > > > Hi Fred,
>> >> > > >
>> >> > > > FTP FTP FTP.
>> >> > > >
>> >> > > > You did it to yourself by having FTP server on your SBS box
>> >> > > > without the least security. Did you have port 21 open on your
>> >> > > > server? Which other ports?
>> >> > > >
>> >> > > > --
>> >> > > > Regards,
>> >> > > >
>> >> > > > Marina
>> >> > > > Microsoft SBS-MVP
>> >> > > >
>> >> > > > "Fred Blum" <h.f.blum@marketconnectnospam.nl> schreef in bericht
>> >> > > > news:uc4DbKUpEHA.1164@TK2MSFTNGP10.phx.gbl...
>> >> > > >>
>> >> > > >> We found two ServU-deamon trojans on our SBS server. This type
>> >> > > >> of trojan is NOT detected by default by McAfee VirusScan 4.5 or V7.
>> >> > > >>
>> >> > > >> Go to http://vil.nai.com/vil/content/v_125021.htm for information
>> >> > > >> on how to configure V7 to detect this type of program. With 4.5
>> >> > > >> run the command line scanner with the /PROGRAM switch.
>> >> > > >> 1. Click the START button
>> >> > > >> 2. Click RUN
>> >> > > >> 3. Type COMMAND and hit ENTER
>> >> > > >> 4. Type:
>> >> > > >>
>> >> > > >> c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub
>> >> > > >>
>> >> > > >> and hit ENTER.
>> >> > > >> The first one was picked up while not yet running as svchost.exe
>> >> > > >> in the directory C:\winnt\system32\spool\nt\svchost.exe by our
>> >> > > >> scanner. Running a full scan we found regedit.exe in the system32
>> >> > > >> directory. This instance was started as a service in the registry.
>> >> > > >> As a symptom regedit would not start.
>> >> > > >> This problem occurred about half a year ago. So for half a year we
>> >> > > >> have been running a FTP server on our server.
>> >> > > >>
>> >> > > >> The question is how we became infected? And what damage can they
>> >> > > >> do running a FTP server on our SBS box?
>> >> > > >> The regedit.exe infection occurred around the time the sasser
>> >> > > >> patch came available. According to the MS site our server was
>> >> > > >> infected. Our virus scan software didn't pick up this infection
>> >> > > >> although the DAT file included the description for sasser. So
>> >> > > >> during the time of sasser and the patch coming available we could
>> >> > > >> have been infected.
>> >> > > >> How did svchost.exe infect our system? We are fully patched and
>> >> > > >> our virus scanner is up to date. The FTP trojan could be the
>> >> > > >> cause. But what would be the point in loading two FTP trojans?
>> >> > > >> According to our System Integrator visiting a website with IE on
>> >> > > >> this server could be a cause as well. IE is only used as an
>> >> > > >> exception while visiting the Microsoft site to look up the
>> >> > > >> techdocs. On that day I made a typo and ended up at the
>> >> > > >> www.micorsoft.com website. IE is patched as well to the latest
>> >> > > >> level.
>> >> > > >> ISA, SQL and Exchange are patched to the latest level. I'm
>> >> > > >> worried that ISA is not doing a sufficient job. Is there a best
>> >> > > >> practice tool for ISA? Or a document on what ports need to be
>> >> > > >> opened and for what reason? How can specific ports be made
>> >> > > >> Stealth?
>> >> > > >>
>> >> > > >> TIA,
>> >> > > >>
>> >> > > >> Regards,
>> >> > > >>
>> >> > > >> Fred
>> >> > > >>
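Fred asks how to tell normal from abnormal entries in netstat, and SuperGumby cautions that netstat alone is not conclusive. As an added example, not code from anyone in the thread, this Python script parses Windows `netstat -na` rows against an allowlist of the services the server is meant to publish and an assumed LAN range, and flags the rest; the external address, the allowlist, the LAN range and the sample rows are assumptions constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple

# Constructed sample of Windows `netstat -na` rows; 203.0.113.10 and
# 198.51.100.77 are documentation addresses chosen for this example.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    203.0.113.10:23243     198.51.100.77:7654     ESTABLISHED
  TCP    192.168.16.2:3389      192.168.16.50:1054     ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""
EXTERNAL_IP = "203.0.113.10"                           # assumed external adapter
EXPECTED_EXTERNAL_TCP = {25, 80, 443}                  # assumed published services
INTERNAL_NETS = [ipaddress.ip_network("192.168.16.0/24")]  # assumed LAN range

class Entry(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str

def parse_netstat(text: str) -> List[Entry]:
    """Parse Windows `netstat -na` rows (IPv4) into Entry records."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)        # UDP rows show '*:*' here
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        entries.append(Entry(parts[0], lip, int(lport), rip,
                             0 if rport == "*" else int(rport), state))
    return entries

def unexpected_listeners(entries: List[Entry]) -> List[Entry]:
    """TCP listeners reachable from outside that are not on the allowlist."""
    return [e for e in entries if e.state == "LISTENING"
            and e.local_ip in ("0.0.0.0", EXTERNAL_IP)
            and e.local_port not in EXPECTED_EXTERNAL_TCP]

def external_connections(entries: List[Entry]) -> List[Entry]:
    """Established connections on the external adapter to hosts outside the LAN."""
    return [e for e in entries if e.state == "ESTABLISHED"
            and e.local_ip == EXTERNAL_IP
            and not any(ipaddress.ip_address(e.remote_ip) in n for n in INTERNAL_NETS)]
```

On a live box the captured output of `netstat -na` is fed in instead of the constructed sample. A clean result still says nothing about a process that hijacks an expected port such as TCP 25, which is SuperGumby's point.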


