Re: ServU-deamon trojan warning with McAfee


From: Fred Blum (h.f.blum_at_nounsollicitedemail.nemad.nl)
Date: 10/01/04


Date: Fri, 1 Oct 2004 10:53:04 +0200


You're absolutely right, and I bow to that. I've found my box to be owned, a
webserver hidden in a recycler folder. I'm the eMule.

But this eMule needs to know how and what they did, in order to prevent
making the same mistake twice. Furthermore, how far does the damage extend? Does
it affect our local LAN, Active Directory? Do they know our passwords and
logon IDs? Should our file server, a BDC, be rebuilt as well?

We followed in the past the ICW to connect to the internet via a dial-up
connection. We only clicked what we needed, being SMTP. When we went to an
ADSL connection we called in the pros to make ISA safe. They configured
policies, routes and packet filters. According to them ISA was safe.

I'm not sure about how, but I now know what to look for. I can recommend
to everybody the webmonitor by AAtools. It will give you a Windows-based
interface to all your connections with ports, protocol, PIDs, processes and
directories. That's how I found their webserver. Stinger, McAfee 4.5 and
V7, Spysweeper and IFS internet scan did not find it in the past! This
program has a port scanner, proxy analyser, whois, trace route, etc.

I will take this opportunity to add a RAID controller to our server and do a
rebuild. I will start a new thread on a road map for that.

Thanks,

Fred

"SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
news:OFGJxMjpEHA.3424@TK2MSFTNGP11.phx.gbl...
> NO, the problem goes further than that.
>
> 'Nothing other then finding a FTP trojan on my system has occured.' can be
> elsewise read as 'someone installed a program on my system without my
> knowledge'. My question is whether something you have not yet detected is
> on the system.
>
> Your ISA, according to the port report you posted, is letting through a
> lot of unexpected things. If neither your system integrator nor you can
> explain why then a third party is responsible.
>
> I'm not 'chicken little'. I ignore a lot of posts in this group where
> someone asks 'what is this traffic'. I've even suggested Susan sometimes
> behaves in an 'alarmist' manner. I'm also surprised Susan isn't on a plane
> with her 2*4 heading your way. (and from all accounts this would compound
> your problems :)
>
> I WILL scream 'hell and high water', because in my belief either you, your
> integrator, or a third party is responsible for this.
>
> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> news:eGynR$ipEHA.4008@TK2MSFTNGP14.phx.gbl...
> >
> > Before having a panic attack and screaming hell and fire, I want to know
> > where I stand. Working with Microsoft has never been safe. It's a matter
> > of functionality over security and stability. Nothing other than finding
> > an FTP trojan on my system has occurred. FTP protocol has always been
> > blocked. So this program could have never been used. My logs and my ISP's
> > logs don't suggest our server has been misused, because there isn't any
> > traffic to show for.
> >
> > These ports showing can also be caused by an issue having to do with our
> > ISP's provided and managed router. Therefore I need to know what I see in
> > Netstat.
> >
> > Fred
> >
> > "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
> > news:OlKnOripEHA.2032@TK2MSFTNGP10.phx.gbl...
> >> and it's quite easy to set a scheduled task to copy the ISA logs, which
> >> normally get deleted after *so many* days, to a location where you can
> >> retain them.
> >>
> >> Fred, we could discuss how to analyse this and how to do that to our
> >> heart's content, but is it worthwhile?
> >>
> >> We're now discussing 'forensic research', finding out what happened and
> >> why. If this is important to you, you should probably look for a
> >> newsgroup called my.god.I've.been.hacked.and.wanna.know.how.
> >>
> >> I appreciate that there is a reasonable desire to find out how and why
> >> and I recognise that others having experienced a similar problem would be
> >> interested, but IMHO this is a task which takes 'hands on' and many
> >> hours. I don't think I'm able to analyse it remotely.
> >>
> >> IMHO, again, you _may_ (because something I realised while thinking
> >> about things is that you may have legitimate cause to open ALL those
> >> ports, except maybe the internet blackjack :) have a compromised system,
> >> based on data I have available. This PLAIN and SIMPLE shouldn't happen in
> >> an ISA controlled IP space.
> >>
> >> A NETSTAT can reveal some information, but it shouldn't be considered
> >> conclusive. What happens if my system has been compromised by a trojan
> >> which replaces the Exch SMTP server with its own version? My system is
> >> listening on IP.TCP:25 and I expect it to. Does it matter that something
> >> else is listening on that port and passes 'normal' traffic to my SMTP but
> >> also interprets anything sent with a start sequence of ***,&&&,))) as a
> >> command which should be handled by the trojan rather than passed to the
> >> intercepted SMTP engine?
> >>
> >> A clean config SBS, particularly if ISA is involved, performed
> >> properly, should not suffer the symptoms you have.
> >>
> >> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> >> news:usfOOOipEHA.3668@TK2MSFTNGP15.phx.gbl...
> >> >
> >> > In the past we had a problem with an employee accessing sites that
> >> > are not "professional" ;-) So we now have to keep our logs.
> >> >
> >> > W2K SP4, Exch SP3, ISA SP2, SQL SP3 are applied.
> >> >
> >> > How can I use Netstat to see what's going on? I have on my external
> >> > adapter only needed TCP ports listening. In netstat I see UDP ports on
> >> > 0.0.0.0 listening. New ports are opened and closed all the time in the
> >> > higher regions. Mostly for proxy server accessing sites. Now and again
> >> > ports are connected for longer periods. For example the Taiwan Academic
> >> > Network had a connection established on port 23243 external port 7654.
> >> > As I can't see a reason for that, I created a site and protocol rule
> >> > for their IP range.
> >> >
> >> > How can I monitor what is happening via a port? Can the new netstat
> >> > with -o function be used on W2K? Can connections be disconnected?
> >> >
> >> > This is new to me and disturbing because I can't distinguish between
> >> > normal and abnormal behaviour, nor can I judge the potential dangers.
> >> > We always outsourced the security part. Now I feel I have to catch up
> >> > quick. Any good reading suggestions?
> >> >
> >> > TIA,
> >> >
> >> > Fred
> >> >
> >> >
> >> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
> >> > message news:%23grFnHhpEHA.3300@TK2MSFTNGP12.phx.gbl...
> >> >> Hi Fred,
> >> >>
> >> >> Logs for 1.5 years? Where do you keep them?
> >> >> Are you able to use regedit now or reg32?
> >> >>
> >> >> Please let us know what you find out. You did apply the hotfixes for
> >> >> SQL after installing SQL, right (Slammer)?
> >> >>
> >> >> --
> >> >> Regards,
> >> >>
> >> >> Marina
> >> >> Microsoft SBS-MVP
> >> >>
> >> >> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> >> >> news:uHoaiyfpEHA.800@TK2MSFTNGP14.phx.gbl...
> >> >> >
> >> >> > I went over our logs for the last 1.5 years. Outside our office
> >> >> > hours our network activity is 0.0. I checked netstat -na and found
> >> >> > that our external interface isn't listening at the ports mentioned
> >> >> > by GRC. I have a guess why these other ports show up at the GRC site
> >> >> > and have to check. Other than not being able to start Regedit, other
> >> >> > symptoms have not been observed over this period. It was detected
> >> >> > due to a performance problem after adding SQL to this box.
> >> >> >
> >> >> > As you said, ISA probably saved the day after an exploitation of a
> >> >> > W2K (sasser) or IE vulnerability.
> >> >> >
> >> >> > TIA,
> >> >> >
> >> >> > Fred
> >> >> >
> >> >> > "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
> >> >> > news:O$Xb2$UpEHA.3196@tk2msftngp13.phx.gbl...
> >> >> > > Marina, FTP was the result not the cause (that's my read
> >> >> > > anyway).
> >> >> > >
> >> >> > > Fred, many would suggest the box has been compromised beyond a
> >> >> > > tolerable level, it's time to flatten it and start again. I'd
> >> >> > > sortta agree with them.
> >> >> > >
> >> >> > > I wonder if ISA actually saved the day. If you were infected by
> >> >> > > accidentally visiting a site and the trojan was loaded via an IE
> >> >> > > vulnerability it _MAY_ be that that is as far as the infection
> >> >> > > went. It will be interesting to see what difference in your
> >> >> > > internet usage occurs before/during infection and since cleaning.
> >> >> > >
> >> >> > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com>
> >> >> > > wrote in message
> >> >> > > news:%238gxIoUpEHA.516@TK2MSFTNGP09.phx.gbl...
> >> >> > > > Hi Fred,
> >> >> > > >
> >> >> > > > FTP FTP FTP.
> >> >> > > >
> >> >> > > > You did it to yourself by having an FTP server on your SBS box
> >> >> > > > without the least security. Did you have port 21 open on your
> >> >> > > > server? Which other ports?
> >> >> > > >
> >> >> > > > --
> >> >> > > > Regards,
> >> >> > > >
> >> >> > > > Marina
> >> >> > > > Microsoft SBS-MVP
> >> >> > > >
> >> >> > > > "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in
> >> >> > > > message news:uc4DbKUpEHA.1164@TK2MSFTNGP10.phx.gbl...
> >> >> > > >>
> >> >> > > >> We found two ServU-deamon trojans on our SBS server. This type
> >> >> > > >> of trojan is NOT standard detected by McAfee VirusScan 4.5 or
> >> >> > > >> V7.
> >> >> > > >>
> >> >> > > >> Go to http://vil.nai.com/vil/content/v_125021.htm for
> >> >> > > >> information on how to configure V7 to detect this type of
> >> >> > > >> program. With 4.5 run the command line scanner with the
> >> >> > > >> /PROGRAM switch.
> >> >> > > >> 1.. Click the START button
> >> >> > > >> 2.. Click RUN
> >> >> > > >> 3.. Type COMMAND and hit ENTER
> >> >> > > >> 4.. Type:
> >> >> > > >>
> >> >> > > >> c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub
> >> >> > > >>
> >> >> > > >> and hit ENTER.
> >> >> > > >> The first one was picked up, while not yet running, as
> >> >> > > >> svchost.exe in the directory
> >> >> > > >> C:\winnt\system32\spool\nt\svchost.exe by our scanner. Running
> >> >> > > >> a full scan we found regedit.exe in the system32 directory.
> >> >> > > >> This instance was started as a service in the registry. As a
> >> >> > > >> symptom regedit would not start. This problem occurred about
> >> >> > > >> half a year ago. So for half a year we have been running an FTP
> >> >> > > >> server on our server.
> >> >> > > >>
> >> >> > > >> The question is how we became infected? And what damage can
> >> >> > > >> they do running an FTP server on our SBS box?
> >> >> > > >> The regedit.exe infection occurred around the time the sasser
> >> >> > > >> patch became available. According to the MS site our server
> >> >> > > >> was infected. Our virus scan software didn't pick up this
> >> >> > > >> infection although the DAT file included the description for
> >> >> > > >> sasser. So during the time of sasser and the patch becoming
> >> >> > > >> available we could have been infected.
> >> >> > > >> How did svchost.exe infect our system? We are fully patched and
> >> >> > > >> our virus scanner is up to date. The FTP trojan could be the
> >> >> > > >> cause. But what would be the point in loading two FTP trojans?
> >> >> > > >> According to our System Integrator visiting a website with IE
> >> >> > > >> on this server could be a cause as well. IE is only used as an
> >> >> > > >> exception while visiting the Microsoft site to look up the
> >> >> > > >> techdocs. On that day I made a typo and ended up at the
> >> >> > > >> www.micorsoft.com website. IE is patched as well to the latest
> >> >> > > >> level.
> >> >> > > >> ISA, SQL and Exchange are patched to the latest level. I'm
> >> >> > > >> worried that ISA is not doing a sufficient job. Is there a best
> >> >> > > >> practice tool for ISA? Or a document what ports need to be
> >> >> > > >> opened and for what reason? How can specific ports be made
> >> >> > > >> Stealth?
> >> >> > > >>
> >> >> > > >> TIA,
> >> >> > > >>
> >> >> > > >> Regards,
> >> >> > > >>
> >> >> > > >> Fred
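The netstat triage the thread keeps circling back to (which ports are listening, which long-lived sessions like the one to external port 7654 deserve a look, and which PID owns each) can be scripted so the check is repeatable. This is an added example, not code from anyone in the thread; the `netstat -ano` text, the hosts, PIDs and the allowlist of expected listeners are all constructed for illustration.

```python
"""Triage helper for Windows `netstat -ano` output (added example, not from the thread)."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed sample resembling `netstat -ano` output; hosts, ports and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.10:23243       203.0.113.7:7654       ESTABLISHED     1532
  TCP    192.0.2.10:3118        198.51.100.20:80       ESTABLISHED     880
  UDP    0.0.0.0:137            *:*                                    4
"""

# proto, local addr:port, foreign addr:port, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse netstat -ano rows into Conn records; the header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            conns.append(Conn(proto, lip, int(lport), rip, rport, state or "", int(pid)))
    return conns


def triage(conns, expected_listeners, usual_remote_ports=("25", "80", "443")):
    """Flag listeners outside the allowlist and established sessions to unusual remote ports.

    expected_listeners is a set of (proto, port) pairs the host is meant to expose (an
    assumed allowlist). Each finding carries the PID so it can be matched to `tasklist`.
    """
    findings = []
    for c in conns:
        is_listener = c.state == "LISTENING" or (c.proto == "UDP" and c.remote_ip == "*")
        if is_listener and (c.proto, c.local_port) not in expected_listeners:
            findings.append(("unexpected-listener", c.proto, c.local_port, c.pid))
        elif c.state == "ESTABLISHED" and c.remote_port not in usual_remote_ports:
            findings.append(("odd-established", c.remote_ip, c.remote_port, c.pid))
    return findings


if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE), {("TCP", 25), ("TCP", 80), ("UDP", 137)}):
        print(f)
```

As SuperGumby notes, a host-local netstat is not conclusive on a box that may be owned, so compare its findings against the ISA logs and an external port scan rather than trusting it alone.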


