Re: ServU-deamon trojan warning with McAfee

From: Marina Roos [SBS-MVP] (marina_at_roos.nodontwantspam.nl.com)
Date: 10/01/04


Date: Fri, 1 Oct 2004 12:05:36 +0200

Hi Fred,

So sorry to hear about that. Unfortunately there is no way of telling what
has been compromised and what not. They might know everything and have built
backdoors. Don't spend your valuable time trying to figure it out.
Start from scratch, use 2 NICs and install ISA. Use a router and only
forward ports to your external NIC that are needed for email, OWA, VPN and
TS. Make sure the box and the clients are fully patched and keep up with the
security bulletins. Check www.smallbizserver.net for tips and tricks and
service packs and so on.

-- 
Regards,
Marina
Microsoft SBS-MVP
"Fred Blum" <h.f.blum@nounsollicitedemail.nemad.nl> wrote in message
news:%23$rrSQ5pEHA.1960@TK2MSFTNGP10.phx.gbl...
>
> You're absolutely right, and I bow to that. I've found my box to be owned, a
> webserver hidden in a recycler folder. I'm the eMule.
>
> But this eMule needs to know how and what they did, in order to prevent
> making the same mistake twice. Furthermore, how far does the damage extend? Does
> it affect our local LAN, Active Directory, do they know our passwords and
> logon IDs? Should our file server, a BDC, be rebuilt as well?
>
> We followed in the past the ICW to connect to the internet via a dial-up
> connection. We only clicked what we needed, being SMTP. When we went to an
> ADSL connection we called in the pros to make ISA safe. They configured
> policies, routes and packet filters. According to them ISA was safe.
>
> I'm not sure about how, but now know what to look for. I can recommend to
> everybody the webmonitor by AAtools. It will give you a Windows-based
> interface to all your connections with ports, protocol, PIDs, processes and
> directories. That's how I found their webserver. Stinger, McAfee 4.5 and
> V7, Spysweeper and IFS internet scan did not find it in the past! This
> program has a port scanner, proxy analyser, whois, trace route, etc.
>
> I will take this opportunity to add a RAID controller to our server and do a
> rebuild. I will start a new thread on a road map for that.
>
> Thanks,
>
> Fred
>
>
> "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
> news:OFGJxMjpEHA.3424@TK2MSFTNGP11.phx.gbl...
> > NO, the problem goes further than that.
> >
> > 'Nothing other then finding a FTP trojan on my system has occured.' can be
> > elsewise read as 'someone installed a program on my system without my
> > knowledge'. My question is whether something you have not yet detected is on
> > the system.
> >
> > Your ISA, according to the port report you posted, is letting through a lot
> > of unexpected things. If neither your system integrator nor you can explain
> > why then a third party is responsible.
> >
> > I'm not 'chicken little'. I ignore a lot of posts in this group where
> > someone asks 'what is this traffic'. I've even suggested Susan sometimes
> > behaves in an 'alarmist' manner. I'm also surprised Susan isn't on a plane
> > with her 2*4 heading your way. (and from all accounts this would compound
> > your problems :)
> >
> > I WILL scream 'hell and high water', because in my belief either you, your
> > integrator, or a third party is responsible for this.
> >
> > "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> > news:eGynR$ipEHA.4008@TK2MSFTNGP14.phx.gbl...
> > >
> > > Before having a panic attack and screaming hell and fire, I want to know
> > > where I stand. Working with Microsoft has never been safe. It's a matter of
> > > functionality over security and stability. Nothing other than finding an FTP
> > > trojan on my system has occurred. FTP protocol has always been blocked. So
> > > this program could have never been used. My logs and my ISP's logs don't
> > > suggest our server has been misused, because there isn't any traffic to show
> > > for.
> > >
> > > These ports showing can also be caused by an issue having to do with our
> > > ISP's provided and managed router. Therefore I need to know what I see in
> > > Netstat.
> > >
> > > Fred
> > >
> > > "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
> > > news:OlKnOripEHA.2032@TK2MSFTNGP10.phx.gbl...
> > >> and it's quite easy to set a scheduled task to copy the ISA logs, which
> > >> normally get deleted after *so many* days, to a location where you can
> > >> retain them.
> > >>
> > >> Fred, we could discuss how to analyse this and how to do that to our heart's
> > >> content, but is it worthwhile?
> > >>
> > >> We're now discussing 'forensic research', finding out what happened and why.
> > >> If this is important to you you should probably look for a newsgroup called
> > >> my.god.I've.been.hacked.and.wanna.know.how.
> > >>
> > >> I appreciate that there is a reasonable desire to find out how and why and I
> > >> recognise that others having experienced a similar problem would be
> > >> interested, but IMHO this is a task which takes 'hands on' and many hours, I
> > >> don't think I'm able to analyse it remotely.
> > >>
> > >> IMHO, again, you _may_ (because something I realised while thinking about
> > >> things is that you may have legitimate cause to open ALL those ports, except
> > >> maybe the internet blackjack :) have a compromised system, based on data I
> > >> have available. This PLAIN and SIMPLE shouldn't happen in an ISA controlled
> > >> IP space.
> > >>
> > >> A NETSTAT can reveal some information, but it shouldn't be considered
> > >> conclusive. What happens if my system has been compromised by a trojan which
> > >> replaces the Exch SMTP server with its own version? My system is listening
> > >> on IP.TCP:25 and I expect it to. Does it matter that something else is
> > >> listening on that port and passes 'normal' traffic to my SMTP but also
> > >> interprets anything sent with a start sequence of ***,&&&,))) as a command
> > >> which should be handled by the trojan rather than passed to the intercepted
> > >> SMTP engine?
> > >>
> > >> A clean config SBS, particularly if ISA is involved, performed properly,
> > >> should not suffer the symptoms you have.
> > >>
> > >> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> > >> news:usfOOOipEHA.3668@TK2MSFTNGP15.phx.gbl...
> > >> >
> > >> > In the past we had a problem with an employee accessing sites that are not
> > >> > "professional" ;-) So we now have to keep our logs.
> > >> >
> > >> > W2K SP4, ExcSP3, ISA SP2, SQLSP3 are applied.
> > >> >
> > >> > How can I use Netstat to see what's going on? I have on my external adapter
> > >> > only needed TCP ports listening. In netstat I see UDP ports on 0.0.0.0
> > >> > listening. New ports are opened and closed all the time in the higher
> > >> > regions. Mostly for proxy server accessing sites. Now and again ports are
> > >> > connected for longer periods. For example the Taiwan Academic Network had a
> > >> > connection established on port 23243 external port 7654. As I can't see a
> > >> > reason for that, I created a site and protocol rule for their IP range.
> > >> >
> > >> > How can I monitor what is happening via a port? Can the new netstat with -o
> > >> > function be used on W2K? Can connections be disconnected?
> > >> >
> > >> > This is new to me and disturbing because I can't distinguish between normal
> > >> > and abnormal behaviour, nor can I judge the potential dangers. We always
> > >> > outsourced the security part. Now I feel I have to catch up quick. Any good
> > >> > reading suggestions?
> > >> >
> > >> > TIA,
> > >> >
> > >> > Fred
> > >> >
> > >> >
> > >> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> > >> > news:%23grFnHhpEHA.3300@TK2MSFTNGP12.phx.gbl...
> > >> >> Hi Fred,
> > >> >>
> > >> >> Logs for 1.5 years? Where do you keep them?
> > >> >> Are you able to use regedit now or reg32?
> > >> >>
> > >> >> Please let us know what you find out. You did apply the hotfixes for SQL
> > >> >> after installing SQL right (Slammer)?
> > >> >>
> > >> >> -- 
> > >> >> Regards,
> > >> >>
> > >> >> Marina
> > >> >> Microsoft SBS-MVP
> > >> >>
> > >> >> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> > >> >> news:uHoaiyfpEHA.800@TK2MSFTNGP14.phx.gbl...
> > >> >> >
> > >> >> > I went over our logs for the last 1.5 years. Outside our office hours our
> > >> >> > network activity is 0.0. I checked netstat -na and found that our external
> > >> >> > interface isn't listening at the ports mentioned by GRC.
> > >> >> > I have a guess why these other ports show up at the GRC site and have to
> > >> >> > check. Other than not being able to start Regedit, other symptoms have not
> > >> >> > been observed over this period. It was detected due to a performance problem
> > >> >> > after adding SQL to this box.
> > >> >> >
> > >> >> > As you said, ISA probably saved the day after an exploitation of a W2K
> > >> >> > (sasser) or IE vulnerability.
> > >> >> >
> > >> >> > TIA,
> > >> >> >
> > >> >> > Fred
> > >> >> >
> > >> >> > "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
> > >> >> > news:O$Xb2$UpEHA.3196@tk2msftngp13.phx.gbl...
> > >> >> > > Marina, FTP was the result not the cause (that's my read anyway).
> > >> >> > >
> > >> >> > > Fred, many would suggest the box has been compromised beyond a tolerable
> > >> >> > > level, it's time to flatten it and start again. I'd sortta agree with them.
> > >> >> > >
> > >> >> > > I wonder if ISA actually saved the day. If you were infected by accidentally
> > >> >> > > visiting a site and the trojan was loaded via an IE vulnerability it _MAY_
> > >> >> > > be that that is as far as the infection went. It will be interesting to see
> > >> >> > > what difference in your internet usage occurs before/during infection and
> > >> >> > > since cleaning.
> > >> >> > >
> > >> >> > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> > >> >> > > news:%238gxIoUpEHA.516@TK2MSFTNGP09.phx.gbl...
> > >> >> > > > Hi Fred,
> > >> >> > > >
> > >> >> > > > FTP FTP FTP.
> > >> >> > > >
> > >> >> > > > You did it to yourself by having an FTP server on your SBS box without
> > >> >> > > > the least security. Did you have port 21 open on your server? Which other
> > >> >> > > > ports?
> > >> >> > > >
> > >> >> > > > -- 
> > >> >> > > > Regards,
> > >> >> > > >
> > >> >> > > > Marina
> > >> >> > > > Microsoft SBS-MVP
> > >> >> > > >
> > >> >> > > > "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> > >> >> > > > news:uc4DbKUpEHA.1164@TK2MSFTNGP10.phx.gbl...
> > >> >> > > >>
> > >> >> > > >> We found two ServU-deamon trojans on our SBS server. This type of trojan
> > >> >> > > >> is NOT detected as standard by McAfee VirusScan 4.5 or V7.
> > >> >> > > >>
> > >> >> > > >> Go to http://vil.nai.com/vil/content/v_125021.htm for information on how
> > >> >> > > >> to configure V7 to detect this type of program. With 4.5 run the command
> > >> >> > > >> line scanner with the /PROGRAM switch.
> > >> >> > > >>   1. Click the START button
> > >> >> > > >>   2. Click RUN
> > >> >> > > >>   3. Type COMMAND and hit ENTER
> > >> >> > > >>   4. Type:
> > >> >> > > >>
> > >> >> > > >>   c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub
> > >> >> > > >>
> > >> >> > > >>   and hit ENTER.
> > >> >> > > >> The first one was picked up while not yet running as svchost.exe in the
> > >> >> > > >> directory C:\winnt\system32\spool\nt\svchost.exe by our scanner. Running a
> > >> >> > > >> full scan we found regedit.exe in the system32 directory. This instance was
> > >> >> > > >> started as a service in the registry. As a symptom regedit would not start.
> > >> >> > > >> This problem occurred about half a year ago. So since half a year we have
> > >> >> > > >> been running an FTP server on our server.
> > >> >> > > >>
> > >> >> > > >> The question is how we became infected? And what damage can they do running
> > >> >> > > >> an FTP server on our SBS box?
> > >> >> > > >> The regedit.exe infection occurred around the time the sasser patch came
> > >> >> > > >> available. According to the MS site our server was infected. Our virus scan
> > >> >> > > >> software didn't pick up this infection although the DAT file included the
> > >> >> > > >> description for sasser. So during the time of sasser and the patch coming
> > >> >> > > >> available we could have been infected.
> > >> >> > > >> How did svchost.exe infect our system? We are fully patched and our
> > >> >> > > >> virusscanner is up to date. The FTP trojan could be the cause. But what would
> > >> >> > > >> be the point in loading two FTP trojans? According to our System Integrator
> > >> >> > > >> visiting a website with IE on this server could be a cause as well. IE is only
> > >> >> > > >> used as an exception while visiting the microsoft site to look up the
> > >> >> > > >> techdocs. On that day I made a typo and ended up at the www.micorsoft.com
> > >> >> > > >> website. IE is patched as well to the latest level.
> > >> >> > > >> ISA, SQL and Exchange are patched to the latest level. I'm worried that ISA
> > >> >> > > >> is not doing a sufficient job. Is there a best practice tool for ISA? Or a
> > >> >> > > >> document what ports need to be opened and for what reason? How can specific
> > >> >> > > >> ports be made Stealth?
> > >> >> > > >>
> > >> >> > > >> TIA,
> > >> >> > > >>
> > >> >> > > >> Regards,
> > >> >> > > >>
> > >> >> > > >> Fred
> > >> >> > > >>
> > >> >> > > >
> > >> >> > > >
> > >> >> > >
> > >> >> > >
> > >> >> >
> > >> >> >
> > >> >>
> > >> >>
> > >> >
> > >> >
> > >>
> > >>
> > >
> > >
> >
> >
>
>
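Fred asks how to read netstat output to tell normal from abnormal listeners and sessions, SuperGumby mentions the -o switch that shows the owning PID, and Marina's reply names the only services that should be reachable on the external NIC (email, OWA, VPN, TS). The script below is an added example written for this thread, not code posted by any of the participants or shipped with ISA or McAfee: it parses a `netstat -ano`-style listing and reports every externally reachable socket that is not on an allow-list, plus every established session on the external interface with its owning process. The listing, the PID-to-image map and the addresses (203.0.113.10 for the external NIC, 198.51.100.7 for the remote host) are constructed sample data, and the allow-list uses the standard port numbers for SMTP, HTTPS, PPTP and RDP, which is an assumption of the example.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Services that, per Marina's advice, should be reachable on the external NIC:
# SMTP (email), HTTPS (OWA), PPTP (VPN) and RDP (Terminal Services).
# The port numbers are the standard ones; that mapping is an assumption here.
ALLOWED_EXTERNAL = {("TCP", 25): "SMTP", ("TCP", 443): "OWA/HTTPS",
                    ("TCP", 1723): "PPTP VPN", ("TCP", 3389): "Terminal Services"}

EXTERNAL_IP = "203.0.113.10"   # constructed address of the external NIC

# Constructed sample of `netstat -ano` output; the last column is the owning PID.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1572
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1960
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       860
  TCP    203.0.113.10:21        0.0.0.0:0              LISTENING       2244
  TCP    203.0.113.10:23243     198.51.100.7:7654      ESTABLISHED     2244
  TCP    192.168.16.2:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:1434           *:*                                    1960
"""

# Constructed PID -> image name map, as `tasklist` would print it.
SAMPLE_PIDS = {1572: "inetinfo.exe", 1204: "inetinfo.exe", 1960: "sqlservr.exe",
               860: "svchost.exe", 2244: "svchost.exe", 4: "System"}

# Proto, local ip:port, foreign ip:port, optional state (UDP rows have none), PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)$")


def parse_netstat(text):
    """Return one Conn per TCP/UDP row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        proto, lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip, rport, state or "", int(pid)))
    return conns


def audit(conns, external_ip, allowed, pid_map):
    """Split the listing into:
    - unexpected_listeners: sockets reachable on the external NIC (bound to it
      or to 0.0.0.0, i.e. all interfaces) whose proto/port is not allow-listed;
    - external_sessions: established TCP sessions on the external NIC, so the
      process behind each long-lived foreign connection can be checked."""
    unexpected, sessions = [], []
    for c in conns:
        name = pid_map.get(c.pid, "pid %d" % c.pid)
        external_facing = c.local_ip in (external_ip, "0.0.0.0")
        listening = c.state == "LISTENING" or c.proto == "UDP"
        if listening and external_facing and (c.proto, c.local_port) not in allowed:
            unexpected.append((c.proto, c.local_port, name))
        elif c.state == "ESTABLISHED" and c.local_ip == external_ip:
            sessions.append((c.local_port, c.remote_ip, c.remote_port, name))
    return {"unexpected_listeners": sorted(unexpected),
            "external_sessions": sorted(sessions)}


if __name__ == "__main__":
    report = audit(parse_netstat(SAMPLE_NETSTAT), EXTERNAL_IP, ALLOWED_EXTERNAL, SAMPLE_PIDS)
    for proto, port, name in report["unexpected_listeners"]:
        print("unexpected listener %s/%d owned by %s" % (proto, port, name))
    for lport, rip, rport, name in report["external_sessions"]:
        print("session %s:%d -> %s:%s owned by %s" % (EXTERNAL_IP, lport, rip, rport, name))
```

On the constructed sample this flags the SQL Server listeners on all interfaces (TCP 1433 and UDP 1434, the Slammer port Marina asks about), an FTP listener on the external address owned by an svchost.exe, and one established session from that same process to a foreign host on port 7654. A socket bound to 0.0.0.0 is reachable on every interface unless something in front of it filters the traffic, which is why the audit treats it as external-facing; as SuperGumby notes, a listing like this is a starting point for questions to the owning process, not proof that a box is clean.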
