Re: Server Hacked Serv-U hidden files
From: Dub (dub_at_exchange.com)
Date: 03/09/04
- Next message: Jamie Childs: "Server Response Time very very slow"
- Previous message: Josh: "Need help using backup"
- In reply to: Bloke at the pennine puddle (Replace n.a.v.d with vodafone.net.): "Re: Server Hacked Serv-U hidden files"
- Next in thread: Sharad Naik: "Re: Server Hacked Serv-U hidden files"
- Reply: Sharad Naik: "Re: Server Hacked Serv-U hidden files"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 9 Mar 2004 11:12:00 +1100
Thanks for the feedback.
For the interest of others: the server sits in a co-location datacentre.
Unfortunately the server runs with only limited firewall (hardware) directly
to the internet.
It runs MS ftp services directly to the internet, and I notice loads of
attempted hacks to that service.
I really am not sure how they got in. I had the impression that a fully
patched server would offer some protections. 1 Thing here was that the
server had a default install of Windows 2000 followed by an upgrade to 2003.
(this is mostly due to the fact that I do not have physical access to the
system).
I did subsequently go in and close many security services like SMTP relay
etc. But I must have missed something.
I do know that some script kiddies are responsible for the hack. 2 servers in
the same centre were hacked on the same day. Only the one with the big hard disk
was used to FTP WAREZ.
The hacks both followed similar processes.
However they got in, they were able to create 2 instances of remote admin
programs. (Full access).
In both cases they created a new administrator account on the servers.
They ran some scripts in a directory c:\winnt\system32\setup\..temp
(hidden directory)
These tools reported to a text file many things like hard disk space etc.
They then set up the serv-u daemon (and I still have not found the service
that starts this application!) Very well hidden, and it auto restarts when
stopped.
They initially uploaded to the directory above but when I started removing
the files, they subsequently have hidden them much better. I still cannot
find the files. I have looked as best I know how with ADS command tools.
But... they are better than me.
I did manage to work out who they were: a German Warez hack group, and I have
contacted them directly via ICQ. While they denied knowledge etc., the
uploading has stopped since then. Wish I could have 5 minutes tune-up time
in a cell with them!
So I suspect I will do a few things.
1. Hardware Fire Wall.
2. Reinstall (what a pain!)
3. Work out how to detect and remove their files for future hacks.
There are still a number of unanswered questions.
1. How did they get in?
2. How the hell do I find their files? I have spent days on this and nup,
cannot find them (see original post).
3. What hardware slim-line rack-mount remote-controllable firewall is best
bang for buck?
"Bloke at the pennine puddle (Replace n.a.v.d with vodafone.net.)"
<news006ddes@n.a.v.d> wrote in message
news:49cn40dgr2jnj9m5pbt38riublrf2ifdsk@4ax.com...
> Consider this if you don't want to wipe the lot. I'll give you
> pointers as there is way too much to explain here.
>
> First and most important. Take the computer off the Internet and get
> a firewall. A hardware firewall. Maybe a router but don't have any
> inbound ports opened.
>
> Take a note of all the services running and disable as many as you can
> that will allow the server to re-start and check the registry to make
> sure that unnecessary programs are not automatically starting at log-on
> or as a user service.
>
> Perform an in-place upgrade. Why? If the hacker has altered any
> system files to make sure his/her code starts, it'll be replaced with
> an original from the CD.
>
> If you did the above right then what you should have is a clean
> booting operating system that is still configured with a minimal
> amount of critical services operating.
>
> Something also to look out for is if the hacker has installed any
> unwanted extra VxD's and the like. You may need to hack out any
> suspect VxD's out of the registry before the in-place upgrade. IF you
> have any specialist hardware in the machine, unplug it all. Consider
> re-installing third-party device drivers before re-plugging the
> related hardware, just in-case malicious code is tacked onto device
> drivers.
>
> Should you manage to do all that, perform the in-place upgrade,
> reconnect the server to the Internet through a very restrictive
> firewall appliance and run through Windows Update then you should
> have a clean booting operating system, but the hacker's files will
> still be there and will need to be found and removed.
>
> Another thing to check (out of many) within IIS on Windows 2003 and
> that's the ISAPI filters to make sure there is nothing untoward as
> well as within Internet Explorer's Objects folder, etc....
>
> ... or the simplest is to follow Jupiter Jones's suggestion.
>
> To recover a server from a hack is no simple task. I should know.
> I've done it three times now and have successfully beaten the hacker,
> and nicked the hacker's tools to boot.
>
> I'm curious. How did the hacker compromise your system? Would this
> be through a fault with the U-serv daemon?
>
> Our system where I work operates a Microsoft FTP server, but the
> firewall acts as a proxy. The Internet user never talks directly to
> the actual FTP server. Actually, the user/machine connecting to the
> FTP service does not even have a clue what type of FTP service is
> being used.
>
> Really, you should not have any such services open directly to the
> public. Have a secure proxy talk to the real server on the user's
> behalf. If it's a dedicated firewall appliance then all the better.
>
> "Dub" <dub@exchange.com> wrote:
> >I have a server that has been hacked with a serv-u daemon.
> >
> >This is not the standard hack, which is usually easy to find and remove.
> >
> >The server is a Windows 2003 server and the hack gained admin control for a
> >time over the server.
> >
> >My biggest problem at the moment is locating the hidden files uploaded.
> >Initially there were files located in a hidden directory:
> >c:\winnt\system32\setup\..temp\remote
> >
> >Using LanFind I was able to search for hidden files and remove them. However
> >the hack was then reinstated and much better hidden.
> >
> >If I did a defrag, I see all sorts of files being organised that I cannot
> >find with LANfind. Or any other search tool used so far.
> >
> >I have done some research on ADS, and suspect that the files are in an ADS.
> >Only problem is that the command line tools I have used thus far do not make
> >it easy to locate the exact offending file.
> >
> >Does anyone know if any good tools to discover these hidden files?
> >
>
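As an added example for the detection problem in this thread (a hidden directory, files tucked into NTFS alternate data streams, and an auto-starting daemon whose service could not be located), not code from the thread or either poster: a PowerShell sweep that reports ADS, hidden or oddly named items, and auto-start entries. It assumes PowerShell 3 or later on Windows, an elevated session, and the scan root and report path shown as defaults, all of which are assumptions.

```powershell
# Added example, not from the thread: sweep a tree for alternate data
# streams, hidden or oddly named items, and auto-start entries.
# Assumes PowerShell 3+ on Windows, run from an elevated prompt.
param(
    [string]$Root   = "$env:SystemRoot\System32",   # assumed scan root
    [string]$Report = "$env:TEMP\hidden-scan.txt"   # assumed output path
)
# 1. Alternate data streams: list every stream except the default ::$DATA.
$ads = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } | Select-Object FileName, Stream, Length

# 2. Hidden/system items that plain dir listings skip, plus names that
#    start with a dot (like the "..temp" directory in the thread) or end
#    in a dot or space, which many Windows tools cannot open or delete.
$hidden = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -or
        ($_.Attributes -band [IO.FileAttributes]::System) -or
        ($_.Name -match '^\.|[. ]$')
    } | Select-Object FullName, Attributes, LastWriteTime

# 3. Persistence: services whose binary lives outside the usual
#    directories (a hidden Serv-U-style daemon has to start from somewhere;
#    the path filter is a quick heuristic, tune it to your host), and
#    Run/RunOnce values.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch 'Windows|Program Files' } |
    Select-Object Name, State, StartMode, PathName

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            Select-Object @{n='Key';e={$k}}, Name, Value
    }
}

# Write one report for offline review; diff it against a known-good host.
@("== ADS ==",              ($ads    | Format-Table -AutoSize | Out-String),
  "== Hidden/odd names ==", ($hidden | Format-Table -AutoSize | Out-String),
  "== Services outside Windows/Program Files ==", ($svc | Format-Table -AutoSize | Out-String),
  "== Run keys ==",         ($run    | Format-Table -AutoSize | Out-String)) |
    Set-Content -LiteralPath $Report
Write-Host "Report written to $Report"
```

Items that show up in the ADS or odd-name sections but not in a listing taken from a clean build of the same OS are the ones to pull for analysis; a service that survives being stopped usually has a second entry in this list (another service or a Run value) that restarts it.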