Unknown Network Attack

From: Jon Davis (jon_at_REMOVE.ME.jondavis.net)
Date: 10/12/04
Date: Tue, 12 Oct 2004 15:56:40 -0700

The other day, my Windows Server 2003 server, which was configured to host
DNS, FTP, HTTP, and dial-up, but was NOT behind a firewall, was attacked, in
a manner I do not understand, and I hope someone here could give me some
tips on restoration advice.

Everything was working perfectly the other day, and actually I was playing
Unreal Tournament 2004 on the server (hehe), when suddenly all Internet
traffic through the machine stopped. I couldn't access anything. However,
other computers accessing the Internet through the same DSL router worked
fine. I could Remote Desktop and access the web services on the server from
my laptop using the server's Internet IP address, but DNS (which was one of
the server's jobs) failed.

I opened Network Connections and right-clicked the Ethernet adapter icon and
chose "Repair". Repair failed, saying something about the arpa tables being
corrupted or unable to be reset or something.

I swapped network cards and the DNS and pings to the server simply wouldn't
work.

I restored the original network card and outsourced the DNS service to
another company. So now after a day wait, HTTP and e-mail are back up and
running. I enabled the Windows Firewall and poked holes for HTTP, FTP, and
E-mail.

But now when I try to test FTP from my laptop, it's very strange... I can get
on the FTP service just fine using Internet Explorer's FTP service, but when
using an FTP application that I wrote in C#, it times out while trying to
transfer data. I tried opening up port 22 (aren't FTP xfers done on 22? or
is it 20 and I was mistaken?) but that didn't help.

Now that SOME things are working again (everything but ping and DNS and FTP
using .NET sockets), I had to disable the Windows Firewall again to restore
the dial-up routing for Routing and Remote Access. But RRAS refused to start
because IC (Internet Connections) was enabled. No it wasn't ... I enabled
and then deleted IC, and then set up RRAS to work. The modem picks up again
as it should, but now it doesn't route anything. I can access the server
using Remote Desktop over the modem from home, but I can't get onto the
Internet. I've enabled Routing in the RRAS configuration. This was working
before, why is it not working now?

Does anyone know what kind of attack the original symptoms appear to be
from? By the way, please spare me the advice about the immorality of being
without a firewall. Obviously I made a mistake being so slutty. That's not
what I'm asking about. I just want to know what kind of attack this was, and
how I can restore things.

Thanks,
Jon
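The FTP symptom in the post (a browser session logs in and transfers, while a socket-level client logs in but stalls on the transfer once only the control port is open on the host firewall) is the classic signature of the FTP data channel being blocked, because active and passive mode open that second connection from opposite sides. The example below is added here and is not from the original post or from Jon's C# client; it parses a constructed 227 PASV reply, builds the PORT command an active-mode client would send, and checks whether a server-side firewall with a given set of open inbound port ranges would admit the resulting data connection. All addresses and ports are constructed sample values.

```python
import re

# Constructed sample reply from a server in passive mode (RFC 959 format).
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,195,80)."

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) the client must connect TO after a 227 reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a valid 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_cmd(client_ip, client_port):
    """Build the PORT command an active-mode client sends; the server then
    connects FROM its port 20 TO client_ip:client_port."""
    return "PORT %s,%d,%d\r\n" % (
        client_ip.replace(".", ","), client_port // 256, client_port % 256)


def data_connection(mode, server_ip, client_ip, pasv_reply=None, client_port=None):
    """Describe the TCP data connection as seen from the server's firewall."""
    if mode == "passive":
        host, port = parse_pasv(pasv_reply)
        return {"src": client_ip, "dst": host, "dst_port": port,
                "inbound_to_server": True}
    if mode == "active":
        return {"src": server_ip, "src_port": 20, "dst": client_ip,
                "dst_port": client_port, "inbound_to_server": False}
    raise ValueError("unknown mode: %r" % mode)


def allowed_by_server_firewall(conn, open_inbound_ranges, allow_outbound=True):
    """open_inbound_ranges: list of (low, high) inbound TCP ports the host
    firewall accepts. Opening only port 21 lets the control channel through
    but blocks every passive data connection, which lands on a high port."""
    if conn["inbound_to_server"]:
        return any(lo <= conn["dst_port"] <= hi for lo, hi in open_inbound_ranges)
    return allow_outbound
```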