Re: Unknown Network Attack
From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 10/13/04
- Next message: Trevor Thompson: "VPN Question"
- Previous message: Steven Umbach: "Re: Offline files"
- In reply to: Jon Davis: "Unknown Network Attack"
- Next in thread: Jon Davis: "Re: Unknown Network Attack"
- Reply: Jon Davis: "Re: Unknown Network Attack"
- Reply: Jon Davis: "Re: Unknown Network Attack"
- Reply: Jon Davis: "Re: Unknown Network Attack"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 13 Oct 2004 00:00:03 -0500
It is very hard to tell exactly what happened. Of course scans for malware and
parasites [ use something like AdAware SE ] may find out the problem, and/or
using tools like Autoruns, TCPView, and Process Explorer from SysInternals to
view startup programs, port-to-process mapping, and detailed examination of
processes running on your server to look for compromise. Trend Micro has a great
free stand-alone tool to scan for and remove many common malware. FTP uses tcp
ports 20 and 21, and FTP can be either active or passive, which may need different
firewall configurations for some firewalls. You may also have just experienced
winsock corruption from your description. Running the netdiag support tool may
confirm this as it does have a test for winsock. You may be able to fix your
problem by reinstalling tcp/ip and repairing winsock. --- Steve
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml -- SysInternals
tools.
http://www.trendmicro.com/download/dcs.asp -- SysClean
http://support.microsoft.com/kb/317518 -- reset tcp/ip Windows 2003 - non
domain controllers
http://support.microsoft.com/kb/811259 -- repair winsock W2003 and XP
"Jon Davis" <jon@REMOVE.ME.jondavis.net> wrote in message
news:ukvpj8KsEHA.220@TK2MSFTNGP15.phx.gbl...
> The other day, my Windows Server 2003 server, which was configured to host
> DNS, FTP, HTTP, and dial-up, but was NOT behind a firewall, was attacked, in
> a manner I do not understand, and I hope someone here could give me some
> tips on restoration advice.
>
> Everything was working perfectly the other day, and actually I was playing
> Unreal Tournament 2004 on the server (hehe), when suddenly all Internet
> traffic through the machine stopped. I couldn't access anything. However,
> other computers accessing the Internet through the same DSL router worked
> fine. I could Remote Desktop and access the web services on the server from
> my laptop using the server's Internet IP address, but DNS (which was one of
> the server's jobs) failed.
>
> I opened Network Connections and right-clicked the Ethernet adapter icon and
> chose "Repair". Repair failed, saying something about the arpa tables being
> corrupted or unable to be reset or something.
>
> I swapped network cards and the DNS and pings to the server simply wouldn't
> work.
>
> I restored the original network card and outsourced the DNS service to
> another company. So now after a day wait, HTTP and e-mail are back up and
> running. I enabled the Windows Firewall and poked holes for HTTP, FTP, and
> E-mail.
>
> But now when I try to test FTP from my laptop, it's very strange... I can get
> on the FTP service just fine using Internet Explorer's FTP service, but when
> using an FTP application that I wrote in C#, it times out while trying to
> transfer data. I tried opening up port 22 (aren't FTP xfers done on 22? or
> is it 20 and I was mistaken?) but that didn't help.
>
> Now that SOME things are working again (everything but ping and DNS and FTP
> using .NET sockets), I had to disable the Windows Firewall again to restore
> the dial-up routing for Routing and Remote Access. But RRAS refused to start
> because IC (Internet Connections) was enabled. No it wasn't ... I enabled
> and then deleted IC, and then set up RRAS to work. The modem picks up again
> as it should, but now it doesn't route anything. I can access the server
> using Remote Desktop over the modem from home, but I can't get onto the
> Internet. I've enabled Routing in the RRAS configuration. This was working
> before, why is it not working now?
>
> Does anyone know what kind of attack the original symptoms appear to be
> from? By the way, please spare me the advice about the immorality of being
> without a firewall. Obviously I made a mistake being so slutty. That's not
> what I'm asking about. I just want to know what kind of attack this was, and
> how I can restore things.
>
> Thanks,
> Jon
>
>