Re: Unknown Network Attack
From: Jon Davis (jon_at_REMOVE.ME.jondavis.net)
Date: 10/15/04
- Next message: Jon Davis: "Re: Unknown Network Attack"
- Previous message: Marshall Lai: "Re: Dual router to wan problem"
- In reply to: Steven Umbach: "Re: Unknown Network Attack"
- Next in thread: Jon Davis: "Re: Unknown Network Attack"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 14 Oct 2004 17:55:42 -0700
Resetting TCP/IP seems to have done the trick. Thanks again.
Jon
"Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
news:#qsMAFOsEHA.2948@TK2MSFTNGP12.phx.gbl...
> It is very hard to tell exactly what happened. Of course scans for malware
> and parasites [use something like AdAware SE] may find out the problem,
> and/or using tools like Autoruns, TCPView, and Process Explorer from
> SysInternals to view startup programs, port-to-process mapping, and
> detailed examination of processes running on your server to look for
> compromise. Trend Micro has a great free stand-alone tool to scan for and
> remove many common malware. FTP uses tcp ports 20 and 21, and FTP can be
> either active or passive, which may need different firewall configurations
> for some firewalls. You may also have just experienced winsock corruption
> from your description. Running the netdiag support tool may confirm this
> as it does have a test for winsock. You may be able to fix your problem by
> reinstalling tcp/ip and repairing winsock. --- Steve
>
> http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml -- SysInternals
> tools.
> http://www.trendmicro.com/download/dcs.asp -- SysClean
> http://support.microsoft.com/kb/317518 -- reset tcp/ip Windows 2003 - non
> domain controllers
> http://support.microsoft.com/kb/811259 -- repair winsock W2003 and XP
>
>
> "Jon Davis" <jon@REMOVE.ME.jondavis.net> wrote in message
> news:ukvpj8KsEHA.220@TK2MSFTNGP15.phx.gbl...
> > The other day, my Windows Server 2003 server, which was configured to
> > host DNS, FTP, HTTP, and dial-up, but was NOT behind a firewall, was
> > attacked, in a manner I do not understand, and I hope someone here could
> > give me some tips on restoration advice.
> >
> > Everything was working perfectly the other day, and actually I was
> > playing Unreal Tournament 2004 on the server (hehe), when suddenly all
> > Internet traffic through the machine stopped. I couldn't access anything.
> > However, other computers accessing the Internet through the same DSL
> > router worked fine. I could Remote Desktop and access the web services on
> > the server from my laptop using the server's Internet IP address, but DNS
> > (which was one of the server's jobs) failed.
> >
> > I opened Network Connections and right-clicked the Ethernet adapter icon
> > and chose "Repair". Repair failed, saying something about the arpa tables
> > being corrupted or unable to be reset or something.
> >
> > I swapped network cards and the DNS and pings to the server simply
> > wouldn't work.
> >
> > I restored the original network card and outsourced the DNS service to
> > another company. So now after a day's wait, HTTP and e-mail are back up
> > and running. I enabled the Windows Firewall and poked holes for HTTP,
> > FTP, and E-mail.
> >
> > But now when I try to test FTP from my laptop, it's very strange. I can
> > get on the FTP service just fine using Internet Explorer's FTP service,
> > but when using an FTP application that I wrote in C#, it times out while
> > trying to transfer data. I tried opening up port 22 (aren't FTP xfers
> > done on 22? or is it 20 and I was mistaken?) but that didn't help.
> >
> > Now that SOME things are working again (everything but ping and DNS and
> > FTP using .NET sockets), I had to disable the Windows Firewall again to
> > restore the dial-up routing for Routing and Remote Access. But RRAS
> > refused to start because IC (Internet Connections) was enabled. No it
> > wasn't ... I enabled and then deleted IC, and then set up RRAS to work.
> > The modem picks up again as it should, but now it doesn't route anything.
> > I can access the server using Remote Desktop over the modem from home,
> > but I can't get onto the Internet. I've enabled Routing in the RRAS
> > configuration. This was working before, why is it not working now?
> >
> > Does anyone know what kind of attack the original symptoms appear to be
> > from? By the way, please spare me the advice about the immorality of
> > being without a firewall. Obviously I made a mistake being so slutty.
> > That's not what I'm asking about. I just want to know what kind of attack
> > this was, and how I can restore things.
> >
> > Thanks,
> > Jon
> >
> >
>
>
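Steve's point that active and passive FTP need different firewall rules, and Jon's question about which port transfers use, as an added illustration (not code from either poster): the PASV reply and PORT command parsed in Python, with a helper that reports which side opens the data connection in each mode. The addresses and the 227 reply are constructed samples in RFC 959 format, not traffic from the thread.

```python
import re

# Constructed sample traffic in RFC 959 reply/command format; not captured
# from the server in the thread. Addresses are documentation ranges.
SERVER_IP = "192.0.2.10"
CLIENT_IP = "198.51.100.7"
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"

def parse_pasv(reply):
    """Parse a 227 reply into the (host, port) the client must connect to.
    The server picked an ephemeral port; the client opens the data connection."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def build_port(client_ip, client_port):
    """Build the PORT command an active-mode client sends; the server then
    connects from its own port 20 to this client address/port."""
    if not 0 < client_port < 65536:
        raise ValueError("bad port %d" % client_port)
    octets = client_ip.split(".")
    return "PORT %s,%d,%d" % (",".join(octets), client_port // 256, client_port % 256)

def parse_port(cmd):
    """Inverse of build_port: what the server sees when a client sends PORT."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", cmd.strip())
    if m is None:
        raise ValueError("not a PORT command: %r" % cmd)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def data_connection(mode, server_ip, client_ip, data_port):
    """Who opens the FTP data connection, and where it goes, for each mode.
    Returns (initiator, source_port, destination_ip, destination_port)."""
    if mode == "active":
        return ("server", 20, client_ip, data_port)   # inbound at the client's firewall
    if mode == "passive":
        return ("client", None, server_ip, data_port)  # inbound at the server's firewall
    raise ValueError("mode must be 'active' or 'passive'")

if __name__ == "__main__":
    host, port = parse_pasv(PASV_REPLY)
    print("passive:", data_connection("passive", SERVER_IP, CLIENT_IP, port))
    cmd = build_port(CLIENT_IP, 50001)
    print("active:", data_connection("active", SERVER_IP, *parse_port(cmd)))
```

The control channel on port 21 is the same in both modes; the difference the firewall must allow for is that passive mode needs the server's ephemeral data port reachable inbound, while active mode needs the server to reach back into the client.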