Re: Unknown Network Attack
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/15/04
- Next message: stachmo: "Fail on access server and printer"
- Previous message: Steven L Umbach: "Re: efs and "encryption" overall... help?"
- In reply to: Jon Davis: "Re: Unknown Network Attack"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 14 Oct 2004 21:38:06 -0500
What is happening with RRAS? Make sure the built-in ICF firewall is
disabled on a server using RRAS. Check your TCP/IP configuration to make
sure that it is correct, as resetting TCP/IP may have changed it from static
IP to DHCP or changed the entries in TCP/IP such as IP address, DNS server,
and default gateway. Also check Event Viewer for any error messages that may
help. --- Steve
"Jon Davis" <jon@REMOVE.ME.jondavis.net> wrote in message
news:ekBv%23VlsEHA.1276@TK2MSFTNGP12.phx.gbl...
> Hm. Some things are working. But not routing and remote access (RRAS).
>
> Jon
>
> "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
> news:#qsMAFOsEHA.2948@TK2MSFTNGP12.phx.gbl...
>> It is very hard to tell exactly what happened. Of course scans for
>> malware and parasites [ use something like AdAware SE ] may find out
>> the problem, and/or using tools like Autoruns, TCPView, and Process
>> Explorer from SysInternals to view startup programs, port to process
>> mapping, and detailed examination of processes running on your server
>> to look for compromise. Trend Micro has a great free stand-alone tool
>> to scan for and remove many common kinds of malware. FTP uses TCP ports
>> 20 and 21, and FTP can be either active or passive, which may need
>> different firewall configurations for some firewalls. You may also have
>> just experienced winsock corruption from your description. Running the
>> netdiag support tool may confirm this as it does have a test for
>> winsock. You may be able to fix your problem by reinstalling TCP/IP and
>> repairing winsock. --- Steve
>>
>> http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml -- SysInternals
>> tools.
>> http://www.trendmicro.com/download/dcs.asp -- SysClean
>> http://support.microsoft.com/kb/317518 -- reset TCP/IP Windows 2003 -
>> non domain controllers
>> http://support.microsoft.com/kb/811259 -- repair winsock W2003 and XP
>>
>>
>> "Jon Davis" <jon@REMOVE.ME.jondavis.net> wrote in message
>> news:ukvpj8KsEHA.220@TK2MSFTNGP15.phx.gbl...
>> > The other day, my Windows Server 2003 server, which was configured to
>> > host DNS, FTP, HTTP, and dial-up, but was NOT behind a firewall, was
>> > attacked, in a manner I do not understand, and I hope someone here
>> > could give me some tips on restoration advice.
>> >
>> > Everything was working perfectly the other day, and actually I was
>> > playing Unreal Tournament 2004 on the server (hehe), when suddenly all
>> > Internet traffic through the machine stopped. I couldn't access
>> > anything. However, other computers accessing the Internet through the
>> > same DSL router worked fine. I could Remote Desktop and access the web
>> > services on the server from my laptop using the server's Internet IP
>> > address, but DNS (which was one of the server's jobs) failed.
>> >
>> > I opened Network Connections and right-clicked the Ethernet adapter
>> > icon and chose "Repair". Repair failed, saying something about the
>> > arpa tables being corrupted or unable to be reset or something.
>> >
>> > I swapped network cards and the DNS and pings to the server simply
>> > wouldn't work.
>> >
>> > I restored the original network card and outsourced the DNS service to
>> > another company. So now after a day's wait, HTTP and e-mail are back
>> > up and running. I enabled the Windows Firewall and poked holes for
>> > HTTP, FTP, and e-mail.
>> >
>> > But now when I try to test FTP from my laptop, it's very strange. I
>> > can get on the FTP service just fine using Internet Explorer's FTP
>> > service, but when using an FTP application that I wrote in C#, it
>> > times out while trying to transfer data. I tried opening up port 22
>> > (aren't FTP xfers done on 22? or is it 20 and I was mistaken?) but
>> > that didn't help.
>> >
>> > Now that SOME things are working again (everything but ping and DNS
>> > and FTP using .NET sockets), I had to disable the Windows Firewall
>> > again to restore the dial-up routing for Routing and Remote Access.
>> > But RRAS refused to start because IC (Internet Connections) was
>> > enabled. No it wasn't ... I enabled and then deleted IC, and then set
>> > up RRAS to work. The modem picks up again as it should, but now it
>> > doesn't route anything. I can access the server using Remote Desktop
>> > over the modem from home, but I can't get onto the Internet. I've
>> > enabled Routing in the RRAS configuration. This was working before,
>> > why is it not working now?
>> >
>> > Does anyone know what kind of attack the original symptoms appear to
>> > be from? By the way, please spare me the advice about the immorality
>> > of being without a firewall. Obviously I made a mistake being so
>> > slutty. That's not what I'm asking about. I just want to know what
>> > kind of attack this was, and how I can restore things.
>> >
>> > Thanks,
>> > Jon
>> >
>> >
>>
>>
>
>
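Steve's point about FTP ports 20 and 21 and active versus passive mode, and Jon's question about whether transfers run on port 22 or 20, come down to which side opens the data connection and therefore which firewall hole is needed. The following Python is an added example, not code from either poster: it parses the server's `227` PASV reply into the address and port the client must dial, builds the `PORT` command an active-mode client sends, and lists the rules a server-side firewall has to permit in each mode. All addresses and ports used are constructed sample values.

```python
"""Active vs. passive FTP data channels and the firewall rules each one needs.

Control channel: client -> server tcp/21 in both modes.
Active  mode: client sends PORT h1,h2,h3,h4,p1,p2; server connects back
              from its tcp/20 to the client's advertised port.
Passive mode: server replies 227 (h1,h2,h3,h4,p1,p2); client connects to
              the server on the advertised high port.
A firewall that only permits tcp/21 lets the login succeed and the data
transfer hang, which is the kind of symptom worth checking first.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

FTP_CONTROL_PORT = 21
FTP_ACTIVE_DATA_PORT = 20  # server's source port for active-mode data connections

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class DataChannel:
    """One FTP data connection as the firewall sees it (constructed, hypothetical type)."""
    mode: str            # "active" or "passive"
    server_ip: str
    server_port: int     # tcp/20 in active mode, advertised high port in passive mode
    client_ip: str
    client_port: int


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (server_ip, data_port) from a 227 reply; port is p1*256 + p2."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(g) for g in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PASV field out of 0..255 range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(client_ip: str, client_port: int) -> str:
    """Build the PORT command an active-mode client sends to announce its listener."""
    if not 0 < client_port <= 65535:
        raise ValueError("client_port out of range")
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("client_ip must be a dotted-quad IPv4 address")
    return f"PORT {','.join(octets)},{client_port // 256},{client_port % 256}"


def server_firewall_rules(channel: DataChannel) -> List[str]:
    """Describe what a server-side firewall must allow for this channel to work."""
    rules = [f"allow inbound tcp/{FTP_CONTROL_PORT} from {channel.client_ip} (control channel)"]
    if channel.mode == "active":
        # The server initiates: outbound from tcp/20 to the client's announced port.
        rules.append(
            f"allow outbound tcp from {channel.server_ip}:{FTP_ACTIVE_DATA_PORT} "
            f"to {channel.client_ip}:{channel.client_port} (server dials client)"
        )
    elif channel.mode == "passive":
        # The client initiates: inbound to the high port the server advertised.
        rules.append(
            f"allow inbound tcp/{channel.server_port} from {channel.client_ip} "
            f"(client dials advertised port)"
        )
    else:
        raise ValueError(f"unknown FTP mode: {channel.mode!r}")
    return rules


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses).
    srv_ip, srv_port = parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)")
    passive = DataChannel("passive", srv_ip, srv_port, "198.51.100.7", 0)
    active = DataChannel("active", "192.0.2.10", FTP_ACTIVE_DATA_PORT, "198.51.100.7", 50001)
    print(build_port_command("198.51.100.7", 50001))
    for ch in (passive, active):
        print(f"{ch.mode}:")
        for rule in server_firewall_rules(ch):
            print("  " + rule)
```

The practical reading: a client that logs in fine but stalls on every listing or transfer is usually talking on port 21 successfully while the data connection is being dropped, so the hole to check is the one for the data channel in whichever mode the client uses, not port 22.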