Re: Compromised Server? Anyone recognize the suspect Services?
- From: "John Kotuby" <JohnKotuby@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 10 Jan 2008 13:57:53 -0500
Update...
I finally discovered that there was a whole folder structure under
windows\system32\drivers. Inside one of the folders was a program called
SYNattacker.exe by a Chinese company, Nygen Hoang Informatics.
There was also an XML file with target=<a certain website>.
I have located the owner of the website using Whois from Network Solutions.
"John Kotuby" <JohnKotuby@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23CNzLJ7UIHA.4696@xxxxxxxxxxxxxxxxxxxxxxx
Newell...
Note below that the created date on the netman24.exe file is Jan 6 2008
1:44PM.
Event viewer shows normal logins, but I did not have it set to record
failed logins. I have changed that.
However, there are a bunch of logins for Website Accounts created by the
Plesk control panel. The login accounts are for web sites that are on the
machine but I did not think were being used since over a year ago. I did
give a consultant FTP login info for those sites. However, how could an
FTP login explain the programs that were definitely installed, and not by
me? Fortunately the packet sniffer programs showed up at the bottom of the
Start/Programs listing.
That is why I am assuming desktop access.
There are also a number of account logins by the Plesk Administrator
account. I have not used the Plesk Control panel in a few months at least.
I think I will just get rid of all extraneous accounts. Server management
is certainly not my forte.
I did a search on one of my Windows servers in the office here that has
been patched on January 9 and find no netman*.exe either. However, in
order to find those files on the Web Server I had to make sure that System
folders were being searched.
The file on the compromised server is found in C:\Windows\system32\drivers
of all places. This is another indication of a rogue file. I got a message
from a friend that said any file named netman*.exe is suspicious.
There was also another file located there "netman24.def" with the
contents:
<?xml version="1.0" encoding="UTF-8"?>
<luxibe name="Netman24" displayName="Network Connections 24"
description="Manages objects in the Network and Dial-Up Connections
folder, in which you can view both local area network and remote
connections." binary="netman24.exe" startup="Automatic"
desktopInteract="no" dependenOn="" antecedentOn=""/>
Which is basically the same info that showed up in the Services area.
Right-clicking properties on netman24.exe shows:
Created - Sunday Jan 6 2008 1:44 PM (must have been Pacific time as the
server is on the west coast of US)
Company - Microsoft Corporation
Version - 5.01.0026
However, as I mentioned, a search for netman24.exe on Microsoft brought up
nothing.
Anyone who compiled the exe could have placed that Microsoft Corporation
info there.
I am trying to figure out a way to get rid of the files without completely
destroying them and maybe submit to Symantec. Maybe I will just rename the
files, download them to my local FTP server, place them on a CD and then
delete.
Thanks for all your help.
"Newell White" <NewellWhite@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8E950548-8BB7-4E92-AFBF-77408DC58F06@xxxxxxxxxxxxxxxx
Forgot to add, have no netman*.exe on hard drive of our W2k3 std SP2
server, but this does not have 8-Jan patches yet.
If you can find these files, what is the created and modified date/time? May
be worth checking for all files modified within 2 minutes of this to see
what else you may have.
--
Regards,
Newell White
"Newell White" wrote:
I would be surprised if default local security policy was wide open.
The villain may not be trying to log in - could be trying to establish
credentials for a scheduled task or a service - rename the task/service
after each failure and this might reset the lockout count.
What does Event Viewer reveal in the Security log?
--
Newell White
"John Kotuby" wrote:
Big thanks on the response Newell!
I will apply your suggestions immediately.
Maybe I will create 2 Login Accounts with Admin/RDP privileges, just in
case one of them gets locked out.
For some reason I thought that Local Machine policy already defaulted to
lockouts after 3 tries. Obviously that is not the case after what I have
experienced.
"Newell White" <NewellWhite@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:412A3FB5-1FF5-4668-866E-5AACDC213C36@xxxxxxxxxxxxxxxx
"John Kotuby" wrote:
Hi all,
Note: this is cross-posted on the Server.Security group but there is little
action there.
We lease a non-managed Web Server running AV software but no IDS. It is
Windows 2003 STD which receives automatic nightly Windows Security patches
at 3AM.
When I logged into the RDP console on Monday I saw what looked like
Password Cracking software running with the name at the top of the window
E-Security. It looks like it had gone through 69,914,496 permutations
already.
Apparently somebody hacked in through a nearly wide open front door, Remote
Desktop on a standard port. Also installed were 2 network packet sniffing
programs PacketX and WinPcap.
I went into Task Manager and killed a program I did not recognize
netman24.exe. I killed it and also saw about 12 instances of
CheckingThread.exe disappear.
I did not want to click the Close button in the program because who knows
what that might have done.
Looking in Services, right under Network Connections there were 3 other
similar services all claiming to be Microsoft.
Network Connections 24
Network Connections 32
Network Connections 64
Doing a search on Microsoft for netman24.exe brought up nothing.
Doing a similar search on Google brought up nothing.
Same for Symantec.
I changed the Startup Option on Network Connections 24 from Automatic to
Manual. I have not gotten rid of those services or programs yet in case they
are valid.
Maybe the connection between netman24.exe being killed and
CheckingThread.exe instances disappearing was coincidental but I don't think
so.
Anyone else seen anything like this or recognize these programs as valid? I
have not yet removed them from the server.
I have since made some changes to re-secure the server. I need to learn how
to quickly set up VPN access using only a remote connection...such that I
can configure it first and then still have access to the desktop after it
is activated, if that is possible. I don't need an article steeped in theory
and we are not talking active directory, just a standalone Win2003 STD
remote server. So I am looking for a setup that uses only 1 server for both
VPN and Remote Desktop Access. If someone can point me to such an article
or tutorial I will be grateful. I am a software developer under a very tight
schedule, not a trained server manager.
Thanks for any input...
--
"Building a better mouse trap doesn't necessarily make it better for the
mouse."

Can't help you on VPN, but two steps you have probably already taken are:
1) Don't allow built-in Administrator accounts to use Remote Desktop or
Terminal Services. Create an administrator-privileged account with arbitrary
name and strong password to access the server in this way.
2) Use Admin Tools, Local security settings, Account lockout policy to
lockout for 30mins after 7 login failures
--
Regards,
Newell White
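Added triage script, not written by either poster and not part of the thread: it flags services whose display name mimics a built-in one (the "Network Connections 24/32/64" pattern above), whose binary sits somewhere odd such as system32\drivers, or whose file carries no valid Authenticode signature (a version resource saying "Microsoft Corporation" is free text, as John notes), and then applies Newell's two-minute window to list files touched near the suspect file. It assumes PowerShell with WMI access run as an administrator on the server; the netman24.exe path is the one named in the thread and the built-in name pattern is a starting list to extend.

```powershell
# Added example: service triage for a standalone Windows server (not from the thread).
# Assumes PowerShell + WMI, run as administrator on the host being examined.
$expectedDirs = @("$env:SystemRoot\system32\", "$env:ProgramFiles\")

function Get-ServiceBinaryPath([string]$pathName) {
    # Strip quotes and arguments: '"C:\x\y.exe" -k foo' -> 'C:\x\y.exe'
    if ($pathName -match '^"([^"]+)"') { return $matches[1] }
    return ($pathName -split ' ')[0]
}

foreach ($svc in Get-WmiObject Win32_Service) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin) { continue }
    $reasons = @()
    # "Network Connections 24" style: a built-in display name plus a trailing number.
    # Extend the alternation with other built-in names you want to watch.
    if ($svc.DisplayName -match '^(Network Connections)\s+\d+$') {
        $reasons += "display name mimics a built-in service"
    }
    # A service .exe under system32\drivers (a directory meant for .sys files)
    if ($bin -like "$env:SystemRoot\system32\drivers\*") {
        $reasons += "binary under system32\drivers"
    }
    $inExpected = $false
    foreach ($d in $expectedDirs) { if ($bin -like "$d*") { $inExpected = $true } }
    if (-not $inExpected) { $reasons += "binary outside expected directories" }
    # Version-resource strings are untrusted; only a valid Authenticode
    # signature says who actually published the file.
    if (Test-Path $bin) {
        $sig = Get-AuthenticodeSignature $bin
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    } else { $reasons += "binary missing on disk" }
    if ($reasons.Count -gt 0) {
        "{0} [{1}] {2}: {3}" -f $svc.Name, $svc.StartMode, $bin, [string]::Join('; ', $reasons)
    }
}

# Newell's tip: everything created or modified within 2 minutes of the suspect file.
# Placeholder path: point it at the file you already found.
$suspect = Get-Item "$env:SystemRoot\system32\drivers\netman24.exe"
Get-ChildItem "$env:SystemRoot\system32" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object {
        [Math]::Abs(($_.CreationTime - $suspect.CreationTime).TotalMinutes) -le 2 -or
        [Math]::Abs(($_.LastWriteTime - $suspect.CreationTime).TotalMinutes) -le 2
    } |
    Select-Object FullName, CreationTime, LastWriteTime
```

Run it before removing anything, and keep the flagged files (copied off-box, as John plans) so the timestamps and hashes survive for later analysis.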