Re: Compromised Server? Anyone recognize the suspect Services?
- From: Newell White <NewellWhite@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 11 Jan 2008 01:32:00 -0800
"John Kotuby" wrote:
Update...<snip>
I finally discovered that there was a whole folder structure under
windows\system32\drivers. Inside one of the folders was a program called
SYNattacker.exe by a Chinese company;
Nygen Hoang Informatics
There was also an XML file with target= <a certain website>
I have located the owner of the website using Whois from Network Solutions
"John Kotuby" <JohnKotuby@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23CNzLJ7UIHA.4696@xxxxxxxxxxxxxxxxxxxxxxx
Newell...
Note below that the created date on the netman24.exe file is Jan 6 2008
1:44PM.
Event viewer shows normal logins, but I did not have it set to record
failed logins. I have changed that.
However, there are a bunch of logins for Website Accounts created by the
Plesk control panel. The login accounts are for web sites that are on the
machine but I did not think were being used since over a year ago. I did
give a consultant FTP login info for those sites. However, how could an
FTP login explain the programs that were definitely installed, and not by
me? Fortunately the packet sniffer programs showed up at the bottom of the
Start/Programs listing.
That is why I am assuming desktop access.
There are also a number of account logins by the Plesk Administrator
account. I have not used the Plesk Control panel in a few months at least.
I think I will just get rid of all extraneous accounts. Server management
is certainly not my forte.
I did a search on one of my Windows servers in the office here that has
been patched on January 9 and find no netman*.exe either. However, in
order to find those files on the Web Server I had to make sure that System
folders were being searched.
The file on the compromised server is found in C:\Windows\system32\drivers
of all places. This is another indication of a rogue file. I got a message
from a friend that said any file named netman*.exe is suspicious.
There was also another file located there "netman24.def" with the
contents:
<?xml version="1.0" encoding="UTF-8"?>
<luxibe name="Netman24" displayName="Network Connections 24"
description="Manages objects in the Network and Dial-Up Connections
folder, in which you can view both local area network and remote
connections." binary="netman24.exe" startup="Automatic"
desktopInteract="no" dependenOn="" antecedentOn=""/>
Which is basically the same info that showed up in the Services area.
Right-clicking properties on netman24.exe shows:
Created - Sunday Jan 6 2008 1:44 PM (must have been Pacific time as the
server is on the west coast of US)
Company - Microsoft Corporation
Version - 5.01.0026
However, as I mentioned, a search for netman24.exe on Microsoft brought up
nothing.
Anyone who compiled the exe could have placed that Microsoft Corporation
info there.
I am trying to figure out a way to get rid of the files without completely
destroying them and maybe submit to Symantec. Maybe I will just rename the
files, download them to my local FTP server, place them on a CD and then
delete.
Thanks for all your help.
In general you don't have to delete malware - renaming it to
zzx_originalname thwarts the start-up mechanism.
But of course the bad guys may have installed another program to copy a .jpg
or something and rename it to originalname.exe whenever that goes missing.
If a web-surfer is victim of a drive-by, then all of these files are
downloaded within the 2-minute interval I mentioned.
But in your case the bad guys have had opportunities for multiple accesses
over a period of time, and Danny Sanders is spot-on.
A driving analogy - the PC is a motorbike (on which you can get yourself
hurt), a server (particularly a public one) is a big truck which can hurt
many.
By the way, e-security seems to be a legit program to co-ordinate
packet-sniffers etc. and report results - therefore a good recce tool for
villains.
--
Regards,
Newell White
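The thread turns on two observations: a service executable living in C:\Windows\system32\drivers, and a "Company - Microsoft Corporation" string that anyone compiling the exe could have put there. The script below is an added example, not something either poster ran; it enumerates installed services, flags any whose executable sits under the drivers folder, and checks whether a Microsoft vendor claim in the version resource is actually backed by a valid Authenticode signature from a Microsoft signer. It assumes a modern PowerShell (3.0 or later, for Get-CimInstance and Get-AuthenticodeSignature), not the 2008-era shell the original server would have had; the service name netman24 is the one from the thread, everything else is constructed.

```powershell
# Added example (not from the thread): list services whose binary lives in an odd
# location or whose vendor claim is not corroborated by a code signature.
function Get-SuspectServices {
    [CmdletBinding()]
    param(
        # Folders where a service .exe is unusual enough to warrant a look
        # (netman24.exe in the thread was found under system32\drivers).
        [string[]]$SuspectDirs = @("$env:SystemRoot\System32\drivers")
    )

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_

        # PathName may be quoted and may carry arguments; pull out the executable.
        # An unquoted path containing spaces is not handled and is skipped.
        $path = $null
        if ($svc.PathName -match '^\s*"([^"]+)"')       { $path = $Matches[1] }
        elseif ($svc.PathName -match '^\s*(\S+\.exe)')   { $path = $Matches[1] }
        if (-not $path) { return }
        $path = [Environment]::ExpandEnvironmentVariables($path)

        $inSuspectDir = $false
        foreach ($d in $SuspectDirs) {
            if ($path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $inSuspectDir = $true }
        }

        $company   = $null
        $created   = $null
        $sigStatus = 'FileMissing'
        $signer    = $null
        if (Test-Path -LiteralPath $path) {
            $item      = Get-Item -LiteralPath $path
            $company   = $item.VersionInfo.CompanyName
            $created   = $item.CreationTime
            $sig       = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # The version resource is free text; only a valid signature corroborates it.
        $claimsMicrosoft       = $company -like '*Microsoft*'
        $unverifiedVendorClaim = $claimsMicrosoft -and
                                 ($sigStatus -ne 'Valid' -or $signer -notlike '*Microsoft*')

        if ($inSuspectDir -or $unverifiedVendorClaim) {
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                StartMode   = $svc.StartMode
                Path        = $path
                Created     = $created
                Company     = $company
                Signature   = $sigStatus
                Signer      = $signer
                Reason      = @(
                    if ($inSuspectDir)          { 'exe under drivers folder' }
                    if ($unverifiedVendorClaim) { 'vendor claim not backed by signature' }
                ) -join '; '
            }
        }
    }
}

# Run as an administrator so every service path is readable.
Get-SuspectServices | Format-Table -AutoSize
```

On a clean machine the list should be empty or contain only software you recognise; a hit combining a recent CreationTime, a Microsoft company string and a NotSigned or HashMismatch status is exactly the pattern described above for netman24.exe. Renaming a flagged binary (the zzx_ trick) stops the service from starting, but keep a copy of the original file first if you intend to submit it to an AV vendor.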