RPC DCOM MS03-026 HACK

  • Thread starter Thread starter JJ
  • Start date Start date
J

JJ

Hi,

I have a win2k server which until recently had no problems.
2 Weeks ago I installed all available updates including SP4.

I then went on holiday for a week.
In that time, my machine was hacked using the DCOM exploit.
It shows up in the event log as dcom calls, then the rpc stops working and
gradually all the web sites fail as visitors access them.

I had no idea what had happened, and didn't realise that my machine had been
hacked.
However I installed the 2 critical updates on the server which became
available through windows update last week.

The RPC/DCOM still happened after that though, so I installed the MS03-026
patch on it's own.
After that the RPC/DCOM exploit happened again, so I can only presume that
the Microsoft patch did not fix my server.
In hindsight, perhaps this was as the result of something the hackers did.

Anyway, as the websites kept failing (The server was ok apart from iis) I
kept investigating.
I searched for files which had been created in the last week, and guess what
I found...!!!!!!
A whole stack of German DVD's!!!, an FTP server, A back door service, and
other dodgy files.

I have since removed the files, and resecured the server as much as
possible. Clearly the only real option is to reformat the drive, but I am
hoping that perhaps the hackers will leave me alone as I discovered the ftp
stuff quickly.

On my travels though I thought i'd see exactly how the hackers are doing
this stuff, seeing as this information would clearly be useful to protect a
system. The most interesting site I found was a site (I was going to mention
it, but i'd better not) which literally had code to perform the dcom exploit
and also a port scanner 'x-scan' to locate vunerable computers.

Microsoft really needs to be looking at this site in particular, as most
other sites seem to get there info from it.
Additionally the site also mentions that the MS03-026 fix does not fix all
systems.

To summarise, this is an extremely dodgy business to be in, and all I can
suggest is a ghost type backup every night to save massive reconfiguring!

Any Comments are welcome!

JJ
 
BTW, what I failed to mention was that the only way to stop the crashes for
me, even with the security patches has been to disable DCOM.

It is a web server with sql server and livestats on it, and has had no
problems.

Thanks

JJ
 
If you think the patch failed to protect you against further DCOM RPC
exploits, you could call Microsoft support for free at
www.microsoft.com/support

I'm pretty sure Microsoft has full time employees that do nothing but track
down warez sites, especially one so common that you found it through a quick
search. Removing such sites is hard with sites being in various countries
with various laws, and sites come up as quickly as others are brought down.
You really can't halt this sort of information, even if you wanted to.

Um, it sounds like you're not running a firewall. This is exactly why you
need to be running a firewall. There are even free firewalls out there.

http://securityadmin.info/faq.htm#firewall

Also, you don't just need one patch, you need them all, especially if you're
running a web server without a firewall. This is not the only exploit that
affects DCOM or RPC or that uses the NetBIOS ports.

Just disabling DCOM without running a firewall allows all sorts of things to
happen on other ports, such as your server leaking password hashes outbound
[this is reportedly a way that web servers are frequently hacked], people
installing remote access trojans or IRC back doors or keystroke loggers or
sniffers that send data outbound, etc.

Once a server is compromised, just installing a patch is not necessarily
enough. Installing a patch does nothing to stop the FTP server or remote
control back door that could have been on your server. Are you sure the
"second hack" happened through DCOM? Or through this particular
vulnerability?

Here are some other things you may want to do to secure the server:

http://securityadmin.info/faq.htm#harden

also:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#ftpfolder

Hope this is useful?
 
Back
Top