Server Comprimised

[Bernie]

We have a IIS loaded on 2000 Server, this morning I logged
onto the server (server is on DMZ) using administrator
account and password. I then proceeded to install an
application (trojan remover - Had a web visitor call into
the company saying when he visited our website a Trojan
attempted to install onto his PC) ), but I then got a
message saying I was not logged on as administrator? I
logged off (noticed that I only had "log of as
administrator" option - no shutdown option under "shut
down", I proceeded to log off, logged on again with same
password.. still same results when trying to install. I
went into computer admin to try view user accounts and got
the message saying I was not logged on as administrator!

I then used Run As command to install the TR.. I was
prompted for administrator password, and got error message
about wrong password! I then started entering in various
words.. and whola.. "password" worked as the password, I
installed Trojan remover. Logged off the server, entered
in "password" as the password.. and I was logged onto the
server, I proceeded to Computer admin, changed
the "password" for administrator account and it worked, I
was now logged on as administrator. I ran TR and it found
wolfmd.bat in programs\startup. I have found that
wolfmp.bat is a keyboard capture utility, I am right? I
have also found that it could be related to Wolfenstein
game servers? I removed wolfmp from startup. I have since
found wolfmp.bat shortcut in \HKEY_USERS\S-1-5-21-
18....\console\wolfmp.bat

I then installed Spybot, and it found DSO and Alexa.

I guess where I am going with this is this;
I keep my servers up to date with patches and AV
protection at all times, and do not use easy to guess
passwords.
What else can I do, and what can I do to further
investigate what was done?
How would the Windows 2000 server let me log on
as "administrator" user account with 2 different
passwords? One with no rights, and one with full admin
rights? This server used to be on our local Domain, I
changed that when I came onboard.. could it have been
using cached password from the old domain, and not using
the local user account?
How can I find out if I my IIS server is being used as
game server?

Hope this makes sense to you guys

TIA - Bernie

 

[Laura E. Hunter \(MVP\)]

This is a long-standing debate, but I am of the opinion that you can't
really trust a compromised server again unless you rebuild it again from the
ground up using known-good media. The difficulty lies in the fact that once
a bad guy gets their own software to run on your server...it's NOT YOUR
SERVER anymore. Even if you run every Spyware and anti-virus scan
imaginable, you can never be 100% sure that you didn't miss something.

In terms of avoiding future compromises, standard hardening tactics are in
order:

* Only install software and services that you need
* Disable any services that you're not using
* Stay up-to-date on anti-virus signatures and security patches
* Use a software- or hardware-based firewall to limit who can connect to the
machine, and what they can do once they get there

 

[Bernie]

Laura,

I agree with you on it not being "our server" anymore.

As far as the standard reccomentation:

* Only install software and services that you need

Only non- IIS needed app was Webtrends

* Disable any services that you're not using Did that
* Stay up-to-date on anti-virus signatures and security

patches
Did that- I check server patches once per week, and update
AV defs every Thursday and Monday AM

* Use a software- or hardware-based firewall to limit who

can connect to the machine, and what they can do once they
get there
I use Hardware Firewall, and have the IIS server isolated
from the LAN by placing it on DMZ.

This server also serves as my primary NS server, and also
host DNS server, it's going to be a major task to
completly rebuild and reconfigure the server, but
something I agree with I need to do

-----Original Message-----
This is a long-standing debate, but I am of the opinion that you can't
really trust a compromised server again unless you rebuild it again from the
ground up using known-good media. The difficulty lies in the fact that once
a bad guy gets their own software to run on your server...it's NOT YOUR
SERVER anymore. Even if you run every Spyware and anti- virus scan
imaginable, you can never be 100% sure that you didn't miss something.

In terms of avoiding future compromises, standard hardening tactics are in
order:

* Only install software and services that you need
* Disable any services that you're not using
* Stay up-to-date on anti-virus signatures and security patches
* Use a software- or hardware-based firewall to limit who

can connect to the machine, and what they can do once
they get there

 

[Lanwench [MVP - Exchange]]

Laura,

I agree with you on it not being "our server" anymore.

As far as the standard reccomentation:
Only non- IIS needed app was Webtrends
patches
Did that- I check server patches once per week, and update
AV defs every Thursday and Monday AM
can connect to the machine, and what they can do once they
get there
I use Hardware Firewall, and have the IIS server isolated
from the LAN by placing it on DMZ.

This server also serves as my primary NS server, and also
host DNS server, it's going to be a major task to
completly rebuild and reconfigure the server, but
something I agree with I need to do

I agree with Laura, too. I'd also consider putting IIS (or whatever
webserver you choose) on another dedicated box - don't run your DNS on it.

 

[Bernie]

Thanks for your feedback

-----Original Message-----


I agree with Laura, too. I'd also consider putting IIS (or whatever
webserver you choose) on another dedicated box - don't run your DNS on it.


.

 

[Jeff Cochran]

First, get this server offline now. Second, if you intend to do any
forensic work or potentially prosecute, pull the drive. If you want
to start the prosecution process, call the FBI before you do anything
else.

Once that's done, wipe the system and rebuild from scratch. You were
compromised, you don't know how and you don't know what else may have
been changed/installed. Restore data only from a known good backup.

Follow the hardening process at:

From Blueprint to Fortress: A Guide to Securing IIS 5.0:
http://www.microsoft.com/technet/prodtechnol/iis/iis5/deploy/depovg/securiis.asp

Also see:

Security Checklists:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Default.asp

Hit http://securityadmin.info/ as well.

Make sure your firewall is tight. Make sure all critical fixes have
been done. Remove unused services. And never use the server as a
workstation.

If you are *not* intending to prosecute or report this, only then
should you do any forensic work yourself. securityadmin.info has some
decent starting help for that, but make sure you have preserved all
your logs. Make sure you're prepared for the next time by auditing
access and any other options you feel necessary. Changes to user
objects may be one you want to audit.

And then, when you have everything as good as it can possibly be,
watch it like a hawk. Keep up to date on everything, all the time.
Or pay someone to do it for you.

Jeff

 

[Bernie]

Jeff, thank you very much for your valued info.

I have started the reload process onto another spare
server I have (not often one has a "spare" server) I will
then take the current one offline and do complete reload
to have as spare. I spent 6 hours yesterday cleaning the
IIS, and was astonished to find how much it had been
tampered with. When all done I will post a follow up on my
findings.

Bernie