Advice request: Backdoor hack on Windows Small Business Server 200

Discussion in 'Server Security' started by Michael Friedman, May 25, 2005.

  1. I recently experienced an invasion on my server and am having trouble
    identifying the cause and means of removing the malicious software. I'll
    explain my process of how I determined this to give you an idea of what's
    going on.

    First, I noticed I was running out of hard drive space on the C: drive. I
    have a 19GB partition available using NTFS as my system drive. I didn't know
    where the sudden jump from 15GB of free space to 500MB came from, so I
    checked the folder properties of each root folder to get the amount of data
    stored in each folder. It added up to about 4GB.

    I deleted a bunch of temporary files and unnecessary information to get 15%
    free so I could do a defragment. While defragmenting, I noticed in the
    status bar a series of file names that were not located anywhere on my
    computer -- a series of very long file names with "MovieZ" and "MP3" and so on
    in the middle. I realized someone has been using my server as a free storage
    depot.

    I have http and ftp services, but they are locked down. When I did a search
    for a file or folder containing "MovieZ" it was not found.

    Finally, I noticed a folder on my C: drive and E: drive (data drive) called
    "System Volume Information". I was denied access to it. I realized that this
    was the folder used for system restore points on Windows XP but I was running
    SBS 2003 so the folder shouldn't be there. I added the administrator account
    and found a single subfolder in this folder.

    The subfolder was a very long file name with "control panel" then a long
    GUID. Whenever I selected it, I got the control panel and control panel
    elements. When I did a folder properties on "c:\system volume information" it
    said I had 11GB of data in the folder, but I could not navigate to it.

    Finally, I renamed the "control panel" & GUID folder to "temp" and the hack
    was revealed: a long series of folders containing movies, mp3s, documents,
    etc all in French. I deleted it all, including the "C:\system volume
    information".

    The following day, I checked again and saw that I was getting pounded on
    network traffic but no sessions were open (I have a very small network) and
    none of my remote folks were using FTP or Outlook Web Access. I used network
    monitor to capture some data and found a single site from France and
    something.br. I use a firewall and I used it to block those IP addresses. The
    traffic stopped.

    However, I noticed the "System Volume Information" was back, along with a
    new 900MB of stuff. Clearly some app is still on my system that goes remote
    and synchronizes somewhere. Norton Antivirus Corporate 8.0 does not see any
    viruses. Adaware eliminated only 2 spam cookies.

    I went to Microsoft's security site and downloaded the security analyzer
    (which is great) and it exposed risks in my SQL Home Edition, SBS, Exchange,
    and MSXML. I patched all of these late (very late) last night.

    So, I believe I have a handle on the security and where the issue is
    located, but am unable to determine what is causing the addition of the
    "system volume info" folder and its French junk. I'd like to be rid of it.

    Anyone experiencing these issues or similar, advice is appreciated. Of
    course, I will continue to search through the Trojan horse & backdoor hack
    reports.

    Thanks,
    Michael
     
    Michael Friedman, May 25, 2005
    #1
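The folder trick described in this post (a directory whose name ends in a CLSID-style `{GUID}` so that Explorer shows the Control Panel instead of the directory's real contents) can be hunted for with a short script. The following is an added example written for this page, not code from the thread or from any of the tools named in it. It assumes the drive letters in the post (C: and E:), treats any directory name ending in `{GUID}` as suspect regardless of which GUID it is, and reports how much data sits underneath. Note that "System Volume Information" itself is a normal Windows folder (Volume Shadow Copy and indexing use it), so the script looks for the CLSID-suffixed subfolder rather than for the folder. Run it from an elevated prompt so access-denied directories can be entered.

```powershell
# Added example (not from the thread): find directories whose name carries a
# CLSID-style "{GUID}" suffix and report their real on-disk size.
# Roots and the size threshold are assumptions; adjust to your system.
param(
    [string[]]$Roots   = @('C:\', 'E:\'),   # assumed drives from the post
    [long]  $MinBytes  = 100MB              # stashes below this are listed but not flagged
)

# Matches names like "Control Panel.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
$clsidSuffix = '\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$'

function Get-DirectorySizeBytes {
    param([string]$Path)
    # -Force includes hidden/system entries; access errors are skipped, not fatal
    $sum = Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
           Measure-Object -Property Length -Sum
    if ($sum -and $sum.Sum) { [long]$sum.Sum } else { 0L }
}

$findings = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $clsidSuffix } |
        ForEach-Object {
            $bytes = Get-DirectorySizeBytes -Path $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                SizeMB     = [math]::Round($bytes / 1MB, 1)
                # the GUID part tells you which shell namespace the folder impersonates
                Clsid      = [regex]::Match($_.Name, '\{[^}]+\}$').Value
                Suspicious = ($bytes -ge $MinBytes)
            }
        }
}

if ($findings) {
    $findings | Sort-Object SizeMB -Descending | Format-Table -AutoSize
} else {
    "No CLSID-suffixed directories found under $($Roots -join ', ')"
}
```

A hit is not proof of compromise on its own (some software creates such folders deliberately), but a multi-gigabyte one inside a share or inside "System Volume Information" is exactly the pattern the post describes, and the path it prints is what you would then feed to the tools recommended in the replies.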

  2. Roger Abell Guest

    Interesting tale Michael. The good part is that it seems the exploit is
    one that is not deeply hidden, and that as they did want to use your system
    they likely were not ruthless in terms of damage to it.
    Assuming that what is used is not deeply rooted and stealthed you could
    start with basic tools, like TcpView from www.sysinternals.com which
    would help you to identify the binaries that have bound to network ports
    (as you know one thing about the exploit you have suffered, that it must
    be allowing network access). If you are familiar with what services are
    normal, you could check the shown services for reasonability. While
    at sysinternals you should pick up the tools they also have available that
    1) will list out all common places an app can be set to start, and 2) the
    rootkit detection tools that will help with discovery of some rootkits.

    I have no doubt others will help you out by mentioning other avenues and
    tools from different sources, but the above would give you some initial
    sanity check info.
     
    Roger Abell, May 26, 2005
    #2
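The first check Roger suggests (which binaries have bound to network ports) can be scripted without TcpView. The following is an added example for this page, not code from the thread or from Sysinternals. It parses `netstat -ano`, which exists on every Windows version from 2000 onward, resolves each PID to its executable path and flags anything that does not live under the Windows or Program Files directories. The trusted-directory list and the English-language `LISTENING` state string are assumptions; run it elevated so the path of every process can be read.

```powershell
# Added example (not from the thread): map listening ports to the owning
# executable and flag binaries outside the usual system locations.
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}    # null on 32-bit hosts, dropped below
) | Where-Object { $_ }

function Get-ListeningEndpoints {
    # netstat -ano columns: Proto, Local Address, Foreign Address, [State], PID
    # "LISTENING" assumes an English locale; other locales print a translated word.
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            [pscustomobject]@{ Proto = 'TCP'; Local = $f[1]; ProcessId = [int]$f[4] }
        } elseif ($f.Count -ge 4 -and $f[0] -eq 'UDP') {
            [pscustomobject]@{ Proto = 'UDP'; Local = $f[1]; ProcessId = [int]$f[3] }
        }
    }
}

function Resolve-OwningProcess {
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }     # null when access is denied
    $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }
    $trusted = $false
    if ($path) {
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
    }
    # PID 4 is the kernel (System) and never has a readable image path
    $flag = if ($path -and -not $trusted) { 'REVIEW: outside system dirs' }
            elseif (-not $path -and $ProcessId -ne 4 -and $ProcessId -ne 0) { 'REVIEW: path not readable' }
            else { '' }
    [pscustomobject]@{ ProcessId = $ProcessId; Name = $name; Path = $path; Flag = $flag }
}

Get-ListeningEndpoints | ForEach-Object {
    $owner = Resolve-OwningProcess -ProcessId $_.ProcessId
    [pscustomobject]@{
        Proto = $_.Proto; Local = $_.Local; PID = $owner.ProcessId
        Name  = $owner.Name; Path = $owner.Path; Flag = $owner.Flag
    }
} | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Flagged rows are where to start: a listener whose image sits in a share, a temp directory or a "RECYCLED" folder is worth far more attention than one under System32. Compare the list against what you know the server is supposed to serve (HTTP, FTP, SMTP, RDP) and treat every extra port as unexplained until you can name the program behind it.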

  3. Roger,

    Thanks for the assistance... I will check out the tool you recommended.

    To further update: this morning I found a new folder, hung off a share on my
    server:

    "RECYCLED" and in it, the same control panel mask. In the first folder, I
    discovered the following files:

    admDll.dll 88k
    audio.exe 236k
    nc.bat 1k
    ntk-tpf.r00 14,649k
    raddrv.dll 29k
    radmin.bat 1k
    radmin.reg 1k
    serial.txt 1k

    The audio.exe process was running and once I killed it I was able to delete
    the files and folders. Doing some initial searching, this remote admin setup
    is similar to W32.Remadmin as listed in Symantec Security Response. I haven't
    done a virus scan in safe mode, and hopefully that will find the problems,
    although I will continue to research -- a good learning experience for a
    novice admin.

    Thanks,
    Michael
     
    Michael Friedman, May 26, 2005
    #3
  4. Roger gave you great advice to get you started. If you have not done so, be
    sure to run the IISLockdown/Urlscan tool on your server to further secure
    IIS. The tools he mentioned and Process Explorer from SysInternals should
    give you a good idea what is going on. Unfortunately the damage may already
    be done and a fresh install may be your best option along with more
    preventative steps before you attach to the internet again though it never
    hurts to try and discover what is going on and how it happened as a learning
    experience. Make sure that you are using strong passwords for your
    administrator accounts and double check the membership of all the
    administrator groups on the server and avoid using admin powers for mundane
    tasks and browsing the internet/email.

    Firewall logs could also have alerted you to suspicious activity as could
    the security logs if you have enabled auditing of logon events and increased
    the size of the security log to at least 10MB. Trend Micro also makes a free
    tool to scan for and remove malware called Sysclean available at the links
    below. Just download it and the pattern file to the same folder, unzip the
    pattern file and then execute Sysclean. --- Steve

    http://www.trendmicro.com/download/dcs.asp
    http://www.trendmicro.com/download/pattern.asp
     
    Steven L Umbach, May 26, 2005
    #4
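Steve's post names three things that would have given early warning: who is in the administrator groups, whether logon auditing is on, and whether the Security log is big enough to hold the evidence. The following is an added example for this page, not code from the thread; it reviews all three and lists recent failed logons. It assumes Windows PowerShell 5.1 on a current Windows Server (for `Get-LocalGroupMember` and the Vista-and-later event ID 4625; Windows 2003 used different IDs and lacks these cmdlets) and English-language `auditpol` output. The 10MB threshold is the one suggested in the post.

```powershell
# Added example (not from the thread): review admin group membership, Security
# log size, logon auditing and recent failed logons on a Windows server.
function Get-AdminMembers {
    # Local Administrators group; on a domain controller use Get-ADGroupMember
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-SecurityLogSize {
    param([long]$MinimumBytes = 10MB)    # threshold suggested in the post
    $log = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
    [pscustomobject]@{
        MaximumKilobytes = $log.MaximumKilobytes
        MeetsMinimum     = (($log.MaximumKilobytes * 1KB) -ge $MinimumBytes)
        OverflowAction   = $log.OverflowAction   # OverwriteAsNeeded loses old evidence first
    }
}

function Get-LogonAuditSetting {
    # auditpol /r emits CSV; "Inclusion Setting" is Success, Failure,
    # "Success and Failure" or "No Auditing"
    auditpol /get /subcategory:Logon /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-RecentFailedLogons {
    param([int]$Count = 25)
    # Event 4625 = failed logon. Property positions in the 4625 record:
    # 5 = TargetUserName, 10 = LogonType, 19 = IpAddress
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $p[5].Value
                LogonType = $p[10].Value      # 3 = network, 10 = RDP
                From      = $p[19].Value
            }
        }
}

Write-Host '== Administrators =='
Get-AdminMembers | Format-Table -AutoSize | Out-Host
Write-Host '== Security log =='
Test-SecurityLogSize | Format-List | Out-Host
Write-Host '== Logon auditing =='
Get-LogonAuditSetting | Format-Table -AutoSize | Out-Host
Write-Host '== Recent failed logons =='
Get-RecentFailedLogons | Format-Table -AutoSize | Out-Host
```

If `Inclusion Setting` reads "No Auditing", nothing about the intrusion's logons was ever recorded; `auditpol /set /subcategory:Logon /success:enable /failure:enable` turns it on, and `Limit-EventLog -LogName Security -MaximumSize 10MB` (or larger) stops the log from wrapping before you read it. A burst of 4625 events from one address with many different usernames is the password-guessing pattern the post warns about.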
  5. There is a lot of information on these sorts of very common hacks, if you
    search for "ftp tagging" or "pubstro."

    Although your firewall seems to be blocking people from downloading files,
    it sounds like 1) your server could still be vulnerable with an open hole,
    2) attackers may still be remotely managing your server and 3) it is
    probably still running hidden FTP software somewhere, perhaps hidden by a
    root kit or perhaps that you just haven't found yet. [The fact that the FTP
    data files were visible to you makes me think that perhaps no root kit is in
    use.]

    The vulnerabilities you fixed are not the ones I would think let this
    occur, although hopefully MBSA has made sure you now have all the Microsoft
    security patches installed. If an easily guessable password, insecure
    configuration setting or an unpatched program that MBSA does not check for
    was used, then there could still be a problem. If there were other missing
    patches that you installed and didn't list here, then it could be that you
    did find and fix the problem.

    You say that your FTP service is locked down, but do be sure that the
    anonymous user [such as IUSR] cannot both write and read to any one FTP
    folder. There should be a read-only download folder and/or a write-only
    upload folder.

    If you still haven't found the hidden FTP service [if there is one],
    downloading Hijack This and posting the logs to the Hijack This web forum
    may be helpful. Filemon from www.sysinternals.com may be helpful as well.

    For detecting intrusions, I highly recommend running a file change checker
    such as the free Languard SIM from www.gfi.com [you have to really search
    for it, but it's there, I swear] or Osiris on your servers. You have to run
    it a few times and tell it to ignore any files that change frequently that
    you are sure are supposed to be changing. Typically, these programs will
    run once a day and send you an email or create a log of any changed files.
    If you are hacked and a file changes, you might only be given one
    notification of the file change, so checking the log for every day is
    advisable. These tools do not necessarily detect root kit hidden files, but
    they may detect other files that a root kit forgot to hide.

    These links should give some info on looking for intrusions and on further
    hardening your system. MBSA is a great tool, but it alone is not a thorough
    check for server security:

    http://securityadmin.info/faq.asp#ftpfolder
    http://securityadmin.info/faq.asp#hacked
    http://securityadmin.info/faq.asp#harden
     
    Karl Levinson, mvp, May 28, 2005
    #5
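Karl's file change checker works exactly as he describes: record a baseline of file hashes, rerun it on a schedule, report every added, removed or modified file, and maintain an ignore list for files that legitimately churn. The following is an added example for this page, not code from the thread, GFI or Osiris. The monitored paths, the baseline location and the ignore patterns are assumptions; it needs PowerShell 4 or later for `Get-FileHash`. The first run writes the baseline, later runs print one line per change in a form suitable for a daily log or scheduled-task output.

```powershell
# Added example (not from the thread): a minimal file change checker.
# First run: record SHA-256 hashes of every file under $Paths.
# Later runs: report files that were added, removed or modified since then.
param(
    [string[]]$Paths    = @("$env:SystemRoot\System32", 'C:\Inetpub'),   # assumed
    [string]  $Baseline = 'C:\Admin\fim-baseline.xml',                   # assumed; keep it outside $Paths
    [string[]]$Ignore   = @('*\System32\LogFiles\*', '*\Inetpub\logs\*', '*.log')  # grows as you tune it
)

function Get-FileInventory {
    param([string[]]$Roots, [string[]]$IgnorePatterns)
    $inv = @{}                         # full path -> SHA-256 (case-insensitive keys)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                $p = $_.FullName
                -not ($IgnorePatterns | Where-Object { $p -like $_ })
            } |
            ForEach-Object {
                # files locked by another process are skipped rather than aborting the run
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h) { $inv[$_.FullName] = $h.Hash }
            }
    }
    $inv
}

function Compare-FileInventory {
    param([hashtable]$Old, [hashtable]$New)
    $added    = $New.Keys | Where-Object { -not $Old.ContainsKey($_) }
    $removed  = $Old.Keys | Where-Object { -not $New.ContainsKey($_) }
    $modified = $New.Keys | Where-Object { $Old.ContainsKey($_) -and $Old[$_] -ne $New[$_] }
    [pscustomobject]@{ Added = @($added); Removed = @($removed); Modified = @($modified) }
}

$current = Get-FileInventory -Roots $Paths -IgnorePatterns $Ignore

if (-not (Test-Path -LiteralPath $Baseline)) {
    New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
    $current | Export-Clixml -LiteralPath $Baseline
    "Baseline written: $($current.Count) files hashed to $Baseline"
    return
}

$previous = Import-Clixml -LiteralPath $Baseline
$diff  = Compare-FileInventory -Old $previous -New $current
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'
foreach ($kind in 'Added', 'Removed', 'Modified') {
    foreach ($f in $diff.$kind) { "$stamp  $kind  $f" }
}
# Only re-run with the baseline deleted (i.e. accept the new state) after every
# reported line has been explained, e.g. by a patch you installed yourself.
# Otherwise the same changes keep being reported, which is the point: a single
# missed notification is exactly the failure mode described above.
```

Two caveats match Karl's own: a rootkit that filters directory listings will hide its files from this script just as it hides them from Explorer, and the baseline file is only as trustworthy as the place you keep it, so store a copy off the server or on read-only media. Redirect the output to a dated file and have the scheduled task mail it, and you have the daily report he describes.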
  6. Karl,

    Wow, thanks for the great information! I appreciate your detail and
    suggestions.

    To follow up, I was able to determine the program binding: NeDDS.exe. This
    was listed in the services as a legacy Network service. Once disabled, all
    traffic back and forth on the server stopped. I believe there is still a
    vulnerability on the server that was activating the executable but since it's
    not there, it can't. I am still on the lookout (I was away most of the
    weekend). Fortunately, this server is not one of high risk and is more of a
    test server so, while very interested, I am not fretting too much. This has
    been a great exercise.

    Thank you all for responding so well. I hope I can return the favor sometime.

    Michael

     
    Michael Friedman, May 31, 2005
    #6
  7. Roger Abell Guest

    I do hope that all empowered accounts (in your infrastructure, not just the
    accounts on that one machine) that might have been used from or that might
    be similar to accounts used upon that machine have had password changes
    after the time when the machine was last able to pass packets out.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
     
    Roger Abell, Jun 1, 2005
    #7
  8. Roger,

    You bet. I have also enforced a stricter security policy on password
    changes, length, and complexity. I was very casual about this to begin with.
    I also modified the way I handle my backups to better recover from future
    intrusions. I was fortunate that nothing was actually damaged.

    As probably a final note, one of the risks I noticed was that I was running
    a fairly old version of Symantec Antivirus Corporate (8.0) so I upgraded to
    10.0. It arrived yesterday and I updated it last night. On my first scan, it
    found "remacc.radmin" which appears to be the source of my troubles. The 8.0
    edition did not scan for threats. The offending dll and registry key were
    removed. It also found some unexpected viruses and ad-threats on two of my
    client machines.

    Thanks to all for the comments. I realize this is just a specific incident
    in ongoing vigilance against threats aimed at the novice and experienced
    admin. Field experience is the best experience!

    Michael

     
    Michael Friedman, Jun 1, 2005
    #8
  9. Steven,

    Thanks for your comments -- I wanted to make sure I replied to you because
    each person who has responded has provided very detailed valuable
    information.

    I have to admit when I was going through my MCSE training I was disheartened
    at some of the people who were just there to get the paper and didn't really
    care about what was going on or who they were going to "get as much money
    from as they could" by just doing the bare minimum on purpose. You and the
    other posters have restored my faith in detail, problem-solving, and
    experience!

    Thanks,
    Michael
     
    Michael Friedman, Jun 1, 2005
    #9
  10. Roger Abell Guest

    But note that, as you stated
    <quote>
    I was fortunate that nothing was actually damaged.
    </quote>
    is in fact very hard to determine (if it is at all possible)
    in this day. Some current exploits are effective at hiding
    themselves by taking control over information that is shown
    in dir lists, reg lists, process lists, etc..
    There are a number of malware scanning tools available,
    a number of them free one-time checks. Use of these would be
    worth the time if you are planning to keep that system as it
    is after cleaning. You may want to check some of the posts
    of MVP Malke. She has accumulated a lengthy listing of some
    of the better free checkers and advises on combinations of these
    to use, and has compiled this and a set of links at base of page
    http://www.elephantboycomputers.com/page2.html
    However, it does not cover rootkits and there are really no
    fully effective tools for these (today and likely ever) but one
    of the current best that does have success against the more common
    and less sophisticated is from Sysinternals
    http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
    --
    Roger
     
    Roger Abell, Jun 1, 2005
    #10
  11. Hi Michael.

    Glad that my two cents helped somewhat. Thanks for posting back. I forgot to
    mention the excellent Antivirus in Depth Guide from Microsoft that you may
    want to read through sometime to prepare yourself better for the future. The
    community spirit is still very alive if you look in the right places! --
    Steve

    http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
    http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx
    --- Threats and Countermeasures, another great read.
     
    Steven L Umbach, Jun 1, 2005
    #11