October 13th, 2002, 06:12 PM
Windows 2000 Server Compromise
Dear Windows Admins,
Recently, one of our Windows 2000 web servers appeared to be suffering an odd glitch. The sites hosted on the machine no longer allowed anonymous access. All sites required a password to view. The first thing we did was move the machine to a private LAN and restore the sites from tape to a newly formatted machine with all updates/patches applied.
Some background: this machine had a past infection of the Spida worm, which we assumed had been taken care of by our overpaid admin (now looking for work). I believe it also had Nimda at one point.
Apart from the Spida worm infection, what else can I look for? It's apparent that someone changed permissions to cause the web sites to be unavailable to anonymous viewing. I also saw that some accounts on the machine had been locked out, so either someone was trying to access the accounts and hit the limit (3 tries) or someone was in the machine and locked the accounts out so the valid users couldn't get in.
I'm not a Windows person, but am in the position of having to maintain these servers now (because the person we trusted to do it was apparently not capable). I need some guidance in finding some forensic tools I can use to determine how many vulnerabilities were exploited and by whom. On a linux machine, I'd know right where to go for logs and necessary toolkits. No clue in Windows!
My gut tells me the former admin was not involved in any of this, because he was hardly able to make a show of competence as a Windows administrator. BTW, he has applied for unemployment, and I am charged with writing a report to show the state why he shouldn't be allowed unemployment benefits, based on his negligence here.
Thanks for any help!
October 13th, 2002, 07:08 PM
For general background try this:
Securing an installation of IIS 4/5. (No, seriously)
For more detail on IIS logging try this:
Building your own IDS tripwire.
These might also be useful for reference:
HTTP/FTP ServiceStatus codes
Web based IIS administration (ADSI)
Backing up the IIS metabase.
Hope that helps. If you need anything more you'll need to be a bit more specific about services config etc. Feel free to mail me if you are still having problems.
"I may not agree with what you say, but I will defend to the death your right to say it."
Sir Winston Churchill.
October 13th, 2002, 07:27 PM
Thanks very much for the info. It will help me to make sure the other servers are in good shape. I have been running some tools to check them out (Stat analyzer, port scanning, etc).
Do you know of a forensics tool that can be used to locate inappropriate files on the machine? (like coroner's toolkit on unix systems).
The network connection on the machine is disabled, and the machine is not needed. I'm mostly interested in the investigation of the incident as a means of learning more about Windows security.
Just a few weeks ago, I attended a SANS "Securing Windows 2000" seminar, so I am getting some practice on the other machines.
October 13th, 2002, 09:31 PM
Inappropriate files on the machine? Such as worms, virii, bots, or spyware? If you're looking for that, search google.com for that kind of software, or you can use tools such as Swat It or any other form of bot/spyware/trojan detector. I'm not quite sure what you are asking, so if you can let me know, I'll try to help you more.
October 13th, 2002, 11:27 PM
>>All sites required a password to view. The first thing we did was move the machine to a private<<
If I had a dollar for every time this happened to me. It's a permission issue. Check your IUSR and/or IWAM permissions on the folder in question. It may be another issue, but this is usually caused by a global permission change on your system. You can also check IIS to see if anonymous HTTP is enabled.
October 15th, 2002, 10:46 PM
Check if the anonymous user IUSR_MACHINENAME (by default) has been locked out somehow.
The favourite trick is that their password has expired - make sure that "password never expires" is selected. Under some circumstances it seems that this setting can be pushed down from domain policies, so that may have broken it.
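The two posts above point at three places the symptom can come from: the state of the IUSR_/IWAM_ accounts, the NTFS ACL on the web root, and the anonymous-authentication setting in the IIS metabase. The script below is an added example, not code from any poster in this thread; it walks all three on an IIS 5/6 host with the IIS ADSI provider (present on IIS 5/6, and on IIS 7+ only with "IIS 6 Management Compatibility" installed) from Windows PowerShell 3 or later. The account names, web root and site ID are the defaults and are assumptions to adjust. Since this is also a forensic question, image the disk first and run the live checks afterwards, or on the restored copy: touching the box writes new event-log entries and timestamps.

```powershell
# Added example (not from the thread). Triage for "every site suddenly asks for a password"
# on an IIS 5/6 host: anonymous/out-of-process account state, web-root NTFS ACL, metabase auth flags.
# Assumptions: default names IUSR_/IWAM_<computer>, default web root, site ID 1 (Default Web Site).
# Run as an administrator on the host (or after imaging it).

$Computer = $env:COMPUTERNAME
$Accounts = "IUSR_$Computer", "IWAM_$Computer"   # assumption: default account names
$WebRoot  = "C:\Inetpub\wwwroot"                  # assumption: default web root
$SiteId   = 1                                     # assumption: Default Web Site

# 1. Account state. Any one of these breaks anonymous access: locked out, disabled,
#    expired password. UserFlags bits are from ADS_USER_FLAG_ENUM.
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

foreach ($name in $Accounts) {
    $u = [ADSI]"WinNT://$Computer/$name,user"
    $flags = [int]$u.Get("UserFlags")
    [pscustomobject]@{
        Account          = $name
        LockedOut        = [bool]$u.InvokeGet("IsAccountLocked")
        Disabled         = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
        PasswordExpired  = ([int]$u.Get("PasswordExpired")) -ne 0
        PasswordNeverExp = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)   # should be True for IUSR_/IWAM_
        PasswordAgeDays  = [int]([int]$u.Get("PasswordAge") / 86400)       # WinNT provider reports seconds
    }
}

# 2. NTFS: the anonymous account needs Read (Read & execute for script dirs) on the web root
#    and must not be hit by a Deny ACE. A "global permission change" usually shows up here
#    as a missing entry or an explicit Deny for Everyone / Users.
(Get-Acl -Path $WebRoot).Access |
    Where-Object { $_.IdentityReference -match 'IUSR_|IWAM_|Everyone|\\Users$|Authenticated Users' } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 3. Metabase: AuthAnonymous must be on at the site root (and on any vdir that now prompts),
#    AnonymousUserName must name an account that exists, and AccessFlags needs AccessRead (bit 0x1);
#    without AccessRead IIS returns 403 instead of prompting. Get() returns inherited values too.
$root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
[pscustomobject]@{
    Path              = $root.Path
    AuthAnonymous     = [bool]$root.Get("AuthAnonymous")
    AnonymousUserName = $root.Get("AnonymousUserName")
    AuthBasic         = [bool]$root.Get("AuthBasic")
    AuthNTLM          = [bool]$root.Get("AuthNTLM")
    AccessRead        = [bool]([int]$root.Get("AccessFlags") -band 0x1)
}
```

If the account block shows PasswordExpired as True with PasswordNeverExp False, that is the domain-policy case described above: the "password never expires" flag was cleared by policy and the anonymous logon started failing, which IIS surfaces as a credential prompt. If the account is healthy and the ACL is intact, the metabase row is where a changed AuthAnonymous or a renamed AnonymousUserName would show.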
October 16th, 2002, 12:20 AM
For some decent info on hardening Windows and Win2k check out the Sans reading room http://www.sans.org . They have some pretty decent papers in there on windows and IIS security (as well as any other thing you want relating to security) and it's free.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
October 16th, 2002, 12:30 AM
When you find a trojan, the best thing to do is fdisk or replace the machine, as you did. If someone was in, you really have no idea what they might have done. Any 'fixes' are just guesswork.
If you don't have some kind of auditing enabled, you could be trying to figure out what they did for a long time. And the lock-outs might be an oversight as suggested, although that is highly suspicious.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
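The original question asked whether the locked-out accounts were hit from outside until the 3-try threshold tripped or locked by someone already on the box, and the reply above notes that only auditing can answer that. The script below is an added example, not code from any poster in this thread. It reads the Security log entries Windows 2000/2003 write when "Audit logon events" / "Audit account logon events" are set to Failure and "Audit account management" to Success, and builds a per-account timeline. Event IDs 529 (bad user name or password), 539 (logon refused because the account is locked out) and 644 (user account locked out) are the 2000/2003 ones; the field layout of ReplacementStrings used below is assumed to be the 2000/2003 layout, and the sample events are constructed so the script runs offline. It needs Windows PowerShell 3 or later, so run it from an admin workstation against the log (Get-EventLog -ComputerName) rather than on the Windows 2000 box itself.

```powershell
# Added example (not from the thread). Separates "brute-forced over the network until lockout"
# from "locked out from the console" using Security-log events 529 / 539 / 644.
# Assumption: ReplacementStrings layout is the Windows 2000/2003 one:
#   529/539: user name, domain, logon type, logon process, auth package, workstation name
#   644:     target account, target SID, caller machine, caller user, caller domain, caller logon ID

function ConvertTo-LockoutTimeline {
    # Accepts System.Diagnostics.EventLogEntry objects (from Get-EventLog) or anything with
    # InstanceId, TimeGenerated and ReplacementStrings; silently drops other event IDs.
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Event)
    process {
        $r = $Event.ReplacementStrings
        switch ([int]$Event.InstanceId) {
            529     { $kind = 'BadPassword';   $acct = $r[0]; $src = $r[5]; $type = $r[2] }
            539     { $kind = 'LockedRefusal'; $acct = $r[0]; $src = $r[5]; $type = $r[2] }
            644     { $kind = 'LockedOut';     $acct = $r[0]; $src = $r[2]; $type = ''    }
            default { return }
        }
        [pscustomobject]@{
            Time      = $Event.TimeGenerated
            Kind      = $kind
            Account   = $acct
            Source    = ([string]$src).Trim() -replace '^\\\\', ''   # workstation / caller machine
            LogonType = $type                                        # 2 = interactive at console, 3 = network
        }
    }
}

function Get-LockoutSummary {
    # One row per (account, source): bad passwords before the lockout, and whether the
    # source was this host (someone on the box) or a remote machine (someone knocking).
    param([Parameter(Mandatory=$true)] $Rows, [string]$LocalName = $env:COMPUTERNAME)
    $Rows | Group-Object Account, Source | ForEach-Object {
        $g = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Account      = $g[0].Account
            Source       = $g[0].Source
            FromThisHost = $g[0].Source -eq $LocalName
            LogonTypes   = (($g | Where-Object { $_.LogonType } | Select-Object -ExpandProperty LogonType | Sort-Object -Unique) -join ',')
            BadPasswords = @($g | Where-Object { $_.Kind -eq 'BadPassword' }).Count
            LockedOut    = @($g | Where-Object { $_.Kind -eq 'LockedOut' }).Count -gt 0
            First        = $g[0].Time
            Last         = $g[-1].Time
        }
    }
}

# Live collection (Administrators only; bound it with -After):
#   $events = Get-EventLog -LogName Security -ComputerName WEB01 -InstanceId 529,539,644 -After (Get-Date).AddDays(-30)
# Constructed sample so the script runs offline; host names, SIDs and times are made up.
$events = @(
    [pscustomobject]@{ InstanceId=529; TimeGenerated=[datetime]'2002-10-12 03:14:02'; ReplacementStrings=@('administrator','WEB01','3','NtLmSsp ','NTLM','\\SCANBOX') }
    [pscustomobject]@{ InstanceId=529; TimeGenerated=[datetime]'2002-10-12 03:14:05'; ReplacementStrings=@('administrator','WEB01','3','NtLmSsp ','NTLM','\\SCANBOX') }
    [pscustomobject]@{ InstanceId=529; TimeGenerated=[datetime]'2002-10-12 03:14:09'; ReplacementStrings=@('administrator','WEB01','3','NtLmSsp ','NTLM','\\SCANBOX') }
    [pscustomobject]@{ InstanceId=644; TimeGenerated=[datetime]'2002-10-12 03:14:09'; ReplacementStrings=@('administrator','S-1-5-21-1-2-3-500','\\SCANBOX','WEB01$','WEB01','(0x0,0x3E7)') }
    [pscustomobject]@{ InstanceId=539; TimeGenerated=[datetime]'2002-10-12 03:14:12'; ReplacementStrings=@('administrator','WEB01','3','NtLmSsp ','NTLM','\\SCANBOX') }
    [pscustomobject]@{ InstanceId=529; TimeGenerated=[datetime]'2002-10-12 03:40:40'; ReplacementStrings=@('webmaster','WEB01','2','User32  ','Negotiate','WEB01') }
    [pscustomobject]@{ InstanceId=529; TimeGenerated=[datetime]'2002-10-12 03:40:46'; ReplacementStrings=@('webmaster','WEB01','2','User32  ','Negotiate','WEB01') }
    [pscustomobject]@{ InstanceId=529; TimeGenerated=[datetime]'2002-10-12 03:40:51'; ReplacementStrings=@('webmaster','WEB01','2','User32  ','Negotiate','WEB01') }
    [pscustomobject]@{ InstanceId=644; TimeGenerated=[datetime]'2002-10-12 03:40:51'; ReplacementStrings=@('webmaster','S-1-5-21-1-2-3-1005','WEB01','WEB01$','WEB01','(0x0,0x3E7)') }
)

$timeline = $events | ConvertTo-LockoutTimeline
$timeline | Sort-Object Time | Format-Table -AutoSize
Get-LockoutSummary -Rows $timeline -LocalName 'WEB01' | Format-Table -AutoSize
```

In the constructed sample the summary shows administrator locked out after three network (logon type 3) failures from SCANBOX, which is the "hit the 3-try limit from outside" case, and webmaster locked out after three interactive (logon type 2) failures whose source is the server itself, which is the "someone was on the machine" case. With only the summary line from Get-EventLog, those two look identical; the logon type and source fields are what distinguish them, and they only exist if the audit policy was on before the incident.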