Network Hacked Into - Advice Needed

Thread: Network Hacked Into - Advice Needed

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    356

    Network Hacked Into - Advice Needed

    At my job we have two Windows NT 4 machines. Recently we noticed in our router logs more traffic than usual. We did a little research, and lo and behold our two NT 4 machines were penetrated somehow. We haven't the slightest clue how someone got in.

    Well the cracker installed RhinoSoft Serv U FTP. It runs in the background on high ports and is hard to discover. I called RhinoSoft asking how to remove the software and they gave me the old "backup and format". Those guys are bastards. I remember the days they were releasing black hat programs. We all know who's side they're really on. Anyway...

    We disabled the software yesterday. But this morning the files were reinstalled and it is back. So somehow this cracker keeps getting in. I'm currently downloading some port scanners and security scanners. Other than that I am at a dead end.

    I don't want to wipe out these systems. There are so many sites on each machine. Suggestions?

    ----

    Updates: Killed the srvohk.exe process, and deleted the file from system. I was able to delete the CON directory using the RM utility. (Thanks DjM). I am currently checking out the processes that are running, and doing a complete port scan on the system.
    An Ounce of Prevention is Worth a Pound of Cure...
     

  2. #2
    nebulus200 (Jaded Network Admin)
    Join Date
    Jun 2002
    Posts
    1,356
    Suggestion 1) Install a snort or some other network intrusion box.
    Suggestion 2) Mirror whatever ports are being used by the two NT boxes to the NIDS and do a complete packet dump. Disable the software, 'watch' what the person does.

    Suggestion 3) Backups of critical systems are essential and this is why. Take the data from the web sites and scrub the system. That is the only way you can be 100% sure that the intruder has been removed.

    Suggestion 4) Make sure that all your systems are patched and up to date.

    Suggestion 5) Do a complete trust analysis of the systems in question in relation to the rest of your network. It is possible their access could have spread throughout your network using any trust relationships. Perhaps that is even how they are getting into your server.

    Suggestion 6) Don't change or alter anything before this. Use the NIDS to grab more evidence, ghost the drive (make 3 copies). One copy for you, keep original unaltered, last copy for the police. Report the crime. Use the last drive to do more analysis. Do not change the original drive, it will be important evidence.


    Hopefully from suggestion 1 & 2 you will see how the person keeps getting in. You have a lot of work to do. I am sure more will come to mind in a bit, but that is what hit the top of my head.

    /nebulus

    EDIT: Suggestion 7) After ghosting the drives and making backups, try something like nessus to do a vulnerability check of your systems, maybe it will turn up how they got in.

    Good suggestions on checking router/firewall logs and/or policy.

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    DjM (I'd rather be fishing)
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    I hate to state the obvious, but is there any information laying around in the event logs that can shed any light on this?


    Cheers:
    DjM

  4. #4
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    It would of course be useful to know how they managed to get in; that may well lead you to discover something that has been misconfigured, i.e. your firewall.

    Are these boxes directly on the internet? If not, why is your firewall allowing inbound traffic to the high numbered ports on these boxes? Was it an inside job?

    Do you have any logfiles from your firewall or your router which could give some insight into which ports they were connecting to?

    I don't have any specific ideas, except maybe to run a vulnerability scanner like SAINT against them and see what info it gives you.

    I know this is less than helpful to you, but cut your losses and....

    "backup and format"

    Then reinstall and patch, and patch, and patch.

    Unless you use a package such as tripwire which could tell you exactly what has been changed on the server, I would never trust it again. Even if you do manage to remove the software they installed.

    If you don't have any relevant log files from the router, firewall or the machines themselves (wouldn't trust them), you are going to need to be able to take these machines offline for a good period of time to troubleshoot what happened.

    It would make sense to replace the drives, reinstall, patch, set the sites up, and then look at the drives at your leisure to figure out what happened.

  5. #5
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Here is some more info for you guys...

    I downloaded an Active Port Viewer. There is an .exe file: c:\WINNT\system32\srvohk.exe It is listening on ports: 8000 and 43958. This is clearly the trojan.

    Files the hacker uploaded were stored in:
    E:\RECYCLER\S-1-5-21-713979624-1589857245-60295696-600\CON\COM1\

    I was able to move the files out of that directory, but I cannot remove the directory because of the reserved "CON" name. Anyone know how I can remove this? I tried using MSDOS and it won't let me. It is not a read only file. I do have admin permissions.

    I still don't know how this person got in.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    As with any such attack:

    1. Turn off all internet connections and unplug all internal networks between machines (for instance, turn off your switch)
    2. Take images of the HDs of all affected (and any suspected affected) machines, for forensic analysis.
    3. Take full backups of everything if you don't have any current ones already (test these before you flatten the boxes)
    4. Reformat all affected boxes and any other boxes which trusted the affected ones in any way. In a Windows NT network, this will almost certainly mean every workstation, because you probably logged in as administrator at some point on the affected boxes. Reformat them separately, and do not reconnect the network to any machine until after it has been reformatted

    Then the fun part starts

    5. *very carefully* start restoring your backups. Check any executable or suspected executable content (including word docs, etc, which may have malicious macros) for modification. If at all possible, delete all executable content from backups and re-create it (or get it from read-only media, or downloads from vendors (on a clean machine of course, attached for this purpose))

    6. Reinstall all software and patch absolutely anything that you can. If a Windows FTP server is your main suspect, it might be an idea to change vendor.

    7. Re-issue all usernames and passwords (all domain accounts will have been wiped during the reinstall, do not restore domain accounts from backups (duuh)). Make it very clear to users that under no circumstances are they to change their passwords back to what they were before.

    8. Install something like tripwire with your now clean system, to record all protected files before an attacker gets another go

    9. Re-connect your internet connection.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm inclined to agree with Nebulus.........

    The event logs in windows are really not great in these situations since half the time they show only a fraction of what occurred.

    Get yourself an oldish box with a big HD and a bit of RAM. Do not bind any services to the network card and put it on a _hub_ right inside the firewall so it can see all traffic going in and out but it cannot be seen itself.

    If you are an all windows kinda guy use Win2k or XP pro. Get the win32 port of Snort and install that and watch.

    If you want to be a bit more fancy use Ethereal and capture all the traffic going to these two boxes and see if you can ID the offender. Then use Ethereal to capture every packet to and from the offending IPs _and_ from the two compromised boxes for a few days. Keep disabling the software so they have to keep coming back. That gets you a nice big evidence trail _and_ it helps to assure you that they have not stepped off the two servers onto other machines.

    Then go through the other things that the chaps have said to restore the boxes.

    Finally..... Logs - logs - logs!!!!!! Log everything you can. The firewall, a snort box at least, routers, traffic to and from exposed servers etc. etc. etc. In the situation you are in now you can never have too much info - but you sure as hell can have too little.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Nothing worth while in the event viewer.

    I still need to delete that CON directory. Ideas anyone?

  9. #9
    DjM (I'd rather be fishing)
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    According to Micro$oft, reserved names cannot be used for file names:

    The following reserved device names cannot be used as the name of a file: CON, PRN, AUX, CLOCK$, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9. Also avoid these names followed by an extension (for example, NUL.tx7).
    In your case they are in a directory name? I can't find info on that.

    I do have admin permissions.
    That's fine, but who is the 'owner' of the directory? I have had issues with that before even though I was logged on as admin.


    EDIT: Check that I just found this on Technet:

    You would need to try to reference a path that contains more than one DOS device name. The operations by which this could happen are familiar file and folder access operations - reading a file, listing a folder's contents, etc. Under normal conditions, this problem is unlikely to occur. Users cannot create files and folders whose names are reserved words like DOS device names. Because of this, it would be very unusual for a user to try to access such a file or folder. For example, it would be very unlikely that a user would try to list the contents of C:\COM1\COM1, since it is impossible for him to have created such a folder. However, a malicious user might use this vulnerability to try to cause other users' systems to crash.
    The interesting thing here is it says that type of folder cannot be created (Ha Microsoft). Not sure, but this might be time to give Tech Support a call.


    Cheers:
    DjM

  10. #10
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Yeah, it's messed up. Not even supposed to be able to create a directory named "CON". But it is there. I did some research and could not find any info on how to delete it. One guy said he was able to using a Mac.

    There has to be some way to get rid of that directory.
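The reserved-name trick discussed in posts #5 through #10 (a CON\COM1 directory under RECYCLER that normal tools cannot list or delete) is easy to sweep for once you have a directory listing. The following is an added example, not code from anyone in the thread: it flags any path whose components are DOS device names (using the list DjM quoted, including the name-plus-extension case such as NUL.tx7) and builds the \\?\-prefixed form of the path, which tells cmd's rd to skip device-name parsing so the directory can be removed. The sample listing is constructed; only the first entry is the path reported in the thread.

```python
import re

# Reserved DOS device names from the Microsoft note quoted above. NT treats
# these as devices in every directory, so a path component with one of these
# names breaks ordinary file APIs and Explorer/cmd cannot remove it.
RESERVED = {
    "CON", "PRN", "AUX", "CLOCK$", "NUL",
    *["COM%d" % i for i in range(1, 10)],
    *["LPT%d" % i for i in range(1, 10)],
}


def is_reserved_name(component):
    """True if a path component is a reserved device name, with or without
    an extension (NUL.tx7 counts, as the quoted note says). Case-insensitive."""
    base = component.split(".", 1)[0].strip().upper()
    return base in RESERVED


def reserved_components(path):
    """Return the components of a Windows path that are reserved names."""
    parts = re.split(r"[\\/]+", path)
    return [p for p in parts if p and is_reserved_name(p)]


def find_reserved_paths(paths):
    """Filter a listing (e.g. the output of dir /s /b) down to paths that
    contain at least one reserved component: a hiding spot for dropped files."""
    return [p for p in paths if reserved_components(p)]


def device_namespace_path(path):
    # Prefixing a drive-letter path with \\?\ makes the Win32 layer pass the
    # name through verbatim, so:  rd /s /q "\\?\E:\...\CON"  removes it.
    prefix = "\\\\?\\"
    return path if path.startswith(prefix) else prefix + path


# Constructed sample listing: the first entry is the directory from the
# thread, the others are ordinary paths that must not be flagged.
SAMPLE_LISTING = [
    r"E:\RECYCLER\S-1-5-21-713979624-1589857245-60295696-600\CON\COM1",
    r"C:\WINNT\system32\console.dll",
    r"C:\Inetpub\ftproot\pub\readme.txt",
    r"D:\sites\client1\images\logo.gif",
    r"C:\temp\nul.tx7",
]

if __name__ == "__main__":
    for hit in find_reserved_paths(SAMPLE_LISTING):
        print("reserved-name path:", hit)
        print('  remove with: rd /s /q "%s"' % device_namespace_path(hit))
```

On a real box, feed the function the lines of a `dir /s /b` listing of each drive; the `\\.\` prefix works the same way as `\\?\` for this purpose.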
