Server hacked or What?
Page 1 of 2 12 LastLast
Results 1 to 10 of 20

Thread: Server hacked or What?

  1. #1
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466

    Server hacked or What?

    Hi Gals/Guys

    My server is behaving very strangely from last 3 days. What happening is that it get restarted automatically after showing that screen of memory dumping. I checked the services and found that few of them are really strange although some of them were disable but they really look fishy.

    I have attached the snapshot of the services.

    I asked my Manager about this and he told me that this happened 5 months ago and he had to re-install the OS ‘cause he couldn’t find a solution to rectify this problem. Apart from services I am also attaching few of the logs which look really strange to me. Hope you people can help me.

    My AV is updated, windows is also updated, I have scanned the system 2-3 times for viruses, Microsoft antispyware is also running.

    Operating System is Windows 2003.

    Awaiting your replies
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  2. #2
    Okay heres what I'm seeing(going to be doing some talking out loud so bear with me). The first unusual happenstance is at 2/10/2006 10:28:49, where a computer with the hostname of "FAIZA$" attempts to connect. Simultaneusly the MCshield service fails. I know that its a multi-proc system so it is entirely possible. Don't know if thats related.
    There seem to be a lot of invalid users trying to connect. Do you have firewall logs as well? Because then we could check to see if these users are coming from the same IP/MAC address.

    Heres the list of users that are invalid:
    KHIDAYAT
    IHAFEEZ
    MUNAZZA
    IMRANYOUNUS
    TEHSIN
    ZIAULHAQ
    KNAFEES
    (note this list is by no means complete)

    And those names repeat quite often.

    Hmm, strange, yet another "stop error" occurred when the user FAIZA tried to connect...

    This could also be a problem: "The CPUs in this multiprocessor system are not all the same revision level. To use all processors the operating system restricts itself to the features of the least capable processor in the system. Should problems occur with this system, contact the CPU manufacturer to see if this mix of processors is supported."(bold added by yours truly)


    The many, many, many attempts to connect by unauthorized users worry me. If you have firewall logs and tcpdump/windump information we would be able to help you better. Of course also follow up on the processor problems. I think thats the most likely issue.

  3. #3
    Banned
    Join Date
    Jun 2005
    Posts
    445
    Ok... as far as services go...


    WTF is a Gray Pigeon Server?
    WTF is Chong3 Me?


    Just curious... I don't work with Windows too often, but these seemed odd....

  4. #4
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Both the services are virus attempts that i managed to disable.

    Locked

    All these are my internal users.... I mean authorized users. I am not sure my i am receiving this invalid users, they are defined in AD and as well as DNS
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  5. #5
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    There are some funny services there which are disabled but i see your mcsheild is
    getting terminated check that you don't have anything running on the machine that
    is not suppouse to be there.

    There seems to be a whole bunch of netlogon failures and sign on failures.
    Some of these errors suggest your client tries to sign or seal the
    secure channel or something to that extent. I would check and try to disable
    "Digitally encrypt or sign secure channel data (always) policy". I could be way
    off but check your secure logons anyway.

    Also another error suggest that machine account failed to authenticate, which is
    usually caused by either multiple instances of the same computer name, or the
    computer name has not replicated to every domain controller.
    Hope this helps you.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    AFAIK Gray Pigeon is an OpenSource(?) RAT (Remote Access Trojan)..

    http://www.megasecurity.org/trojans/h/hgz/Hgz_all.html
    http://www.sophos.com/virusinfo/anal...graybrdam.html

    I highly recommend taking the server off-line.. Backup the important data and reinstall from original media..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Banned
    Join Date
    Jun 2005
    Posts
    445
    That's what I figured.


    It's not enough that they are disabled. They have to be REMOVED.

    And since you seem to have been rooted... Reformat/reinstall.


    It's the only safe thing to do.

  8. #8
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    About those failures logins, all of them are the users which are not on Domain so thats why we are getting message from them.

    Well i have done the thing.... Reinstallation..... The last solution for Windows n best i think cause if you are not getting at the end of the problem, take the backup and wipe out the windows.

    Anyways d0pp you said disabling the service is not enough i should remove them, well that what i wana know now. Is there a tool available to delete the services completely from the system for windows?.
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  9. #9
    Have you been making any configuration changes to this box? There are some odd entries in that log -- disabling of lots of services (SavRoam, Smart Card, RSoP, Remote Registry, Mainboard Monitor, Distributed Link Tracking Client) is the most surprising.

  10. #10
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    @tt!tud3

    As i said that after getting that screen dump problem, i looked into the services and every service i found fishy i disabled it...... After doing that system starting too much trouble....

    Anyways if you see the screenshot and come to service Mainboard Monitor and see its description its showing something relating with FTP access to clients although the service name has no connection to FTP so looks fishy too me few of the others looks suspicious or useless so i disable them.
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •