Examining a compromised server. - Page 2
Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 31

Thread: Examining a compromised server.

  1. #11
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi there ByTe,

    If Symantec is showing them up while scanning but they are not on the system I wonder what’s going on.
    That has got me thinking mate! ..................... looking at it from a reciprocal viewpoint: "What can Symantec see that I cannot, using conventional tools?"

    The ones that spring to mind are:

    1. RAM
    2. The page file

    I don't know about alternate data streams and "slack space" or "cluster tips"? If it can't detect something in the latter it isn't much good, I would have thought?

    I am not yet sure where I would go from here

    On my desktop machines I usually set the Registry value to have Windows overwrite the page file on shutdown. That isn't realistic with a server which is on 24/7

    At this point I would set the page file to minimum size. Because this is used by Windows for mini-dumps, I guess malware would not be able to access it.

    I would then run "Eraser" [link below] to wipe "free space" as this would get what what was in the former page file and it also wipes alternate data streams and cluster tips.

    That then leaves you with the question of how this is happening? It really has to be something that they are not scanning? Possibly:

    1. Portable storage media
    2. Portable devices
    3. Printer Servers
    4. Mail Servers.............sure the e-mails are scanned, but what about the server itself?
    5. "Orphan" clients (PCs in conference & training rooms, libraries, reception areas etc.) These are sometimes overlooked when nobody has direct responsibility for them?

    Good Luck!

    EDIT:

    http://eraser.heidi.ie/

    Works with Windows 98, ME, NT, 2000, XP, Vista, Windows Server 2003 and Server 2008. Eraser is Free software and its source code is released under GNU General Public License.
    EDIT 2:

    Sorry ByTe, you did title your post "examining" so here you go:

    http://www.jsware.net/jsware/sviewer.php5

    A tool for examining ADS and deleting nasty stuff. Sorry, but it only works with NT4.0, 2000, XP and 2003 Server.

    This one will work with Vista and Win 7, but you have to pay $11 for the commercial version that lets you delete stuff. I think it is called "ADS Scanner Engine".

    http://www.freesoftwaretoolbox.com/repository/

    Whilst you are on that site you might like to scroll down and get "Hidden File Scanner". It is the same deal as the one above...."Look for free, pay to touch"

    Hidden File Scanner also does a quick scan at start up to detect the appearance of autorun.inf files on all devices including removable medias. If such an autorun.inf file is found, a dialog box will pop up where you can either delete, unhide or inspect the content of the autorun.inf. This tool will automatically rate the autorun.inf files as normal, hidden, suspicious or dangerous file.
    I am sorry, but I don't know of a utility to examine cluster tips. I guess I would use a Hex Editor or Disk Investigator.

    http://www.theabsolute.net/sware/dskinv.html

    It works with 2000 and XP but I don't know about 2003 Server.
    Last edited by nihil; January 3rd, 2010 at 01:34 PM.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  2. #12
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Nihil all these files have a path! If they are in the swap file (which if I am not wrong cannot be scanned by an AV) the path would be to that file. I am sure they are not in the RAM because I know what's loaded onto the memory (It's highly unlikely that a VBS and INI files are loaded in the memory and I cannot see them). I've used systeminternals to go through the current processes and all the files attached to that process.

    I am planning to have a meeting with some senior Symantec engineer who can assist us ruling out a product glitch (which would be really pathetic). Every time I open a case with Symantec I have to run the stupid load point analysis and diagnostic tool.. LONG STORY !


    Anyway I've uploaded few jpeg's showing the scan window and the file names. I’ll hopefully sanitize the longs so I can upload them here. Because ADS and other logs have come back with lot of data but not a single file which looks suspicious.


    Thanks again mate. I'll go through your post again tomorrow (today).. I'm sleepy, it's (originally 001114 Hrs before i started uploading the print screens) 0125 Hrs here.
    Attached Files Attached Files
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #13
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    I spent 10 minutes trying to get 2 print screens up. Either it's me (sleepy) or the attachment policy that needs an overhaul.
    Attached Files Attached Files
    Last edited by ByTeWrangler; January 3rd, 2010 at 08:01 PM. Reason: attached the same zip file. Sleep. Need.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  4. #14
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi there ByTe,

    Please check your Private Messages.............I have sent you an e-mail address that accepts attachments up to 10 megabytes. We might find that useful in future?

    I will raise the issue of attachment policies, as we have reverted to the vBulletin defaults since the " night of the great upgrade"

    Obviously, I do not want to take discussions "offline" of the forums.....it is simply an issue of how to handle data over a long distance. Hey, ByTe, you must be about 9,000 miles away from me?

    Now, to the case in hand:

    ByTe, are you saying that Symantec is reporting malware at a particular location (path) and that when you go there, you cannot find it?

    I am planning to have a meeting with some senior Symantec engineer who can assist us ruling out a product glitch (which would be really pathetic)
    Hmmmmmm......................................

    OK, let's have another look?

    1. Malware might attack a normal ( visible) system by three basic methods:

    a) append to an existing item
    b) prepend to an existing item
    c) inject into an existing item

    2. Your AV is finding stuff that quite sophisticated analytical tools can't?

    What are the Symantec messages?

    Johnno
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #15
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    I've presented my report. Basically (preparation, detection, containment and current analysis). I'll update soon (possibly 2 or 3 days). I met a symantec rep who wasn't too happy with the findings, nor was the central anti-virus head; knowing we had almost ALL servers down with the same thing.

    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #16
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    I am not sure if anyone has paid any attention to this but since this incident involves Windows Server 2003, I have to compile a report on the security aspect of the OS itself.

    I was going through secunia to see how many vulnerabilities have been reported and so on and honestly this shocked me. There are - 14 unpatched vulnerabilities!. I was hoping Microsoft to be little more responsible towards server grade OS's but no! I just wanted this to be a part of the thread since it might help someone else prepare a report. Also my break-in (or at least the date i noticed it) was close to some popular site's getting DDOS'ed. While these servers have been infected in the past without any reasonís being found. It is still worth noting.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  7. #17
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    I wanted to get few files for analysis and I tried using Knoppix live CD but it didn't work because for some odd reason knoppix is not able to mount the drive. Server uses a SCSI interface.

    I get the following error, anyone who can assist please let me know.. I will google it once i get home (leaving office right now)


    (i)org.freedesktop.hal.device.volume.unknown(/i)

    I was using Knoppix CD version.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  8. #18
    Banned
    Join Date
    Nov 2002
    Posts
    677
    Quote Originally Posted by ByTeWrangler View Post
    (i)org.freedesktop.hal.device.volume.unknown(/i)

    I was using Knoppix CD version.
    I believe there is an easy fix for this. At the boot prompt, type in "knoppix noideraid" without the quotes.

    Knoppix cheatcodes

    The ftp site I gave you should have the latest and great copy of that LiveCD. Just edit the ftp URL to "ftp://ibiblio.org/pub/linux/distributions/knoppix"

    If you need additional modules for starting controllers needed at boot
    time, just copy the corresponding *.ko files from /lib/modules/* over to
    /modules in the initial ramdisk (remaster needed).
    You will need to uncompress initrd to a temp directory; make your changes; compress back into a initrd image; remaster the CD. Initrd howtos are available on the interweb.
    Last edited by Linen0ise; January 16th, 2010 at 08:10 PM.

  9. #19
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Sad as it is. Spending new years eve and other time doing stuff that ... (anyway)


    This is the reply from Symantec:

    *******************************************************************
    > Question/Issue:
    How does Active (Quick) Scan function?
    > Symptoms:
    Active Scan is scanning files that cannot be found on my machine.
    > Cause:
    The file is not located on the machine, it is part of a script of most common file types, viruses, and file names that the active scan is searching for on your machine.
    > Solution
    The Active Scan, scans the system memory and all the common virus and security risk locations on the computer very quickly. The scan includes all processes that run in memory, important registry files, and files like config.sys and windows.ini. It also includes some critical operating system folders.
    Memory Examples:
    - The processes that are located in Task Manager.
    Common infection locations and viruses would be for example: - C:\Windows\System32\dll.dll
    Common registry keys Example:
    - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Scans the common infection locations in addition to all files or the types of files or directories that you selected
    These locations are all well-known virus and security risk locations in addition to all files or the types of files or directories that you selected. This will quickly assess if your machine has one of the more common viruses located in the common locations.

    ******************************************************************


    There is still 2 servers with confirmed infection, i'll send updates as we progress from here.
    Also these files showed up while full scan, that is due the fact (feature) that all full scan's start with active scan.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  10. #20
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi there ByTe,

    I would say that what you are seeing whilst the scan is in progress is what it is scanning FOR, not the files actually being scanned.
    (post #4 in this thread)

    The file is not located on the machine, it is part of a script of most common file types, viruses, and file names that the active scan is searching for on your machine.
    Looks like my initial suspicion was pretty much correct then?

    Nice to know how it works.............I am sure to come across this, and now, thanks to your efforts, I have some sort of an answer.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 01:51 PM
  2. Central Secure Logging in a Win2k Environment
    By Tiger Shark in forum The Security Tutorials Forum
    Replies: 5
    Last Post: March 4th, 2004, 04:00 PM
  3. Understanding DoS
    By NullDevice in forum The Security Tutorials Forum
    Replies: 21
    Last Post: December 17th, 2003, 09:03 PM
  4. Newbies, list of many words definitions.
    By -DaRK-RaiDeR- in forum Newbie Security Questions
    Replies: 9
    Last Post: December 14th, 2002, 07:38 PM
  5. How To Set Up An IRC Server (IRCD) Tutorial
    By Dome in forum Other Tutorials Forum
    Replies: 11
    Last Post: August 21st, 2002, 03:38 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides