Hi
I do not know if this is the right board to submit this thread.
I would like to inform you what happens if you're not careful enough to read your log files.
Let me be more specific:
I run my own office (it contains 4 NT 4.0 servers and 17 workstations (W2K and mostly NT 4.0 WKS)).
3 of the 4 servers run around the clock. The 4th server is a RAS dial-in server, which can only be activated via telephone switch (the server gets power and comes up).
1 domain controller and 2 BDCs.
I am using a broadband internet connection. On every WKS, the Tiny firewall runs as an application firewall. Since those clients do not enter the internet, I thought it would be enough.
Whenever I am in my office, there are two workstations with the most uptime: one copy station and a specially prepared NT 4.0 workstation with Tiny firewall and ConSeal, IE6 browser with high security level (Java disabled and so on) and The Cleaner as trojan scanner with activated TCActive tool (process viewer). With this machine, I use the internet.
Now let me tell you why I am at the moment under war conditions:
On Saturday I checked the ConSeal firewall log and found an outgoing connection from local port 1029 to port 80 (internet) to an unknown IP address. I checked with the ripe.net whois who the owner of the IP range is. Well, it points to Czechoslovakia. I am located in Germany (as you can see in my profile). A little research on trojan websites discovered the InCommand trojan, which uses this port.
I rebooted the system and there it was again, this outbound connection (through port 80!! a firewall penetration).
Well, from version 1.0 to version 1.06beta2 of InCommand, no signs of the special server files in my system or registry. So I thought, go ahead, use "The Cleaner" and scan the system for trojans.
BUT: The Cleaner could not come up, because the trojan database file could not be loaded.
I deinstalled The Cleaner and tried to reinstall it (registry was clean and no files left on the HDD). Again, no trojan database could be loaded. Then I surfed to MooSoft to get a clean new copy of it (I have a licence for The Cleaner), but IE6 has been manipulated, so I cannot load any more files from the internet.
This machine has been severely manipulated, so I took it from the network, and I am going to do a clean install, because at the moment I cannot find the tool or registry entry which connects to the internet. I do not trust this system anymore.
Anyway, this morning I installed the VisNetic firewall, the sequel to the ConSeal firewall, on the copy machine. After reboot, there was an outgoing connection as well, but this time local port 1039 to port 80 internet, again to this Czechoslovak IP address. No sign so far what the reason for this connection is. The Cleaner finds nothing. With the VisNetic firewall, I blocked this connection. On the copy machine, the MD5 signature of IE5.5 was hampered. So I assume the intruder got this machine under his control as well.
Conclusion?
I informed the Czechoslovak IP range holder (ISP) about this intrusion (but I think they don't care... well, it's different to Germany; if you report someone here in Germany and you have the log files, this person faces severe punishment (up to three to five years in jail according to the German telecommunication law)).
Well, first I am going to install my hardware firewall GateLock 200x from Trend Micro. The combination of hardware and software firewall is a good protection.
Second, I will make a clean install of those two machines.
Third, I change the IP address range of all machines (I have to, because the GateLock needs a special IP range).
Fourth, on all servers I raise the security and install an additional firewall (ConSeal or VisNetic; it's a licence cost question :-) ).
Next, I change all passwords.
Sixth, I dump The Cleaner; it does not work at all for me.
I am going to post the IP address from Czechoslovakia here; maybe someone had the same experience.
If you have advice or tools which you recommend, believe me, every tip and hint or assistance is warmly welcomed. If you have more info about these ports, do not hesitate and post it to me.
I hope I can close this hole until Saturday (it's damn hard work to bring up 21 machines to a high level of security, especially when I change the IP range; all firewall rules have to be changed to the new range, checked and tested against each other).
Whatever you do to increase your security, it looks like it's not enough.
Thank you, Czechoslovak intruder, you really made my day.
Greetings, m.
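The triage the poster did by hand (read the personal-firewall log, spot outbound connections to an address nobody on the LAN should be talking to, notice that the same remote endpoint shows up again after a reboot and from a second machine) can be scripted. The following Python is an added example, not the poster's code and not the ConSeal or VisNetic log format: the line layout, the sample entries, the LAN range 192.168.1.0/24 and the remote address 203.0.113.45 are all constructed for the demo. It parses the log, flags outbound entries whose destination lies outside an allowlist of expected networks, and groups the hits by remote endpoint so that a destination contacted repeatedly, from several hosts and from changing local ports, stands out.

```python
"""Flag outbound connections to unexpected destinations in a firewall log.

Constructed example. The log format is invented for this demo (it is NOT the
ConSeal/VisNetic format): one entry per line as
    <date> <time> <IN|OUT> <TCP|UDP> <local_ip>:<local_port> <remote_ip>:<remote_port> <action>
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample entries: two workstations, one LAN peer, one unknown remote host.
SAMPLE_LOG = """\
2002-03-02 08:15:01 OUT TCP 192.168.1.20:1029 203.0.113.45:80 ALLOW
2002-03-02 08:15:03 OUT TCP 192.168.1.20:1030 192.168.1.1:139 ALLOW
2002-03-02 08:16:10 IN  TCP 192.168.1.5:2201 192.168.1.20:139 ALLOW
2002-03-02 08:20:44 OUT TCP 192.168.1.20:1031 203.0.113.45:80 ALLOW
2002-03-02 09:02:17 OUT TCP 192.168.1.21:1039 203.0.113.45:80 BLOCK
"""

# Networks a workstation on this LAN is expected to talk to (assumption: LAN only).
EXPECTED_NETS = ["192.168.1.0/24"]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<dir>IN|OUT)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lip>[\d.]+):(?P<lport>\d+)\s+(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<action>\w+)$"
)


def parse_log(text):
    """Turn the log text into a list of dicts; reject lines that do not fit the format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        entry = m.groupdict()
        entry["lport"] = int(entry["lport"])
        entry["rport"] = int(entry["rport"])
        entries.append(entry)
    return entries


def suspicious_outbound(entries, allowed_nets):
    """Outbound entries whose remote address is outside every allowed network.

    The action column is deliberately ignored: an ALLOWed connection to an
    unexpected host is exactly what the poster found in the log.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    flagged = []
    for e in entries:
        if e["dir"] != "OUT":
            continue
        rip = ipaddress.ip_address(e["rip"])
        if not any(rip in net for net in nets):
            flagged.append(e)
    return flagged


def summarize(flagged):
    """Group flagged entries by remote endpoint: hit count, local hosts, local ports.

    Local ports above 1024 are ephemeral and change per connection (1029, 1031,
    1039 ...), so the stable indicator is the remote endpoint and its recurrence.
    """
    summary = defaultdict(lambda: {"hits": 0, "hosts": set(), "local_ports": set()})
    for e in flagged:
        s = summary[(e["rip"], e["rport"])]
        s["hits"] += 1
        s["hosts"].add(e["lip"])
        s["local_ports"].add(e["lport"])
    return dict(summary)


def report(text, allowed_nets=EXPECTED_NETS):
    """One line per unexpected remote endpoint, most-contacted first."""
    summary = summarize(suspicious_outbound(parse_log(text), allowed_nets))
    lines = []
    for (rip, rport), s in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(
            f"{rip}:{rport} hits={s['hits']} hosts={sorted(s['hosts'])} "
            f"local_ports={sorted(s['local_ports'])}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

What the grouping shows is the point of the exercise: a single outbound hit to port 80 could be anything, but the same remote endpoint contacted again after a reboot, from a second machine, and from a fresh ephemeral port each time is a machine-initiated pattern worth chasing with a process viewer and a file-hash baseline rather than with a port-to-trojan lookup table alone.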
