.

I need help our servers are been attacked

<<

vg12

Newbie
Newbie

Posts: 2

Joined: Fri Feb 22, 2008 9:36 am

Post Fri Feb 22, 2008 9:43 am

I need help our servers are been attacked

I'm not a Hacker I'm a programmer. I work for a small web company and recently we been attacked by somebody.
We think it a Root kits viruses which infected our servers. We can find how do they infect our servers. And simply removing them using antivirus software is not working to good.
They are modifying some of our source files. [.js or asp] also upload a files to the server. [.asa].
We think we rule out the SQL injection we had some prevention in code for that and some of our severs had ftp ports completely closed on  our firewall

Here are the 3 Trojan/Viruses that are on our servers. They all seem to do the same things.

http://www.paretologic.com/resources/de ... ojan&nbsp; HuPigeon YII
http://www.paretologic.com/resources/de ... ojan&nbsp; BHO N Trojan
http://www.paretologic.com/resources/de ... 0Feutel-AM Trojan Feutel-AM

I will take any recomendations and would really appreciate your help.
<<

morpheus063

User avatar

Sr. Member
Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Fri Feb 22, 2008 10:37 am

Re: I need help our servers are been attacked

Hi vg12,

Assuming that you are not going for any legal action against the hacker who got into your server, what i would suggest you is:

-> take a backup of your log files,
-> format the system (do it only if you are unable to remote the rootkits and trojans)
-> restore from a backup and apply the patches to secure the system.
-> Go through the log files that you have backed up in the first step and find out how the hacker got into the system and fix it.

These are going to be the initial steps.

All the best.
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

CadillacGolfer

Newbie
Newbie

Posts: 36

Joined: Thu Dec 14, 2006 1:58 pm

Post Fri Feb 22, 2008 12:46 pm

Re: I need help our servers are been attacked

I agree with Morpehus.

If you do want to pursue things legally, you should quickly hire a firm experienced in incident response and forensics, as it sounds from your post, your company does not have this in house capability.  And is this is the case, you should stop your attempts at any removal as you may be destroying evidence.

As Morpheus mentioned, I think your best bet is to completely rebuild the system from scratch being sure to apply all necessary security patches for the OS AND any applications running before allowing access again from the interent.  Careful with restoring anything from backups as it may be difficult to dtermine when exactly the machine was compromised and you may be restoring infected files.

you mentioned that ftp is not allowed from your server to the internet.  However, from the quick googling i did on these trojans, at least one of them has the ability to connect over http to a malicious server on the internet.  I would think you need to allow inbound http and established replies, but there is probably no reason to allow outbound http from the server, if there is a reason, you should limit it to only the IPs required.

Also based on my quick googling, it looks like the malware you mentioned does not have a propagation mechanism in and of itself.  You might want to look at if an administrator or someone else recently downloaded and installed something from the interent, this may have been the initial infection point.  Of course, someone could have written something to exploit a vulnerability and dump these trojans so its hard to say, but still something to look at.
<<

Bogwitch

Jr. Member
Jr. Member

Posts: 51

Joined: Wed Aug 16, 2006 3:29 am

Post Sun Feb 24, 2008 6:18 pm

Re: I need help our servers are been attacked

As mentioned earlier, a full re-install would be in order. It is imperative that you ascertain the source of the problems, else you are doomed for history to repeat itself.

It may be worthwhile to employ a professional to diagnose the sequence of events that led to your infection, there are many attack vectors that would not be obvious to a lay person.
CISSP, C|EH, C|HFI
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Mon Feb 25, 2008 8:17 pm

Re: I need help our servers are been attacked

Wow, fun week for me to be gone.  vg12, PM me on this if you need more help.  I've spent more time in this arena than I care to remember.  In the short run, the advice you've people have posted here is a very good start.  The basic logic is that if the availability of those systems are more important to your business than tracking down someone to punish, then nuke the hard drive and drop a fresh OS onto the system.  Be very, very careful using backups to reinstall unless you can pinpoint when you were infected and can get a backup from before that point.  Also, don't trust the data on your system.  Just because you put a shiny new OS onto the box doesn't mean you are safe to copy data files or third party apps from the infected system.  I've seen people do that a million times.  When you are trying to figure out where this stuff came from, don't forget to look outside the infected system.  Check firewall and router logs that would show traffic to that box.  More often than not that will give you hints as to how they got onto your system, and they are more trustworthy than the logs on the compromised system.  Your first issue should be to identify the infection source, and it is usually going to fall into 3 areas:  infected file executed on the system, a host based attack aimed at the OS, or an application level attack.  If it was an infected file of some type, you are going to have to try and find evidence in the system logs.  You might also find evidence in your router or firewall logs of the tools trying to "call home" after the infection occurred.  If it was a host based attack your efforts will fall evenly between system and network logs.  This is where you'll see someone or something launching attacks against specific to a certain OS.  Application level attacks are similar in that they might go to certain ports, but the big focus here should be anything over your http ports (80, 8080, etc).  This is where you will usually see people throwing "the kitchen sink" at the web applications.  It is pretty common to see hundreds of attacks within a couple of minutes, usually SQL/CRLS/LDAP/etc injections and cross site scripting as well as IIS and Apache attacks.  All that being said, the safest thing to do is nuke that hard drive, install a new OS, and rebuild your data.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

vg12

Newbie
Newbie

Posts: 2

Joined: Fri Feb 22, 2008 9:36 am

Post Tue Feb 26, 2008 2:42 pm

Re: I need help our servers are been attacked

Thanks for all your posts guys.
I have no problem rebuilding a server except I want to find how they got in into our server first.
What is the point for rebuilding if they will comeback
My server was up to date on Windows updates, all the ports where locked except 80, 25, and 443.
Server is behind firewall. The only thing we did not have any antivirus or spyware protection on.
But on this note we don’t browse the internet on that server
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Tue Feb 26, 2008 3:19 pm

Re: I need help our servers are been attacked

Well, that helps narrow it down.  Few more questions:
-How exposed is this system?  Boundary router?  Internal VLAN?  Behind a firewall that allows access to port 80?  Is that SMTP traffic internal only?
-What are you running on this system?  Is it a web server?  Mail sever?  Backend/frontend for a distributed app? 
-Was someone working off of the system?  Could they have received a file via email or download that might have been infected? 
-Can you give us an idea what logs are available?  System logs as well as network devices? 
-Are you seeing any efforts from the infected system to reach outside of your network?  Are you seeing any efforts from the infected system to reach out and propagate itself by infecting other systems?
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

Bogwitch

Jr. Member
Jr. Member

Posts: 51

Joined: Wed Aug 16, 2006 3:29 am

Post Tue Feb 26, 2008 3:36 pm

Re: I need help our servers are been attacked

In addition to pseud0's questions:
Does your firewall allow connections out initiated by the server?
What web server are you running? Is it up-to-date?
What hosted apps do you have? Any cgi stuff? Up to date? Commercially available? In-house?
Any database?
Are workstations/ other servers on the network segment similarly affected? Have they been scanned? Are they clean?
Do you have any suspects (external or internal)?

From this point on, it's all about the logs, if you have them. Without logs it's likely to be a guessing game.

If you want a full investigation, you might want to take a bit copy of the HDD prior to rebuild. If you were planning to use this as evidence for prosecution, get legal advice or enlist the help of a professional computer forensics company although it may already be too late.
CISSP, C|EH, C|HFI
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Feb 26, 2008 6:10 pm

Re: I need help our servers are been attacked

Did you run Nmap to see what ports were open? There may have been services that you didn't realize were running.

Do you allow rdp for remote admin tasks? Do you allow it for all of your admins? You may be certain that you do not surf the web on it, but are your absolutely sure no one else does?

Don
CISSP, MCSE, CSTA, Security+ SME
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Tue Feb 26, 2008 10:40 pm

Re: I need help our servers are been attacked

Hey what about USB drives?

You don't know how many times in my company we detect admins, technicians and consultants infecting servers because of USB or removable media. Not sure if you have protection for this.

I use USBDeview to view the history of all removable media inserted to a particular remote machine and correlate this data with the date and time of the incident. This tool is free and it also can be use as a command-line option for your scripts.
Security+, OSCP, CEH
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Wed Feb 27, 2008 9:15 am

Re: I need help our servers are been attacked

That's a good idea and restricting mobile media should always be in place, but if it actually dropped something onto your system then you can't trust the time stamps you are going to pull back.  A bunch of the new malware suites are doing time stomps on infected files and the registry keys that record when pieces of media were inserted.  This really screws up your forensics analysis and makes it difficult to put a timeline on what the hell happened to your box.  Plus, it makes your job really, really hard if you try to turn anything into evidence.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sat Mar 01, 2008 3:06 am

Re: I need help our servers are been attacked

Yes, I would agree to reinstall.  The first thing I do in a situation like this is to run Nmap and see what is connecting from the outside.  This almost never gives up much info other than some high jacked box in some remote place, I mean if the hacker has any skill at all, but you need to track it any way just to be complete. Heck, you never know, it could be the one in a million chance and its the guy next door. In some cases I have a company reinstall quickly and I have taken the infected copy and run my analysis to see where the vulnerability was. Not an ideal situation, but they got up fast and I was able to locate the problem.  Just keep in mind that a reinstall is not the complete solution. You really need to know how it happened in the first place. 
<<

LSOChris

Post Sat Mar 01, 2008 6:49 am

Re: I need help our servers are been attacked

vg12 wrote:I'm not a Hacker I'm a programmer. I work for a small web company and recently we been attacked by somebody.
We think it a Root kits viruses which infected our servers. We can find how do they infect our servers. And simply removing them using antivirus software is not working to good.
They are modifying some of our source files. [.js or asp] also upload a files to the server. [.asa].
We think we rule out the SQL injection we had some prevention in code for that and some of our severs had ftp ports completely closed on  our firewall

I will take any recomendations and would really appreciate your help.


you sure it wasnt SQL Injection? do you allow file uploads to the web server? how about RFI in the web app? lots of ways of in.  all the apps to include third party stuff up to date?

from a IH perspective have extra accounts been created, are the connecting back in? what does netstat say for listening ports? what do the web server logs say? you should see the SQL attack in there.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software