I've been hacked, what now?

pixelp (MIS, US), Oct 5, 2001
I'm new to W2K servers so bear with me. I'm used to Unix OS.
I'm helping a company out with their 2000 servers. Their C drive is full; in cleaning up I noticed that Inetpub/scripts has over 42,000 script files, most starting with TFTP or something like that. I have determined that this area is for ftp access and understand that this is where hackers can get info.
Can I delete these files? What are they? If it's from hackers, can I do some more research to determine from where? This company has been suspicious of hacker attacks so it's possible.
I guess my overall question is: can I delete these, and if not, what are they used for? Seems excessive.....
Thanks for any info!

10/6/01

OK, here's an update of what I have found out so far.
We were indeed hacked on Sept 18th, 2001. The hacker apparently wanted to change our default.html, but we do not use our W2K server as an IIS server so it went unnoticed until the C drive filled up.
The C drive was full of Trivial File Transfer Protocol files in /Inetpub/scripts.
I have moved them off that drive for now to isolate them, but all the default html files are now his obscene webpage.
I also noticed an Admin.dll file dated the same day. My other server does not have the .dll file on it, so now I'm wondering if I need to delete this as well to prevent further floods of the TFTP files.
I'm checking into firewalls now, but I'm seriously considering shutting off the ftp port. But I have no idea how to do that. Any help is greatly appreciated!
 
I have no experience with win2000 but admin.dll was probably installed by the Nimda virus.


If that link is broken just copy and paste it into your address bar and press enter.

If you have no firewall then I suggest you get one pronto. Zone Alarm and Tiny are very good. Stay away from Black Ice Defender though.


 
Regardless of the operating system, unless you are running Tripwire or similar software, I would reinstall the box from backup tapes. The issue then becomes determining when the box was compromised.

How sure are you that the hack was not successful or, if it was, that any particular cleanup utility will find all the backdoors? How critical is the box? It's not a black/white decision but a matter of informed choice.

Tripwire:

-Wayne
ContentMaster
Tips for NT/W2K/XP Admins and Users
Penetration Testing/Hacking Tips for Admins
 
Thank you so much for the comments here! Sorry I haven't responded, but I've been busy cleaning up!
Update --- we did indeed have the Nimda virus, so I downloaded the removal tool and ran it until it was clean. I then also ran the CodeRed virus removal, as this virus leaves a backdoor that the Nimda virus uses. I found that we also had this virus as well.
I ran the removal successfully, and the good news is that the Code Red virus was NOT in memory. I also removed all .html and .asp files that were defaced.

Now here's what's happening. I believe the Nimda virus is removed; however, it is using either the riched.dll for Word or Outlook to propagate a .eml file. I have found hundreds of them on the server and the individual PCs. I have successfully deleted them; however, they continue to propagate via the network.

So here's what I'm doing:
-- We are disconnecting ALL pc's on the network
-- Running Nimda on the server until clean and remove all infected .eml files
-- Deinstalling Word on pc
-- Running the Nimda virus removal on pc
-- Search all drives for the .eml file and remove on pc
-- Run Nimda virus removal again until clean on pc
-- Install new copy of MSword
-- Hook back to the network once all other pc's are clean.

Does this make sense? Have I forgotten something? This company is adamant that they cannot go back to the backups before 9/18... too much data loss. I have advised them that that still may be the only way, but I'd like to try all avenues before that.
Is there anyone I can call for more info or help? Symantec etc?

Thanks for any/all info!! I really appreciate it.

 
One additional step -- make sure every PC and server has up-to-date antivirus software installed. Configure it to automatically upgrade itself. Otherwise, as soon as one of your rocket-scientist users opens an email attachment, you'll have to go through the whole cleanup process again.

Chip H.
 
Yes, I forgot to mention those.
You do need to delete any Riched20.dll files that are current. Any PC that had it dated after 9.18.2001, we deleted it and then reloaded the NT Service Pack 6a for a clean .dll, and all the security patches as well.
I was told I should also load the Security 6a Rollup as well, since that has even more patches SINCE the Service Pack release.
All in all, I think we have it nipped in the bud now! It took a lot of time and we had to be systematic about it, but the schedule I outlined before worked well except for my forgetting to add the deletion of the .dlls. You definitely HAVE to do that too.
Only had 3 PCs that had corrupt .dlls.
I have loaded Norton AntiVirus Corporate Edition 7.5 on their servers and each PC. It comes with antivirus for the Exchange server as well, and I plan on putting it on there too. From what I've seen of this product, I really like it! You can centrally manage all the clients from the server; it's pretty cool and convenient. AND it fixed a bunch more W97 viruses they had out there.

Thanks for all the help and suggestions, it definitely got me going in the right direction!
I plan on using this Forum all the time and I check it often for all the good info.
So I'll be back....
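Pulling the indicators the posters walk through (a mass of TFTP* files and an Admin.dll under Inetpub\scripts, stray .eml files on every drive, a Riched20.dll newer than the 18 September compromise date) into one read-only triage sweep, as an added example that is not from this thread or from any vendor removal tool; the paths, the drive list and the date are assumptions to adjust per machine, and the script reports only, leaving deletion and reimaging to the person doing the cleanup.

```powershell
# Added example (not from the thread): read-only triage for the indicators
# the posters describe. Paths, drives and the compromise date are assumptions.
param(
    [string]$ScriptsDir   = 'C:\Inetpub\scripts',  # assumed IIS scripts directory
    [string[]]$ScanRoots  = @('C:\'),              # drives to sweep for .eml and Riched20.dll
    [datetime]$Compromise = '2001-09-18'           # date of the break-in reported above
)

$findings = @()

# 1. Inetpub\scripts: count the TFTP* droppings and flag the Admin.dll the poster saw.
if (Test-Path $ScriptsDir) {
    $tftp = @(Get-ChildItem -Path $ScriptsDir -File -Filter 'TFTP*' -ErrorAction SilentlyContinue)
    if ($tftp.Count -gt 0) {
        $findings += [pscustomobject]@{ Indicator = 'TFTP* files in scripts dir'; Count = $tftp.Count; Path = $ScriptsDir }
    }
    $admin = Join-Path $ScriptsDir 'Admin.dll'
    if (Test-Path $admin) {
        $findings += [pscustomobject]@{ Indicator = 'Admin.dll present'; Count = 1; Path = $admin }
    }
}

# 2. Stray .eml files anywhere on the scanned drives (the propagation the poster fought).
foreach ($root in $ScanRoots) {
    $eml = @(Get-ChildItem -Path $root -Recurse -File -Filter '*.eml' -ErrorAction SilentlyContinue)
    if ($eml.Count -gt 0) {
        $findings += [pscustomobject]@{ Indicator = '.eml files'; Count = $eml.Count; Path = $root }
    }
}

# 3. Any Riched20.dll written on or after the compromise date (the one the poster had to replace).
foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Filter 'Riched20.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Compromise } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Indicator = 'Riched20.dll newer than compromise date'; Count = 1; Path = $_.FullName }
        }
}

# Report only; nothing is deleted here.
if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it once per machine before the cleanup and again after the removal tools and the service pack reload, so an empty report is the evidence that the "run until clean" loop in the schedule above actually finished.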
 
Just to add to this thread:

We have had exactly the same experience on a 2K server setup, and it took over a week to get things back up and working properly.

The main issue was not getting rid of Nimda; it was that AFTER we did so, the system would start spewing spam within moments after restarting SMTP services. Apparently, even though relay was completely off, we were an open target. Several servers were shovelling data at us on high ports, which was then turning around and going out on port 25. The client is on IDSL, which was effectively at about 4kbps with all the spamming - fortunately, since this is what brought it to our attention immediately!

We were able to control the problem by closing down the router to the minimum required for them, but we are still working on the box and trying to figure out how the relaying is coming in around the restriction.

Michel Bolsey
 