RichardParry
IS-IT--Management
Hi All,
A number of our customers' systems have been compromised by an unknown attacker, through an unknown method. These servers are running 2k3 SR2 w/ SP1 and 2k3 w/ SP1 (non RC2); all have the latest AVG File-Server 7.5 AntiVirus and the latest Windows Updates for OS & hardware, but both had been compromised in the same way: a user named "backup" (lower case) was created and assigned to the Administrator group. These servers are all protected by a hardware firewall, including the local Windows firewall, so RDP traffic etc. is not allowed outside of the network, and the only outgoing access from each server to the net was HTTP, HTTPS and SMTP (DNS and NTP are only allowed through specific IPs). The incoming ports on each server are as follows: FTP, HTTP, HTTPS, POP3, SMTP, DNS, "Plesk Admin".
I believe the compromised application was MailEnable Standard mail server software on both systems, as the POP3 Connector would go down and couldn't be started until the "backup" user was removed. I have since upgraded every software application to the latest version on each system and monitored the traffic on each system very closely - each seems to be fine.
I have also run RootKitRevealer, HiJackThis and a full AV scan, and all seem fine. I also checked the Services list and there is nothing suspicious, going through every item and checking the referenced file's signature. All non-required services are stopped and disabled, and all services set to Manual start but Started were checked and all are fine. I have confirmed on each system that outbound access on non-allowed ports (other than the above) does not work, so any ports opened that may attempt to connect to an external system won't happen.
I have also monitored running files (through Microsoft's FileMon application) and can confirm all applications run through the Task Manager, etc.
Is there anything you may suggest I look at further, or additional tests that I can run to see if there is something still lurking on each machine?
Btw, the main administrator user was renamed and all passwords on each system have a strong 10-character password, made up of upper- and lower-case characters, along with numbers.
Many Thanx, Richard
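One further check worth automating for the pattern described in the post (a new account created and then dropped into the Administrators group): correlate the Security event log for account creation followed by a local-group membership add, and diff the current Administrators membership against an allowlist. This is an added example, not code from the poster; the event IDs and the sample log rows are assumptions I constructed (624/636 are the Windows Server 2003 IDs for "user account created" and "member added to security-enabled local group", with 4720/4732 their later equivalents).

```python
"""Flag accounts that were created and shortly afterwards added to the local
Administrators group, and list current admin members not on an allowlist."""
from datetime import datetime, timedelta

# Assumed event-ID mapping: Windows 2003 IDs and their Vista+ equivalents.
ACCOUNT_CREATED = {624, 4720}
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}

# Constructed sample export (timestamp, event id, target account, group).
# Not real log data; mirrors the "backup" account pattern from the post.
SAMPLE_EVENTS = [
    ("2007-03-11 02:13:05", 624, "backup", ""),
    ("2007-03-11 02:13:06", 636, "backup", "Administrators"),
    ("2007-03-11 09:00:00", 624, "jsmith", ""),
    ("2007-03-11 09:01:00", 636, "jsmith", "Users"),
    ("2007-03-12 18:45:10", 636, "svc_plesk", "Administrators"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_rogue_admins(events, allowlist=frozenset({"administrator"}),
                      window=timedelta(hours=1)):
    """Return (account, timestamp, reason) for every add to Administrators
    that is not on the (lower-cased) allowlist; note whether the account was
    created within `window` before the add, which is the attacker pattern."""
    created = {}
    findings = []
    for ts, eid, account, group in sorted(events, key=lambda e: e[0]):
        t = _parse(ts)
        name = account.lower()
        if eid in ACCOUNT_CREATED:
            created[name] = t
        elif eid in LOCAL_GROUP_MEMBER_ADDED and group.lower() == "administrators":
            if name in allowlist:
                continue
            when = created.get(name)
            if when is not None and t - when <= window:
                reason = "account created %s before being added to Administrators" % (t - when)
            else:
                reason = "added to Administrators with no account-creation event in window"
            findings.append((account, ts, reason))
    return findings


def audit_members(current_members, allowlist):
    """Members of the Administrators group (e.g. pasted from
    'net localgroup Administrators') that are not on the allowlist."""
    allowed = {m.lower() for m in allowlist}
    return [m for m in current_members if m.lower() not in allowed]
```

The creation-then-add correlation is what distinguishes a planted backdoor account from a legitimate admin being granted rights, so keep the finding's reason text when triaging.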