Network Security Focus-Microsoft

RE: break in?

Subject: RE: break in?
Date: Mon, 14 Nov 2005 22:53:57 -0500
Check out RootKitRevealer from SysInternals

http://www.sysinternals.com/Utilities/RootkitRevealer.html

It is freeware and interesting software. It will help you check whether you have any rootkits installed on the box.

Also make sure to look at successful logon events; failures will happen often when you leave your box open to the net...

-----Original Message-----
From: Paul Greene [mailto:techlists@comcast.net] 
Sent: November 12, 2005 12:19 AM
To: focus-ms@securityfocus.com
Subject: break in?

Hello,

I have a Win2K domain controller running on my home network that had Terminal Services enabled through my firewall so that I could access the box from my office at work. I had configured the firewall to only allow TS access from the IP block of the company where I work. (The firewall is an OpenBSD box that also acts as the gateway to my ISP.)

Well, I went out on a road trip and allowed TS access from "any" so that I could access the DC from my hotel room, and then forgot to restrict access again when finished. Ooops!! Big mistake.

I was looking through Event Viewer troubleshooting another issue a few days ago, then noticed a whole bunch of failed administrator logins in the security logs. Oh, crap, what happened now. I ran Symantec AV, Spybot Search & Destroy, and Ad-Aware, and none of them found anything. I ran the MS Update service and realized I was out of date on several patches (going back about 2 months' worth of patches).

Another ominous sign was that the DC had two printers configured that I use at the office, but I have never configured a printer for this DC. I deleted the printers, and they came right back.

I wanted to see what was going on with the DC, so rather than wipe it clean and re-install, I locked the firewall down real tight and started logging everything to see if the DC was going to try to "phone home" somewhere. I'm only allowing outgoing HTTP access to the MS Update site, and outgoing DNS queries (UDP port 53) because this is also the DNS server for the network.

More ominous signs. The server was trying a few times a day to make connection attempts to some outbound websites and FTP sites. Some of the IP addresses were located in Romania and Poland. All connection attempts were getting blocked and logged.

Based on these symptoms, can anyone tell me what happened? In particular, for education's sake, can anyone tell what the specific exploit that was used in this case was, and possibly a reference where I can go analyze further what happened?

I don't have anything especially valuable on this server, so I won't lose much by wiping it and starting over again. I think I've also locked it down enough now with firewall ACLs that some turkey isn't going to be stealing my bandwidth for some nefarious purpose either.

Thanks in advance,

Paul Greene
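The reply's advice to look at successful logon events, not just the failures, is the check that actually answers "did they get in?". The script below is an added example and is not part of the original thread. It assumes a simplified CSV export of the Security log (timestamp, event ID, account, source address), which is a constructed format; real Win2K event records carry the source address in the event description rather than as a column. The addresses, the sample events and the company block 198.51.100.0/24 are all constructed. Event IDs 529/528/540 are the Windows 2000/2003 failed/successful/successful-network logon events; 4625/4624 are the Vista-and-later equivalents.

```python
"""Correlate Windows Security-log logon events to spot a brute-forced account.

Added example, not from the original post.  Input is a constructed, simplified
export of Security-log records, one per line:
    timestamp,event_id,account,source_ip
Event IDs follow the Windows 2000/2003 scheme: 529 = failed logon (bad user
name or password), 528 = successful logon, 540 = successful network logon.
Vista and later log 4625/4624 instead; both sets are handled.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

FAILED_LOGON = {529, 4625}
SUCCESS_LOGON = {528, 540, 4624}

# Constructed sample.  203.0.113.0/24 plays the unknown Internet host,
# 198.51.100.0/24 plays the company IP block the firewall was meant to allow.
SAMPLE_LOG = """\
2005-11-05 02:14:07,529,Administrator,203.0.113.50
2005-11-05 02:14:09,529,Administrator,203.0.113.50
2005-11-05 02:14:11,529,Administrator,203.0.113.50
2005-11-05 02:14:13,529,Administrator,203.0.113.50
2005-11-05 02:14:15,529,Administrator,203.0.113.50
2005-11-05 02:14:18,528,Administrator,203.0.113.50
2005-11-05 08:30:00,529,Administrator,192.0.2.77
2005-11-05 09:02:41,528,paul,198.51.100.23
2005-11-06 22:10:03,540,Administrator,203.0.113.50
"""

COMPANY_NETS = ["198.51.100.0/24"]   # hypothetical company block


def parse_log(text):
    """Parse the simplified CSV export into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = (f.strip() for f in line.split(","))
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account.lower(),
            "source": ipaddress.ip_address(source),
        })
    events.sort(key=lambda e: e["time"])
    return events


def failures_by_source(events):
    """Count failed logons per source address (what the poster noticed first)."""
    return Counter(str(e["source"]) for e in events if e["event_id"] in FAILED_LOGON)


def find_suspicious_logons(events, allowed_nets, threshold=5, window=timedelta(minutes=10)):
    """Flag successful logons that follow a burst of failures from the same
    source for the same account, or that come from outside allowed_nets."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    failures = defaultdict(list)          # (source, account) -> failure times
    findings = []
    for ev in events:
        key = (ev["source"], ev["account"])
        if ev["event_id"] in FAILED_LOGON:
            failures[key].append(ev["time"])
            continue
        if ev["event_id"] not in SUCCESS_LOGON:
            continue
        # only failures inside the window before this success count as a burst
        recent = [t for t in failures[key] if t >= ev["time"] - window]
        failures[key] = []                # a success ends the burst
        reasons = []
        if len(recent) >= threshold:
            reasons.append(f"success after {len(recent)} failures within {window}")
        if not any(ev["source"] in net for net in allowed):
            reasons.append("source outside allowed networks")
        if reasons:
            findings.append({
                "time": ev["time"].isoformat(sep=" "),
                "account": ev["account"],
                "source": str(ev["source"]),
                "failures": len(recent),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed logons by source:", dict(failures_by_source(evs)))
    for finding in find_suspicious_logons(evs, COMPANY_NETS):
        print(finding)
```

On the sample, the first flagged event is the 528 from 203.0.113.50 right after five 529s for Administrator, which is what a successful password guess looks like; the later 540 from the same address is flagged only because it is outside the company block, since by then the failure burst has aged out of the window. The single failure from 192.0.2.77 never produces a finding, which is the point of the reply's advice: failures alone are noise on an exposed box, a success after failures is the signal.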

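The original poster's egress logging (block everything outbound except HTTP to the update site and DNS, then watch what the DC tries) is the other half of the picture. The script below is an added example, not code from the thread, that turns those logs into a report: it groups blocked outbound attempts by destination and flags ones that recur at a near-constant interval, which is the "a few times a day" pattern described above. The log format is a constructed, simplified rendering of pf log lines (one timestamped line per decision), not the real pflog/tcpdump output, and every address and timestamp in the sample is constructed.

```python
"""Look for periodic outbound connection attempts in firewall log lines.

Added example, not from the original post.  Input is a constructed, simplified
rendering of the gateway's pf log, one line per packet decision:
    YYYY-MM-DD HH:MM:SS <block|pass> out SRC:PORT > DST:PORT <proto>
A host that keeps trying the same destination at a near-constant interval,
even though every attempt is blocked, is a "phone home" candidate.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>block|pass) out "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample: 192.168.1.2 is the DC, 203.0.113.7 and 198.51.100.40
# stand in for the unknown web and FTP hosts, 192.0.2.10 is the upstream DNS.
SAMPLE_PFLOG = """\
2005-11-10 03:00:02 block out 192.168.1.2:1042 > 203.0.113.7:80 tcp
2005-11-10 09:15:00 pass out 192.168.1.2:1061 > 192.0.2.10:53 udp
2005-11-10 11:00:05 block out 192.168.1.2:1077 > 203.0.113.7:80 tcp
2005-11-10 14:22:51 block out 192.168.1.2:1090 > 198.51.100.40:21 tcp
2005-11-10 19:00:03 block out 192.168.1.2:1101 > 203.0.113.7:80 tcp
2005-11-11 03:00:04 block out 192.168.1.2:1133 > 203.0.113.7:80 tcp
2005-11-11 16:45:12 block out 192.168.1.2:1140 > 198.51.100.40:21 tcp
"""


def parse_pflog(text):
    """Parse the simplified log lines; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "time": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": d["action"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "proto": d["proto"],
        })
    return records


def blocked_egress_report(records, min_attempts=3, max_jitter=0.1):
    """Group blocked outbound attempts by destination and flag regular beacons.

    A destination is marked 'regular' when it was tried at least min_attempts
    times and every gap between attempts lies within max_jitter (a fraction)
    of the mean gap.  Passed traffic (the allowed DNS/update flows) is ignored.
    """
    by_dst = defaultdict(list)
    for r in records:
        if r["action"] == "block":
            by_dst[(r["src"], r["dst"], r["dport"], r["proto"])].append(r["time"])
    report = []
    for (src, dst, dport, proto), times in by_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        regular = (
            len(times) >= min_attempts
            and all(abs(g - mean_gap) <= max_jitter * mean_gap for g in gaps)
        )
        report.append({
            "src": src, "dst": dst, "dport": dport, "proto": proto,
            "attempts": len(times),
            "mean_gap_s": mean_gap,
            "regular": regular,
        })
    report.sort(key=lambda r: (-r["attempts"], r["dst"]))
    return report


if __name__ == "__main__":
    for row in blocked_egress_report(parse_pflog(SAMPLE_PFLOG)):
        print(row)
```

On the sample the web host shows four attempts roughly eight hours apart and is marked regular; the FTP host has only two attempts, so it is reported but not flagged. The interval check is deliberately tolerant (10 percent jitter) because a scheduled task or a retry loop that backs off slightly still produces gaps that cluster tightly around one value, whereas a human driving a browser does not.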