
| Subject: | Re: compromised machines |
|---|---|
| Date: | Fri, 27 Aug 2004 03:41:20 -0700 (PDT) |
> We cleaned up all of these machines and rebuilt each of them from scratch, with all the latest patches. The IDS/IPS at the edge of our network does not seem to be catching the bots which are causing these.

When you say IDS/IPS, which are you referring to? If IDS, remember...they are signature-based. One of the biggest problems with employing such a technology is not understanding that it only detects those things that it has signatures for...

> After one week, I have 50 machines which are compromised by the same bot, and some of them are the same as the previous list of machines.

That tends to happen in situations in which no root cause analysis was done.

> Now a host-based firewall is a very tough option for us, since we are a university with around 30,000 computers under different departments. Does anyone know what bots are causing these, and any IDS signatures for these?

Well, given the banner you provided, it would seem that you could write one of your own. Does your IDS product provide the facility for such a thing?

> We are using a couple of IDS such as Snort, Dragon and IntruShield. Any help with this is appreciated.

My earlier question was rhetorical...

> I did have a look at one of these machines and from what I see, there are a couple of files which seem to be causing this. There is a csmss.exe file which is listening on port 6544. The machine is also running a remote server. Before csmss.exe, a file ServNT.exe seems to have been executed, which might have caused a sequence of events. There is a batch file which, using the registry, runs a remote admin server at startup. Then we have a number of files which are used to show the banner and hide the files. I would like to find out how they got inside the system, because most of the infected machines were running fully patched Windows XP with the latest Norton Antivirus definitions.

Patches aren't the be-all-and-end-all...there's more to security than that. There are other avenues into systems such as email and the browser...avenues that may not be covered by patches.

> All of those machines are running either Windows 2000 Professional or XP Professional. Two machines were analysed, one of which was completely patched and had all the latest virus definitions from Norton; another machine was not patched and no virus updates were present. But the state of affairs on both machines was the same. The message sent before contains the details. On more analysis, I found csmss.exe to be a part of the W32.Dedler Trojan, but how it got inside the system is anyone's guess.

Perhaps not...I went to the Symantec site and looked up "Dedler"...it's not a Trojan...it's a worm. http://securityresponse.symantec.com/avcenter/venc/data/w32.dedler.worm.html Interesting thing about the write-up at the site: "4. Copies the following files to open network shares:" There wasn't any detail in your description regarding your domain setup, but maybe that helps a little bit in explaining how so many systems were infected. I know the Symantec writeup doesn't jive exactly with your description, but based on what Norton detected, it's a start. It might also go toward explaining why so many machines were reinfected...

> None of them was running IIS.

Ok...I'm not sure where that plays into all this...but ok... Good luck.
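The reply above argues that the original poster already has enough to write a detection of their own. The script below is an added example, not part of the thread and not Symantec's or anyone else's signature: it takes the indicators the poster named (a csmss.exe process listening on TCP 6544, a ServNT.exe process, and a Run key that launches a remote admin server or a batch file) and checks them against captured `netstat -ano`, `tasklist` and `reg query ...\Run` output from a Windows 2000/XP host. The indicator set, the field layouts and the sample output embedded in the script are assumptions constructed for the example; they are not captures from the systems discussed.

```python
"""Triage captured netstat/tasklist/reg output for the indicators named in the thread.

Added example; indicator list and sample output are constructed, not from the original post.
"""
import re
from collections import defaultdict

# Indicators taken from the poster's description (assumed set, not a vendor signature).
SUSPECT_PORT = 6544
SUSPECT_NAMES = {"csmss.exe", "servnt.exe"}

# Constructed sample output in the format of `netstat -ano` on Windows XP.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:6544           0.0.0.0:0              LISTENING       1588
  TCP    10.1.4.22:139          0.0.0.0:0              LISTENING       4
  TCP    10.1.4.22:3124         10.1.9.7:445           ESTABLISHED     1588
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample output in the format of `tasklist`.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
csrss.exe                    420 Console                 0      2,876 K
svchost.exe                  936 Console                 0      3,212 K
csmss.exe                   1588 Console                 0      1,940 K
"""

# Constructed sample output in the format of `reg query HKLM\...\CurrentVersion\Run`.
REG_RUN_SAMPLE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp       REG_SZ  "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ServNT      REG_SZ  C:\WINDOWS\system32\ServNT.exe
    radmin      REG_SZ  C:\WINDOWS\system32\r_admin.bat
"""

TASKLIST_RE = re.compile(r"^(.*?\S)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
REG_VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$")


def parse_netstat(text):
    """Map PID -> [(proto, local_port, state), ...]; UDP rows have no State column."""
    sockets = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        port = int(parts[1].rsplit(":", 1)[1])
        state = parts[3] if proto == "TCP" else ""
        sockets[int(parts[-1])].append((proto, port, state))   # PID is always the last field
    return sockets


def parse_tasklist(text):
    """Map PID -> image name; image names may contain spaces ("System Idle Process")."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def parse_run_key(text):
    """Map Run value name -> command line from `reg query` output."""
    return {m.group(1): m.group(2)
            for m in (REG_VALUE_RE.match(l) for l in text.splitlines()) if m}


def image_name(command):
    """Lower-cased basename of the executable in a Run-key command line (quoted or not)."""
    command = command.strip()
    path = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(netstat_text, tasklist_text, reg_text):
    """Return [(severity, finding)] for every indicator hit in the three captures."""
    findings = []
    sockets = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    for pid, name in procs.items():
        if name.lower() in SUSPECT_NAMES:
            findings.append(("high", f"process {name} (pid {pid}) matches a known indicator"))
        for proto, port, state in sockets.get(pid, []):
            if port == SUSPECT_PORT and state == "LISTENING":
                findings.append(("high", f"{name} (pid {pid}) listening on {proto}/{port}"))
    # The two snapshots are taken separately, so a listener's PID may be missing from tasklist.
    for pid, socks in sockets.items():
        if pid not in procs and any(port == SUSPECT_PORT for _, port, _ in socks):
            findings.append(("medium", f"pid {pid} listens on {SUSPECT_PORT} but is absent from tasklist"))
    for value, command in parse_run_key(reg_text).items():
        exe = image_name(command)
        if exe in SUSPECT_NAMES:
            findings.append(("high", f"Run value {value!r} launches {exe}"))
        elif exe.endswith(".bat"):
            findings.append(("medium", f"Run value {value!r} launches batch file {exe}; inspect it"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, REG_RUN_SAMPLE):
        print(f"[{severity}] {finding}")
```

The Run-key check deliberately flags any .bat launched at startup, not only known names, because the poster reported the remote admin server being started that way; the batch file itself still has to be read by hand. Once the banner the listener sends is known, the same port and process indicators can be turned into a content rule for Snort or the other sensors mentioned, which is what the reply is pointing at.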