We are running Win2k Server SP2 with all the hotfixes applied (thanks to hfnetchk.exe). Yesterday when I came into work (for my dad) the Internet connection was down. Needless to say, no one was happy, so I called the ISP. Their service was up, but when they logged into our router, they noticed the problem. Something was filling up all our NAT sessions. All the requests came from one IP on port 6667 (IRC port). After about 1-2 minutes all 250 NAT sessions would become tied up and no one else could access the Internet.

As a quick fix, I shut down the PC that was causing all the NAT sessions. Unfortunately it is our Win2k server which runs the website, ftp, listserv, and Great Plains accounting stuff, so it's a critical PC. I installed ZoneAlarm's free firewall (via a CD so the server didn't get on the network causing more chaos) and then, after a configuration, I reconnected the server to the network. Slowly enabling different programs' Internet access, I got to the point where accounting could run Great Plains again, and all the other servers were up.

There is a suspicious exe on the server in the C: drive, mipckov.exe, and it tried to access the Internet. I have no clue what this is, but when we ended its task and took it off the server (it's backed up), nothing seemed broken. I uninstalled ZoneAlarm yesterday and everything has been running smoothly. That is, until after lunch. We re-ran mipckov earlier this morning because accounting was having a problem, but running it didn't solve the issue, nor did it seem to break anything. When the Internet went down, that exe was running and I killed it, and have again deleted it.

I also called the ISP again. They logged in to the router and said that all the sessions are outbound using the internal port of 2465 and converted to the outside world port 6667. This time NAT sessions were opened on 3 IPs. Most of the sessions came from the 2k server. I looked into the other 2 IPs. One is a client PC assigned via DHCP, and it has no trace of mipckov.exe or any abnormal things that run on startup in the registry (mipckov had a registry key to run it on boot; it was also in C:, which seems odd because it's a fairly new file (created June 12) and Win2k is installed on E:). Here's the really weird thing: the 3rd IP I was given isn't leased out via DHCP, nor does our Norton AntiVirus Corporate Edition show any users with that IP (every client has NAV CE on it). So a NAT session was opened by an IP that isn't used, and you can't ping it internally.

I really have no idea as to what to do to try and solve this weird set of issues. I work for my dad to try and help his company out because I know a good bit about PCs in general, but this is all new to me. I unfortunately have no certifications and have not taken any classes on this stuff, but then again, I'm only a teenager trying to help my dad save a ton of money on his IT staff (I'm it...). It is worth mentioning that I ran a scan on all our servers and clients last night with the latest definition files and not one virus turned up.

If anyone has any ideas, tips, resources, input, similar experiences, etc., PLEASE let me know. Anything to work with is greatly appreciated. I don't really know where to turn to for help on this matter, so maybe some of you have some ideas. Again, thank you!

-Russell Lewis
rtlewisat_private

In talking with Marc Fossi of SecurityFocus (www.securityfocus.com) after sending him a zip with the suspicious files, he said, "It looks like Kaiten, a DDoS bot (try doing a Google search on "kaiten ddos"). I would suggest reposting your original message to incidentsat_private. People there can help you out with determining how it got there and how to get rid of it."

So, any ideas on how it got on our server? How can I be sure it's gone? THANKS

I just got the components to make a PC that will run RedHat 7.3 and DeepSight Sensor 1.6 Beta RPM and will be setting that up next week. Hopefully this will let us prevent such an issue again.

Russell Lewis

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
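The symptom described in the post (one internal host tying up the router's 250 NAT sessions toward port 6667, plus a session from an address with no DHCP lease) can be spotted from a dump of the router's NAT table. The script below is an added example, not code from the post or from SecurityFocus; it assumes a hypothetical "src_ip:src_port -> dst_ip:dst_port" line format, and the addresses and lease list are constructed.

```python
"""Flag hosts that exhaust a NAT table toward one destination port.

Added example. The session limit (250) and the IRC port (6667) come from the
post; the line format, addresses and lease list below are constructed.
"""
from collections import Counter

NAT_SESSION_LIMIT = 250   # router limit quoted by the ISP
IRC_PORT = 6667           # destination port every rogue session used

# Constructed NAT table: one internal host holding most of the table toward
# port 6667, one normal web client, and one source with no DHCP lease.
SAMPLE_NAT_TABLE = (
    [f"192.168.1.10:{40000 + i} -> 203.0.113.5:6667" for i in range(208)]
    + [f"192.168.1.55:{50000 + i} -> 203.0.113.9:6667" for i in range(40)]
    + ["192.168.1.20:51000 -> 198.51.100.7:80",
       "192.168.1.20:51001 -> 198.51.100.7:443"]
)
# DHCP leases plus statically addressed servers (constructed)
KNOWN_HOSTS = {"192.168.1.10", "192.168.1.20"}


def parse_session(line):
    """Split one table line into (src_ip, src_port, dst_ip, dst_port)."""
    src, dst = (part.strip() for part in line.split("->"))
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port)


def analyze(lines, known_hosts, limit=NAT_SESSION_LIMIT, port=IRC_PORT, share=0.25):
    """Count sessions per source toward `port`; flag hogs and unknown sources."""
    per_src = Counter()
    unknown = set()
    for line in lines:
        src_ip, _, _, dst_port = parse_session(line)
        if dst_port == port:
            per_src[src_ip] += 1
        if src_ip not in known_hosts:
            unknown.add(src_ip)
    # A single host holding `share` or more of the whole table toward one port
    # is the pattern the ISP saw: a bot, not normal client traffic.
    hogs = {ip: n for ip, n in per_src.items() if n >= limit * share}
    return {"irc_sessions": dict(per_src), "hogs": hogs,
            "unknown_sources": sorted(unknown),
            "table_exhausted": len(lines) >= limit}


if __name__ == "__main__":
    print(analyze(SAMPLE_NAT_TABLE, KNOWN_HOSTS))
```

The unknown-source check is the part that would have surfaced the third IP in the post: any session whose internal address is neither leased nor statically assigned deserves a look regardless of port.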
This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 17:13:58 PDT