RE: win2k server issue

From: Kit (kitat_private)
Date: Thu Jun 27 2002 - 21:10:39 PDT


    I'll start with some semi-obvious stuff to check, just since we aren't
    extremely familiar with your setup.
    
    First off, how up to date is your server patch-wise?  Have you installed
    URLScan or any of the other tools in MS's Security Toolkit?
    
    Secondly, have you run a tool such as FPort or Active Ports to determine
    that there are not any erroneous ports running on your server or clients?
    
    Finally, have you checked the Web & FTP logs for 403 or 5xx errors for bad
    access attempts?  Have you looked in the Security Event Logs for failed
    attempts?
    
    These are some of the first places to check on the Windows machines
    themselves.  Beyond that, a sniffer/IDS machine would be the next good check
    to see exactly what's going on within the network itself.  It will help you
    determine exactly where and how the system(s) are acting.
    
    On another note, I find it odd that the firewall/router is purposely PAT'ing
    the nonsensical internal port of 2465 to a fixed well known 6667 IRC port.
    This would suggest the firewall itself may have been compromised.  Is this
    router controlled by your company or the ISP's?  Just something else to
    consider.
    
    -K
    
    > -----Original Message-----
    > From: RUSSELL T. LEWIS [mailto:RUSSELL_T._LEWISat_private]
    > Sent: Thursday, June 27, 2002 3:53 PM
    > To: incidentsat_private
    > Subject: win2k server issue
    >
    >
    > We are running Win2k Server SP2 with all the hotfixes applied (thanks to
    > hfnetchk.exe).  Yesterday when I came into work (for my dad) the Internet
    > connection was down.  Needless to say, no one was happy, so I called the
    > ISP.  Their service was up, but when they logged into our router, they
    > noticed the problem.  Something was filling up all our NAT sessions.  All
    > the requests came from one IP on port 6667 (IRC port).  After about 1-2
    > minutes all 250 NAT sessions would become tied up and no one else could
    > access the Internet.  As a quick fix, I shut down the PC that was causing
    > all the NAT sessions.  Unfortunately it is our Win2k server which runs the
    > website, ftp, listserv, and Great Plains accounting stuff.  So it's a
    > critical PC.  I installed ZoneAlarm's free firewall (via a CD so the server
    > didn't get on the network causing more chaos) and then after a
    > configuration, I reconnected the server to the network.  Slowly enabling
    > different programs' Internet access, I got to the point where accounting
    > could run Great Plains again, and all the other servers were up.
    >
    > There is a suspicious exe on the server in the C: drive, mipckov.exe, and
    > it tried to access the Internet.  I have no clue what this is, but when we
    > ended its task and took it off the server (it's backed up) nothing seems
    > broken.  I uninstalled ZoneAlarm yesterday and everything has been running
    > smoothly.  That is, until after lunch.  We re-ran the mipckov earlier this
    > morning because accounting was having a problem, but running it didn't
    > solve the issue, nor did it seem to break anything.  When the Internet went
    > down, that exe was running and I killed it, and have again deleted it.  I
    > also called the ISP again.  They logged in to the router and said that all
    > the sessions are outbound using the internal port of 2465 and convert to
    > the outside world port 6667.  This time NAT sessions were opened on 3 IPs.
    > Most of the sessions came from the 2k server.  I looked into the other 2
    > IPs.  One is a client PC assigned via DHCP, and it has no trace of
    > mipckov.exe or any abnormal things that run on startup in the registry
    > (mipckov had a registry key to run it on boot; it was also in the C:,
    > which seems odd because it's a fairly new file (created June 12) and win2k
    > is installed on E:).  Here's the really weird thing: the 3rd IP I was
    > given isn't leased out via DHCP, nor does our Norton Antivirus Corporate
    > Edition show any users with that IP (every client has NAV CE on it).  So a
    > NAT session was opened by an IP that isn't used, and you can't ping it
    > internally.  I really have no idea as to what to do to try and solve this
    > weird set of issues.  I work for my dad to try and help his company out
    > because I know a good bit about PCs in general, but this is all new to me.
    > I unfortunately have no certifications and have not taken any classes on
    > this stuff, but then again, I'm only a teenager trying to help my dad save
    > a ton of money on his IT staff (I'm it...).
    >
    > It is worth mentioning that I ran a scan on all our servers and clients
    > last night with the latest definition files and not one virus turned up.
    >
    > If anyone has any ideas, tips, resources, input, similar experiences, etc.,
    > PLEASE let me know.  Anything to work with is greatly appreciated.  I don't
    > really know where to turn to for help on this matter, so maybe some of you
    > have some ideas.
    >
    > Again, thank you!
    > -Russell Lewis
    > rtlewisat_private
    >
    >
    > In talking with
    > Marc Fossi
    > SecurityFocus
    > www.securityfocus.com
    > after sending him a zip with the suspicious files he said,
    > "It looks like Kaiten, a DDoS bot (try doing a Google search on "kaiten
    > ddos").  I would suggest reposting your original message to
    > incidentsat_private.  People there can help you out with determining how
    > it got there and how to get rid of it."
    >
    > So, any ideas on how it got on our server?  How can I be sure it's gone?
    >
    > THANKS
    >
    > I just got the components to make a PC that will run RedHat 7.3 and
    > DeepSight Sensor 1.6 Beta RPM and will be setting that up next week.
    > Hopefully this will let us prevent such an issue again.
    >
    > Russell Lewis
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
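As an added example (not part of this thread, and not code from any tool named in it), the script below automates two of the checks Kit suggests: counting 403 and 5xx responses per client IP in an IIS W3C web log, and spotting established connections to the IRC port (6667) plus listening ports that are not on an approved baseline, which is what one would look for with FPort or `netstat -an`. The log excerpt and the netstat output embedded in it are constructed sample data, not taken from Russell's server; the IP addresses and the approved-port baseline are assumptions for the illustration.

```python
"""Triage helpers for the checks suggested in the thread: suspicious status
codes in an IIS W3C extended log, and netstat output showing outbound IRC
sessions or unexpected listeners. All sample data here is constructed."""
from collections import Counter

IRC_PORT = 6667
SUSPECT_STATUS_PREFIXES = ("403", "5")   # 403 and any 5xx

# Constructed IIS 5.0 W3C extended log excerpt (not real log data).
SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-06-27 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-06-27 13:50:01 192.0.2.44 GET /default.htm 200
2002-06-27 13:50:07 192.0.2.44 GET /admin/config.asp 403
2002-06-27 13:50:09 192.0.2.44 POST /cgi-bin/upload.cgi 500
2002-06-27 13:51:12 198.51.100.7 GET /index.html 200
2002-06-27 13:52:30 192.0.2.44 GET /_private/ 403
"""

# Constructed "netstat -an" output in the Windows 2000 layout (not real).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:2465      203.0.113.5:6667       ESTABLISHED
  TCP    192.168.1.10:2465      203.0.113.9:6667       SYN_SENT
  TCP    192.168.1.10:1033      198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def suspicious_status_by_ip(text):
    """Count 403 and 5xx responses per client IP (Kit's web-log check)."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("sc-status", "").startswith(SUSPECT_STATUS_PREFIXES):
            counts[rec["c-ip"]] += 1
    return dict(counts)


def _port(s):
    """'6667' -> 6667; '*' or '0' style placeholders -> None."""
    return int(s) if s.isdigit() and int(s) > 0 else None


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        yield proto, lip, _port(lport), rip, _port(rport), state


def irc_connections(text):
    """Sessions to the IRC port; the local port is kept so a single source
    port reused across many sessions (the 2465 -> 6667 pattern) stands out."""
    return [(lip, lport, rip, state)
            for proto, lip, lport, rip, rport, state in parse_netstat(text)
            if rport == IRC_PORT]


def unexpected_listeners(text, approved):
    """Listening sockets whose local port is not in the approved baseline."""
    return sorted((proto, lport)
                  for proto, lip, lport, rip, rport, state in parse_netstat(text)
                  if (state == "LISTENING" or proto == "UDP")
                  and lport not in approved)


if __name__ == "__main__":
    print("403/5xx per client:", suspicious_status_by_ip(SAMPLE_W3C_LOG))
    print("IRC sessions:", irc_connections(SAMPLE_NETSTAT))
    # Assumed baseline: ftp, http, NetBIOS name service.
    print("unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT, {21, 80, 137}))
```

On a real host, feed `suspicious_status_by_ip` the contents of the IIS log directory and `parse_netstat` the captured output of `netstat -an`; the approved-port set should be whatever the server is actually meant to serve, so that anything else, including a listener planted by a bot, shows up as a difference.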
    



    This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 09:35:22 PDT