Security Basics mailing list archives

Re: Windows 2000 Server Attacks


From: Su Wadlow <swadlow () utdallas edu>
Date: Fri, 21 Feb 2003 10:14:15 -0600

--On Thursday, February 20, 2003 12:57 PM -0500 Paul Stewart <pauls () nexicom net> wrote:

We have no idea how this person has managed to gain some form of
access to these servers and are obviously quite concerned.

What services are the servers running?  Are the machines *fully*
patched?

We've had similar compromises to user systems using exploits for
Windows services.  In one case a cracker used an IIS unicode
exploit; in another, the machine was running the MSDE (installed
with Visio) and the entry point was apparently some kind of SQL
exploit.


The filename of the software that is responsible we believe to be
msudb32.exe

Look for the ServU daemon in the machines' list of services.  This
filename may simply be an attempt to hide the service's true name
and purpose.  I've seen the ServU FTP daemon renamed several
different things -- winmgnr.exe was one, and sys<something>.exe was
another.

If you find ServU running in the list of services, look for
ServUDaemon.ini and ServUStartUpLog.txt in (probably) the same
directory that you find the service's executable, and possibly in
a subdirectory where the warez are placed as well.  Oh, and if it
*is* there, you'll probably find that msudb32.exe is the filename
of the ServU service.


Does this ring a bell to anyone by chance?  A google shows only one
response via newsgroups and no remedy.

If it's ServU, you'll have to stop the service, delete its files and
then remove its registry entries.  Reboot.  Then you can delete the
warez, which could be trickier than it sounds.  You'll probably have
to take ownership of the files and folders before Windows will let
you delete them.

--
Su Wadlow
swadlow () utdallas edu
Faculty/Staff Support
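The detection and cleanup steps Su describes above (check the service list, look for ServUDaemon.ini and ServUStartUpLog.txt next to the service executable, stop the service, remove its registry entry, take ownership before deleting) can be scripted. The following PowerShell is an added example written for this archive, not code from the original thread or from the Serv-U product. It assumes a Windows host with PowerShell 5.1 or later, CIM access, and an administrative session; the file-name list comes from the thread (msudb32.exe, winmgnr.exe), and the version-info check is a heuristic assumption that a renamed binary often keeps its original version resource.

```powershell
# Added example: find Windows services whose executable looks like a renamed
# Serv-U FTP daemon, then (optionally) remove them the way the thread describes.
# Assumes: Windows, PowerShell 5.1+, run as Administrator. Not from the original post.

# Renamed Serv-U binaries mentioned in the thread, and Serv-U's own config/log files.
$SuspectExeNames = @('msudb32.exe', 'winmgnr.exe')
$ServUArtifacts  = @('ServUDaemon.ini', 'ServUStartUpLog.txt')

function Get-ServiceExecutablePath {
    # Win32_Service.PathName may be quoted, unquoted with arguments, or a svchost line.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }   # "C:\dir\x.exe" -args
    if ($PathName -match '^(.*?\.exe)')  { return $Matches[1] }   # C:\dir\x.exe -args
    return $PathName.Split(' ')[0]
}

function Find-ServUServices {
    [CmdletBinding()]
    param()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceExecutablePath -PathName $svc.PathName
        if (-not $exe) { continue }
        $dir     = Split-Path -Path $exe -Parent
        $reasons = @()

        if ($SuspectExeNames -contains (Split-Path -Path $exe -Leaf)) {
            $reasons += 'executable name matches a renamed Serv-U binary from the thread'
        }
        foreach ($f in $ServUArtifacts) {
            # The thread says the .ini and startup log sit beside the service executable.
            if (Test-Path -LiteralPath (Join-Path $dir $f)) { $reasons += "found $f beside service executable" }
        }
        if (Test-Path -LiteralPath $exe) {
            # Heuristic (assumption): renaming the .exe does not change its version resource.
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            if ("$($vi.ProductName) $($vi.FileDescription)" -match 'Serv-?U') {
                $reasons += 'version info mentions Serv-U'
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Path      = $exe
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

function Remove-ServUService {
    # Mirrors the thread's cleanup: stop the service, delete its registry entry,
    # then delete the daemon's own files. The warez tree is handled separately.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    $dir = Split-Path -Path $Path -Parent
    if ($PSCmdlet.ShouldProcess($Name, 'Stop and delete service')) {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        & sc.exe delete $Name | Out-Null   # removes HKLM\SYSTEM\CurrentControlSet\Services\<Name>
    }
    foreach ($f in @($Path) + ($ServUArtifacts | ForEach-Object { Join-Path $dir $_ })) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

function Remove-WarezTree {
    # Take ownership and grant Administrators full control before deleting,
    # since the thread notes Windows will refuse the delete otherwise.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path)
    if ($PSCmdlet.ShouldProcess($Path, 'Take ownership and delete tree')) {
        & takeown.exe /F $Path /R /D Y | Out-Null
        & icacls.exe $Path /grant Administrators:F /T | Out-Null
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
}

# Review the findings first; rehearse cleanup with -WhatIf before running it for real.
Find-ServUServices | Format-Table -AutoSize
# Find-ServUServices | ForEach-Object { Remove-ServUService -Name $_.Name -Path $_.Path -WhatIf }
# Remove-WarezTree -Path 'D:\path\to\warez\folder' -WhatIf   # placeholder path, supply your own
```

Run the detection part on its own first and check each hit by hand: a legitimate Serv-U install will also match, and the version-info heuristic can miss a binary whose resources were stripped. The removal functions support `-WhatIf` so the service stop, registry deletion, and ownership change can be previewed before anything is touched.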

