Full Version: 2003 Server Attack by Unknown Hacker, need help
justhink
Hi All,

Today 3 proxy servers at my workplace were attacked by some hacker. The servers run Windows 2003 Std Edition (Service Pack 2).

Attack details:

An account was created with administrative privilege, and when we checked, it was logged on with that account. The strange thing is that it shows as a built-in account. Also, an exe file called AutoSQL started scanning lots of public IPs; it looks like it is broadcasting.

The created account is hackp13$, and the event log shows the following successful logon.
CODE
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 551
Date:  25/04/2008
Time:  6:25:01 PM
User:  AFT-PROXY\hackp13$
Computer: AFT-PROXY
Description:
User initiated logoff:
  User Name: hackp13$
  Domain:  AFT-PROXY
  Logon ID:  (0x0,0x3b7fec)



After the initial shock, we scanned with Microsoft Baseline Security Analyzer; it showed 3 critical updates and 2 important updates required. The most interesting part is that while I was installing updates via Windows Update, the hacker suddenly took full control of my desktop, moving my mouse and keyboard, cancelled the update, then opened Internet Explorer and opened a site.

[Screenshots attached: Service Window, AutoSql, IP Scan]

Netstat 1
CODE
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\hackp13$>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    asdf:1047              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1048              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1050              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1051              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1052              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1053              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:1054              asdf:ms-sql-s          ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1047              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1048              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1050              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1051              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1052              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1053              ESTABLISHED
  TCP    asdf:ms-sql-s          asdf:1054              ESTABLISHED
  TCP    asdf:2602              asdf:7000              ESTABLISHED
  TCP    asdf:3103              asdf:7000              CLOSE_WAIT
  TCP    asdf:5001              asdf:1088              CLOSE_WAIT
  TCP    asdf:7000              asdf:2602              ESTABLISHED
  TCP    asdf:7000              asdf:3103              FIN_WAIT_2
  TCP    asdf:1637              222.76.64.57:8000      ESTABLISHED
  TCP    asdf:2603              207.46.110.40:http     ESTABLISHED
  TCP    asdf:8080              192.168.16.29:1529     ESTABLISHED
  TCP    asdf:8080              192.168.33.75:4849     TIME_WAIT
  TCP    asdf:8080              192.168.33.75:4854     TIME_WAIT
^C
C:\Documents and Settings\hackp13$>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1047         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1048         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1050         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1051         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1052         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1053         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1054         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1047         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1048         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1050         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1051         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1052         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1053         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1054         ESTABLISHED
  TCP    127.0.0.1:2602         127.0.0.1:7000         ESTABLISHED
  TCP    127.0.0.1:3175         127.0.0.1:7000         ESTABLISHED
  TCP    127.0.0.1:5001         127.0.0.1:1088         CLOSE_WAIT
  TCP    127.0.0.1:7000         127.0.0.1:2602         ESTABLISHED
  TCP    127.0.0.1:7000         127.0.0.1:3103         TIME_WAIT
  TCP    127.0.0.1:7000         127.0.0.1:3175         ESTABLISHED
  TCP    192.168.33.3:1637      222.76.64.57:8000      ESTABLISHED
  TCP    192.168.33.3:2603      207.46.110.40:80       ESTABLISHED
  TCP    192.168.33.3:3176      74.54.68.215:80        ESTABLISHED
  TCP    192.168.33.3:8080      192.168.16.29:1529     ESTABLISHED
  TCP    192.168.33.3:8080      192.168.33.75:4849     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.33.75:4854     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2778     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2779     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2780     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2782     ESTABLISHED
  TCP    192.168.33.3:8080      192.168.44.22:2783     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.44.22:2784     TIME_WAIT
  TCP    192.168.33.3:8080      192.168.90.60:1746     FIN_WAIT_2
  TCP    192.168.33.3:8080      192.168.90.60:1747     FIN_WAIT_2

C:\Documents and Settings\hackp13$>


Netstat 2
CODE
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\hackp13$>netstat -nr

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 11 11 5f 28 60 ...... Intel(R) PRO/1000 CT Network Connection
0x1000004 ...00 11 11 5f 28 62 ...... Intel(R) PRO/100 VE Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.33.154    192.168.33.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        172.0.0.0        255.0.0.0   192.168.33.154    192.168.33.3       1
     192.168.10.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.11.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.12.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.14.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.16.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.18.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.20.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.22.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.23.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.24.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.25.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.31.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.33.0    255.255.255.0     192.168.33.3    192.168.33.3       1
     192.168.33.3  255.255.255.255        127.0.0.1       127.0.0.1       1
   192.168.33.255  255.255.255.255     192.168.33.3    192.168.33.3       1
     192.168.36.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.37.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.38.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.39.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.44.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.45.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.60.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.61.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.64.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.65.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.66.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.67.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.68.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.70.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.80.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.88.0    255.255.255.0   192.168.33.154    192.168.33.3       1
     192.168.90.0    255.255.255.0   192.168.33.154    192.168.33.3       1
    192.168.100.0    255.255.255.0   192.168.33.154    192.168.33.3       1
    192.168.140.0    255.255.255.0   192.168.33.154    192.168.33.3       1
    192.168.171.0    255.255.255.0   192.168.33.154    192.168.33.3       1
        224.0.0.0        224.0.0.0     192.168.33.3    192.168.33.3       1
  255.255.255.255  255.255.255.255     192.168.33.3    192.168.33.3       1
Default Gateway:    192.168.33.154
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     192.168.22.0    255.255.255.0   192.168.33.154       1
     192.168.23.0    255.255.255.0   192.168.33.154       1
     192.168.11.0    255.255.255.0   192.168.33.154       1
     192.168.14.0    255.255.255.0   192.168.33.154       1
     192.168.24.0    255.255.255.0   192.168.33.154       1
     192.168.16.0    255.255.255.0   192.168.33.154       1
     192.168.12.0    255.255.255.0   192.168.33.154       1
     192.168.44.0    255.255.255.0   192.168.33.154       1
     192.168.45.0    255.255.255.0   192.168.33.154       1
     192.168.88.0    255.255.255.0   192.168.33.154       1
     192.168.38.0    255.255.255.0   192.168.33.154       1
     192.168.31.0    255.255.255.0   192.168.33.154       1
     192.168.37.0    255.255.255.0   192.168.33.154       1
     192.168.39.0    255.255.255.0   192.168.33.154       1
     192.168.36.0    255.255.255.0   192.168.33.154       1
    192.168.100.0    255.255.255.0   192.168.33.154       1
     192.168.20.0    255.255.255.0   192.168.33.154       1
     192.168.80.0    255.255.255.0   192.168.33.154       1
     192.168.10.0    255.255.255.0   192.168.33.154       1
    192.168.140.0    255.255.255.0   192.168.33.154       1
        172.0.0.0        255.0.0.0   192.168.33.154       1
     192.168.25.0    255.255.255.0   192.168.33.154       1
     192.168.90.0    255.255.255.0   192.168.33.154       1
     192.168.60.0    255.255.255.0   192.168.33.154       1
     192.168.61.0    255.255.255.0   192.168.33.154       1
     192.168.66.0    255.255.255.0   192.168.33.154       1
     192.168.67.0    255.255.255.0   192.168.33.154       1
     192.168.64.0    255.255.255.0   192.168.33.154       1
     192.168.65.0    255.255.255.0   192.168.33.154       1
     192.168.68.0    255.255.255.0   192.168.33.154       1
     192.168.70.0    255.255.255.0   192.168.33.154       1
     192.168.18.0    255.255.255.0   192.168.33.154       1
    192.168.171.0    255.255.255.0   192.168.33.154       1

C:\Documents and Settings\hackp13$>


We have a PIX in our workplace.
We have Trend Micro OfficeScan.
We are using Trend Micro Proxy Server.

Is there any new vulnerability in 2003 Server?

Please help....
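A small triage script, added here as an example and not part of the thread, that runs over a few lines of the `netstat -n` output above and flags what a defender looks at first: established sessions from the proxy to public IPs on non-web ports (the 222.76.64.57:8000 session) and loopback ports with many distinct peers (the cluster of connections to 1433, MS SQL Server). The baseline ports and the peer threshold are assumptions for this proxy, not facts from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the thread's `netstat -n` output on the
# compromised proxy (192.168.33.3); trimmed to a handful for the example.
SAMPLE = """\
  TCP    127.0.0.1:1047         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1048         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1047         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1048         ESTABLISHED
  TCP    127.0.0.1:2602         127.0.0.1:7000         ESTABLISHED
  TCP    127.0.0.1:7000         127.0.0.1:2602         ESTABLISHED
  TCP    192.168.33.3:1637      222.76.64.57:8000      ESTABLISHED
  TCP    192.168.33.3:2603      207.46.110.40:80       ESTABLISHED
  TCP    192.168.33.3:8080      192.168.16.29:1529     ESTABLISHED
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")

# Assumed baseline for this proxy: 8080 is its own listener, and 80/443 are the
# only remote ports it should be talking to on the public internet.
EXPECTED_LOCAL = {8080}
EXPECTED_REMOTE = {80, 443}

def parse(text):
    """Yield (proto, local_ip, local_port, foreign_ip, foreign_port, state) per row."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, la, lp, fa, fp, state = m.groups()
            yield proto, la, int(lp), fa, int(fp), state

def external_suspects(text):
    """Sessions to public IPs that are neither proxy client traffic nor plain web."""
    out = []
    for proto, la, lp, fa, fp, state in parse(text):
        if (ipaddress.ip_address(fa).is_global
                and lp not in EXPECTED_LOCAL and fp not in EXPECTED_REMOTE):
            out.append((f"{la}:{lp}", f"{fa}:{fp}", state))
    return out

def loopback_fan_in(text, threshold=2):
    """Loopback ports with >= threshold distinct peers: local services under heavy use."""
    peers = defaultdict(set)
    for proto, la, lp, fa, fp, state in parse(text):
        if ipaddress.ip_address(fa).is_loopback:
            peers[lp].add(fp)
    return {port: len(p) for port, p in peers.items() if len(p) >= threshold}
```

Run it against a full `netstat -n` capture from a suspect host; a public peer on an odd port and a local listener with a burst of fresh clients are the two rows to chase first.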
cluberti
Note that you can create a free security case with Microsoft support on this - if you're in the US or Canada, call (866) 727-2338. If you're elsewhere, try http://support.microsoft.com/common/international.aspx.

As to the hotfixes, the first thing I would do is download them on another machine, put them on something like a USB key, and then remove the infected server(s) from the network COMPLETELY and install any missing hotfixes. Next, do a FULL scan of the machine with a virus scanner. If it doesn't find anything, then consider those machines compromised (I'd do this first, but some people like to save servers for some reason) and rebuild offline.

Next thing to do is start actively monitoring any ingress and egress points from your network for suspicious activity (and make sure that your servers are fully patched, and enable the Windows Firewall and only open necessary ports if possible).
justhink
Thanks,
Added screenshots and netstat output.
cluberti
I've not seen that particular one before - looks like some sort of remote hack though. Again, I'd rebuild those boxes, but cleaning them offline might be sufficient if you can't afford the downtime associated with a rebuild (although, you'll never be sure they're completely clean without rebuilding...).
justhink
QUOTE (cluberti @ Apr 28 2008, 12:16 AM) *
I've not seen that particular one before - looks like some sort of remote hack though. Again, I'd rebuild those boxes, but cleaning them offline might be sufficient if you can't afford the downtime associated with a rebuild (although, you'll never be sure they're completely clean without rebuilding...).



System rebuild complete; rebuilt offline, then fully patched, and also blocked all direct internet access... Till now no more hacks.

If there is any new vulnerability in 2003 Server, then I am sure they will hack again, because our external IPs are the same.

Now we just have to wait until the next attack.

Thanks for your kind help..

JusThinK
cluberti
QUOTE (justhink @ Apr 28 2008, 12:06 AM) *
System rebuild complete; rebuilt offline, then fully patched, and also blocked all direct internet access... Till now no more hacks.

If there is any new vulnerability in 2003 Server, then I am sure they will hack again, because our external IPs are the same.

Now we just have to wait until the next attack.

Thanks for your kind help..

JusThinK

Are these proxy servers behind a firewall at all?
justhink
QUOTE (cluberti @ Apr 28 2008, 08:03 PM) *
Are these proxy servers behind a firewall at all?


Yes, all are behind a PIX firewall, but are allowed direct internet access using the ISP's DNS IP.
cluberti
QUOTE (justhink @ Apr 28 2008, 09:09 AM) *
Yes, all are behind a PIX firewall, but are allowed direct internet access using the ISP's DNS IP.
At this point, I'd make certain that NO ports are open to these INBOUND FROM the PIX firewall, and that only necessary ports for internet access are open OUTBOUND TO the PIX firewall as well. This should limit your exposure, although having a box fully patched (and potentially running antivirus software at the current moment) is a good thing too.

Good luck.
Redhatcc
Just my 2 cents: looks like an internal attack (port scanned), lol. But... that is just me.
Might want to probe the employees.