General discussion


Nimda? Hacker?

by reference

Not a typical Win2k question, but I thought I'd give it a shot!

I got a call from a customer this morning stating that they could not log on with the admin account. After further investigation I found two new users, both with admin rights, and that all other users that HAD admin rights now did not. More investigation shows a couple of files created after hours, and the existence of several tftp files that were created after hours AND infected with the Nimda virus. My question is this: does anyone know if the Nimda could have created these new users, and changed rights to existing users, and set itself up to transfer via ftp on this server, or should I be concerned that a hacker was in my system as well? Are there any tools that can help identify the presence of a hacker after the fact? Any ideas, advice, or suggestions will be greatly appreciated!!


Nimda? Hacker?

by Alpha-Male In reply to Nimda? Hacker?

You *definitely* have all the classic signs of hacker intrusion here. First things first...Isolate that machine from the LAN!!! Don't let the intrusion progress. Next, go to:

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

This will give you a means to change the admin password and get into the system. From there, I would begin forensic methods (with the help of a security expert if at all possible). I would also consider contacting the local authorities.

You should draw up an Intrusion Response policy. This article has very good information on that and the kind of steps you may want to take including levels of response, setting up a Security Incident Response Team (SIRT) etc.:

http://www.sans.org/newlook/resources/IDFAQ/deploy.htm

Also, a great resource for "what to do" is CERT's Intruder detection checklist:

http://www.cert.org/tech_tips/win_intruder_detection_checklist.html

Other sites to look at:

http://www.antionline.com/fight-back/
(basic but a starting place)

http://www.labmice.net/Security/default.htm
(lots of good reference material)

http://snort.sourcefire.com/
(great intrusion detection software)

http://packet-level.com
(excellent resource...and if you can get advice from Laura, I'd listen!)

http://www.insecure.org/

http://htcia.org/

Make sure to remove any spaces in the above URLs. Good Luck...hope this helps!

Nimda? Hacker?

by reference In reply to Nimda? Hacker?

Poster rated this answer


Nimda? Hacker?

by Joseph Moore In reply to Nimda? Hacker?

Ok, Nimda does transfer files over TFTP:

"The worm searches for Web servers using randomly generated IP addresses. Using the Unicode Web Traversal exploit, the worm copies itself to the Web server as admin.dll via TFTP. Infected machines create a listening TFTP server (port 69/UDP) to transfer copy of the worm."

The full SARC write up on Nimda is here:
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
(please remove any spaces)

It is possible for someone to exploit a Nimda-infected server and change passwords, set up user accounts, etc. Read the full write up for details.

Now, I would open the Event Viewer Security log and see if there is anything there (that is, providing the server was set up to audit things like Account Logon/Logoff for success and/or failure, as well as Account Management auditing). Hopefully, the server was auditing stuff. And hopefully, the logs are still there. Check them.

Also check the IIS server logs themselves (in the %windir%\system32\logfiles\w3svc1 folder). Look in the log file for last night (when this happened) to see what was going on. If you see pathing like this:

_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

Then that is a scan by Nimda. Nimda used the directory traversal bug in IIS to spread (calling CMD.EXE). Get the IP addresses this came from just before the date/time of the files that were TFTP'ed to you. Possibly, the IP in the logs that did the CMD call around the time of the file modify time on the files is the one that sent you Nimda.

Good luck
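The log check described in the post above, as an added example that is not part of the original thread or of any Nimda write-up: a small Python script that parses an IIS W3C extended log, flags the encoded-traversal and cmd.exe/root.exe requests Nimda leaves behind, and lists the client IPs that made such requests in the window just before a dropped file's modification time. The log text, the IP addresses, the timestamps and the field layout are all constructed for this example; real logs live in %windir%\system32\LogFiles\W3SVC1\ and may carry a different #Fields line, which the parser reads rather than assuming.

```python
import re
from datetime import datetime, timedelta

# Constructed IIS 5.0 W3C extended log (sample data, not from the thread).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-19 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-19 00:02:11 10.0.0.5 GET /default.htm - 200
2001-09-19 01:14:03 192.0.2.44 GET /scripts/root.exe /c+dir 404
2001-09-19 01:14:04 192.0.2.44 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-19 02:30:00 10.0.0.7 GET /index.htm - 200
2001-09-19 03:05:10 198.51.100.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-19 03:06:40 10.0.0.5 GET /images/logo.gif - 200
"""

# Encoded and raw forms of ".." traversal used in Nimda's IIS probes, plus the
# two executables those probes call. Matched against the lower-cased URI stem.
TRAVERSAL_RE = re.compile(
    r"\.\.(?:%5c|%2f|%c0%af|%c1%1c|%c1%9c|/|\\)|(?:cmd|root)\.exe"
)


def parse_iis_log(text):
    """Parse a W3C extended log into dicts keyed by the names in its #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log entry seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed rows rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def find_traversal_hits(records):
    """Return the records whose URI stem shows traversal or a cmd.exe/root.exe call.
    A 404 means the probe missed; a 200 on cmd.exe means the traversal worked."""
    return [r for r in records if TRAVERSAL_RE.search(r["cs-uri-stem"].lower())]


def suspects_before(hits, mtime, window_minutes=60):
    """Unique client IPs whose flagged requests fall in the window ending at mtime.
    mtime is 'YYYY-MM-DD HH:MM:SS', read off the dropped file's modify time."""
    end = datetime.strptime(mtime, "%Y-%m-%d %H:%M:%S")
    start = end - timedelta(minutes=window_minutes)
    ips = set()
    for rec in hits:
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if start <= when <= end:
            ips.add(rec["c-ip"])
    return sorted(ips)


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    hits = find_traversal_hits(recs)
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["sc-status"], h["cs-uri-stem"])
    # Pretend the tftp'ed files carry a modify time of 01:30 that night.
    print("candidates:", suspects_before(hits, "2001-09-19 01:30:00"))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and the mtime string with the timestamp Explorer shows on the dropped files; the status column is worth reading alongside the IP, because the traversal request that returned 200 is the one that actually reached cmd.exe.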


Nimda? Hacker?

by reference In reply to Nimda? Hacker?

Poster rated this answer


Nimda? Hacker?

by hjs In reply to Nimda? Hacker?

Alpha is correct. You have been hacked. Like he said, get that machine off your network. Somehow the hacker got either the admin password or the password of someone who had admin rights. Make all the people that had admin rights change their passwords.

Nimda? Hacker?

by reference In reply to Nimda? Hacker?

Poster rated this answer


Nimda? Hacker?

by reference In reply to Nimda? Hacker?

This question was closed by the author
