SamChangePasswordUser2 and Apache hack

By haagr
I work at a large university, and I've been having a lot of problems with hackers. I just had two machines broken into, and I need a way to fix them without reformatting (and ways to prevent future attacks):

1. A machine was attacked and has some sort of "bot" installed on it. I deleted the bot, but it keeps coming back. I found a file labeled PASSWD that showed an attempt to break user passwords with a program called SamChangePasswordUser2.

2. One of our servers was attacked, and a recently discovered hole in Apache was to blame.

Both machines are running Windows 2000.

Does anyone know how to fix either of these problems? Lots of tech points if you do!


SamChangePasswordUser2 and Apache hack

by MadMark In reply to SamChangePasswordUser2 an ...

Oh boy. What you have described here is pretty serious.

These systems have been compromised. The fact that you have found a file that details password information awaiting forwarding or retrieval AND a potential delivery method (that is usually what a "bot" does) would suggest that your entire network may be suspect.

I would NOT recommend that you put these systems back into production. The persistent little bot must be coming back from somewhere, via another program or by repeated breaches. Your best bet for this issue is to restore from backups dating back to BEFORE the breach occurred.

If it was _my_ LAN, or my customer's LAN, I'd be launching a proper investigation, tracing logs and looking for admin accounts and rootkits on all of the servers. I would pull these two servers as a start, back 'em up on brand new media to retain whatever evidence there is left, and then re-install the OS from scratch. Then restore data carefully from older backups.

Next step would be to run a vulnerability scan on everything, and then an organized hardening of all of the systems. Password changes all around, and scan again.

I would also use the backup I created of the compromised system in an isolated lab to glean what I can about how and when the breach occurred.

You may need the help of a security team or consultant. This is serious stuff.

If you want to stop it from happening again, you need to plan. You need a good policy set, a firewall, an IDS system and maybe even a honeynet. You need to monitor all of these things properly, and consistently.


SamChangePasswordUser2 and Apache hack

by haagr In reply to SamChangePasswordUser2 an ...

Poster rated this answer


SamChangePasswordUser2 and Apache hack

by Joseph Moore In reply to SamChangePasswordUser2 an ...

1) If you keep deleting the bot, and it keeps coming back, then it is hiding elsewhere in the Win2K box. I suggest you check the startup portion of the Registry to see if it has written itself there (it probably has). The easiest way to do that is to get MSCONFIG for Win2k:
http://www.insideproject.com/showguide.cfm?guideid=31
Download and install that. Then just run MSCONFIG from the Start -> Run line. Click the Startup tab. If you see something suspicious, uncheck it and reboot. After that, run a full anti-virus check. A lot of the anti-virus programs detect bots as virii. They really aren't virii, but you say potAto, I say potato!
Programs like NetBus, Sub7 and BackOrifice use bots on their own ports to control remote systems. I recommend you do a full port scan against this machine from the outside (do it across the Internet from your home) and see what ports come up. There are dozens of port scanners. One I like is SuperScan, from Foundstone. You can get it here:
http://www.foundstone.com/knowledge/proddesc/superscan.html
(please remove any spaces)

And yes, GET A FIREWALL NOW!!! Zone Labs makes ZoneAlarm. It is free, and good.
http://www.zonelabs.com/store/content/home.jsp


SamChangePasswordUser2 and Apache hack

by Joseph Moore In reply to SamChangePasswordUser2 an ...

2) I do not think you are being hacked! At least not according to what you are reporting is in the passwd.log file. Does it say this:

12/11 18:34:16 Attempting password change server/domain ********* for user TsInternetUser
12/11 18:34:16 SamChangePasswordUser2 on machine \\******** for user TsInternetUser returned 0xc0000022
12/11 18:34:16 SamChangePasswordUser2 retry on machine \\********* for user TsInternetUser returned 0xc0000022

This is, apparently, normal! If your log is reporting that the TsInternetUser account is trying to change from the SamChangePasswordUser2 function, then it might NOT be a hacker. The TsInternetUser account password is automatically changed every 24 hours. Technet article Q244057 talks about this. There is a bug in Win2k when this password for this account is automatically changed like this.
Basically, if your log states the TsInternetUser account is changing, that is ok. Ignore it.
Now, if other accounts are trying to be changed this same way, THEN that might indicate a problem, and it is probably related to the bot!
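As an added example (not code from the thread or from any poster), a small Python triage script for the passwd.log format quoted above: it parses each record and flags any account other than TsInternetUser, which is the distinction Joseph Moore draws between the documented Win2K behaviour and a real problem. The record layout is assumed from the lines in the post, hostnames are masked as they were there, and the "labuser" account in the sample is a constructed placeholder.

```python
import re
from collections import Counter

# Record layout assumed from the passwd.log lines quoted in the thread.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>Attempting password change|SamChangePasswordUser2(?: retry)?) "
    r"(?:server/domain|on machine) (?P<host>\S+) for user (?P<user>\S+)"
    r"(?: returned (?P<status>0x[0-9a-fA-F]+))?$"
)

# Per the thread (KB Q244057), TsInternetUser rotates its own password every
# 24 hours, so its failed SamChangePasswordUser2 calls are expected noise.
EXPECTED_USERS = {"tsinternetuser"}


def parse_passwd_log(text):
    """Parse passwd.log text into dicts; unparseable lines are kept, marked parsed=False."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        rec = m.groupdict() if m else {}
        rec.update(raw=line, parsed=m is not None)
        records.append(rec)
    return records


def triage(records):
    """Return (suspicious_users, change_attempts_per_user).

    Any account other than TsInternetUser appearing in these records is
    flagged, since that is what the thread says separates a real problem
    from the known Win2K behaviour.
    """
    counts, suspicious = Counter(), set()
    for rec in records:
        if not rec["parsed"]:
            continue
        if rec["event"] == "Attempting password change":
            counts[rec["user"]] += 1
        if rec["user"].lower() not in EXPECTED_USERS:
            suspicious.add(rec["user"])
    return sorted(suspicious), dict(counts)


# Constructed sample: the three lines quoted in the thread, plus a constructed
# burst against a local account "labuser" (placeholder name, not from the thread).
SAMPLE_LOG = """\
12/11 18:34:16 Attempting password change server/domain ********* for user TsInternetUser
12/11 18:34:16 SamChangePasswordUser2 on machine \\\\******** for user TsInternetUser returned 0xc0000022
12/11 18:34:16 SamChangePasswordUser2 retry on machine \\\\********* for user TsInternetUser returned 0xc0000022
12/11 22:01:03 Attempting password change server/domain ********* for user labuser
12/11 22:01:03 SamChangePasswordUser2 on machine \\\\******** for user labuser returned 0xc0000022
12/11 22:01:04 Attempting password change server/domain ********* for user labuser
12/11 22:01:04 SamChangePasswordUser2 on machine \\\\******** for user labuser returned 0xc0000022
"""

if __name__ == "__main__":
    users, counts = triage(parse_passwd_log(SAMPLE_LOG))
    print("accounts to investigate:", users)
    print("change attempts per account:", counts)
```

Running it on the sample reports labuser as the only account to investigate, with two change attempts against it versus the single expected TsInternetUser rotation.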


SamChangePasswordUser2 and Apache hack

by Joseph Moore In reply to SamChangePasswordUser2 an ...

Basically, you need to tighten up the security there.

Good luck.


SamChangePasswordUser2 and Apache hack

by Joseph Moore In reply to SamChangePasswordUser2 an ...

PS:
The URL to the Technet article is here:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q244057
(again, remove any spaces)


SamChangePasswordUser2 and Apache hack

by haagr In reply to SamChangePasswordUser2 an ...

Poster rated this answer


SamChangePasswordUser2 and Apache hack

by haagr In reply to SamChangePasswordUser2 an ...

It's not the Microsoft problem, because it's a local user, not TsInternetUser, that is being broken.

It also doesn't help that the client didn't have an administrator password on (not my fault, he changed it illegally).


SamChangePasswordUser2 and Apache hack

by haagr In reply to SamChangePasswordUser2 an ...

This question was closed by the author
