
2003 Server Attack by Unknown Hacker, need help, Proxy Server

Discussion in 'General Security' started by JusThinK, Apr 26, 2008.

Thread Status:
Not open for further replies.
  1. JusThinK

    JusThinK Thread Starter

    Joined:
    Apr 26, 2008
    Messages:
    2
    Hi All,

    Today 3 proxy servers in my workplace were attacked by some hacker. The servers are running Windows 2003 Std Edition (Service Pack 2).

    Attack Details,

    An account was created with administrative privilege, and when we checked, it was logged on with that account. The strange thing is, it's showing as a built-in account. Also, an exe file called AutoSQL started scanning lots of public IPs; it looks like it is broadcasting.

    The created account is hackp13$, and the event log is showing the following successful logon.
    Code:
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff 
    Event ID: 551
    Date:  25/04/2008
    Time:  6:25:01 PM
    User:  AFT-PROXY\hackp13$
    Computer: AFT-PROXY
    Description:
    User initiated logoff:
      User Name: hackp13$
      Domain:  AFT-PROXY
      Logon ID:  (0x0,0x3b7fec)

    After the initial shock, we scanned with Microsoft Baseline Security Analyzer; it's showing 3 critical updates and 2 important updates required. The most interesting part is that when I was installing updates via Windows Update, suddenly the hacker took full control of my desktop, moving my mouse and keyboard, cancelled the update, then opened Internet Explorer and opened a site.

    Service Window (screenshot)

    AutoSql (screenshot)

    IP Scan (screenshot)

    Netstat 1
    Code:
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.
    
    C:\Documents and Settings\hackp13$>netstat
    
    Active Connections
    
      Proto  Local Address		  Foreign Address		State
      TCP	asdf:1047			  asdf:ms-sql-s		  ESTABLISHED
      TCP	asdf:1048			  asdf:ms-sql-s		  ESTABLISHED
      TCP	asdf:1050			  asdf:ms-sql-s		  ESTABLISHED
      TCP	asdf:1051			  asdf:ms-sql-s		  ESTABLISHED
      TCP	asdf:1052			  asdf:ms-sql-s		  ESTABLISHED
      TCP	asdf:1053			  asdf:ms-sql-s		  ESTABLISHED
      TCP	asdf:1054			  asdf:ms-sql-s		  ESTABLISHED
      TCP	asdf:ms-sql-s		  asdf:1047			  ESTABLISHED
      TCP	asdf:ms-sql-s		  asdf:1048			  ESTABLISHED
      TCP	asdf:ms-sql-s		  asdf:1050			  ESTABLISHED
      TCP	asdf:ms-sql-s		  asdf:1051			  ESTABLISHED
      TCP	asdf:ms-sql-s		  asdf:1052			  ESTABLISHED
      TCP	asdf:ms-sql-s		  asdf:1053			  ESTABLISHED
      TCP	asdf:ms-sql-s		  asdf:1054			  ESTABLISHED
      TCP	asdf:2602			  asdf:7000			  ESTABLISHED
      TCP	asdf:3103			  asdf:7000			  CLOSE_WAIT
      TCP	asdf:5001			  asdf:1088			  CLOSE_WAIT
      TCP	asdf:7000			  asdf:2602			  ESTABLISHED
      TCP	asdf:7000			  asdf:3103			  FIN_WAIT_2
      TCP	asdf:1637			  222.76.64.57:8000	  ESTABLISHED
      TCP	asdf:2603			  207.46.110.40:http	 ESTABLISHED
      TCP	asdf:8080			  192.168.16.29:1529	 ESTABLISHED
      TCP	asdf:8080			  192.168.33.75:4849	 TIME_WAIT
      TCP	asdf:8080			  192.168.33.75:4854	 TIME_WAIT
    ^C
    C:\Documents and Settings\hackp13$>netstat -n
    
    Active Connections
    
      Proto  Local Address		  Foreign Address		State
      TCP	127.0.0.1:1047		 127.0.0.1:1433		 ESTABLISHED
      TCP	127.0.0.1:1048		 127.0.0.1:1433		 ESTABLISHED
      TCP	127.0.0.1:1050		 127.0.0.1:1433		 ESTABLISHED
      TCP	127.0.0.1:1051		 127.0.0.1:1433		 ESTABLISHED
      TCP	127.0.0.1:1052		 127.0.0.1:1433		 ESTABLISHED
      TCP	127.0.0.1:1053		 127.0.0.1:1433		 ESTABLISHED
      TCP	127.0.0.1:1054		 127.0.0.1:1433		 ESTABLISHED
      TCP	127.0.0.1:1433		 127.0.0.1:1047		 ESTABLISHED
      TCP	127.0.0.1:1433		 127.0.0.1:1048		 ESTABLISHED
      TCP	127.0.0.1:1433		 127.0.0.1:1050		 ESTABLISHED
      TCP	127.0.0.1:1433		 127.0.0.1:1051		 ESTABLISHED
      TCP	127.0.0.1:1433		 127.0.0.1:1052		 ESTABLISHED
      TCP	127.0.0.1:1433		 127.0.0.1:1053		 ESTABLISHED
      TCP	127.0.0.1:1433		 127.0.0.1:1054		 ESTABLISHED
      TCP	127.0.0.1:2602		 127.0.0.1:7000		 ESTABLISHED
      TCP	127.0.0.1:3175		 127.0.0.1:7000		 ESTABLISHED
      TCP	127.0.0.1:5001		 127.0.0.1:1088		 CLOSE_WAIT
      TCP	127.0.0.1:7000		 127.0.0.1:2602		 ESTABLISHED
      TCP	127.0.0.1:7000		 127.0.0.1:3103		 TIME_WAIT
      TCP	127.0.0.1:7000		 127.0.0.1:3175		 ESTABLISHED
      TCP	192.168.33.3:1637	  222.76.64.57:8000	  ESTABLISHED
      TCP	192.168.33.3:2603	  207.46.110.40:80	   ESTABLISHED
      TCP	192.168.33.3:3176	  74.54.68.215:80		ESTABLISHED
      TCP	192.168.33.3:8080	  192.168.16.29:1529	 ESTABLISHED
      TCP	192.168.33.3:8080	  192.168.33.75:4849	 TIME_WAIT
      TCP	192.168.33.3:8080	  192.168.33.75:4854	 TIME_WAIT
      TCP	192.168.33.3:8080	  192.168.44.22:2778	 TIME_WAIT
      TCP	192.168.33.3:8080	  192.168.44.22:2779	 TIME_WAIT
      TCP	192.168.33.3:8080	  192.168.44.22:2780	 TIME_WAIT
      TCP	192.168.33.3:8080	  192.168.44.22:2782	 ESTABLISHED
      TCP	192.168.33.3:8080	  192.168.44.22:2783	 TIME_WAIT
      TCP	192.168.33.3:8080	  192.168.44.22:2784	 TIME_WAIT
      TCP	192.168.33.3:8080	  192.168.90.60:1746	 FIN_WAIT_2
      TCP	192.168.33.3:8080	  192.168.90.60:1747	 FIN_WAIT_2
    
    C:\Documents and Settings\hackp13$>
    Netstat 2
    Code:
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.
    
    C:\Documents and Settings\hackp13$>netstat -nr
    
    Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x1000003 ...00 11 11 5f 28 60 ...... Intel(R) PRO/1000 CT Network Connection
    0x1000004 ...00 11 11 5f 28 62 ...... Intel(R) PRO/100 VE Network Connection
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination		Netmask		  Gateway	   Interface  Metric
    		  0.0.0.0		  0.0.0.0   192.168.33.154	192.168.33.3	   1
    		127.0.0.0		255.0.0.0		127.0.0.1	   127.0.0.1	   1
    		172.0.0.0		255.0.0.0   192.168.33.154	192.168.33.3	   1
    	 192.168.10.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.11.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.12.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.14.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.16.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.18.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.20.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.22.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.23.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.24.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.25.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.31.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.33.0	255.255.255.0	 192.168.33.3	192.168.33.3	   1
    	 192.168.33.3  255.255.255.255		127.0.0.1	   127.0.0.1	   1
       192.168.33.255  255.255.255.255	 192.168.33.3	192.168.33.3	   1
    	 192.168.36.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.37.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.38.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.39.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.44.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.45.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.60.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.61.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.64.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.65.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.66.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.67.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.68.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.70.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.80.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.88.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	 192.168.90.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	192.168.100.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	192.168.140.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    	192.168.171.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
    		224.0.0.0		224.0.0.0	 192.168.33.3	192.168.33.3	   1
      255.255.255.255  255.255.255.255	 192.168.33.3	192.168.33.3	   1
    Default Gateway:	192.168.33.154
    ===========================================================================
    Persistent Routes:
      Network Address		  Netmask  Gateway Address  Metric
    	 192.168.22.0	255.255.255.0   192.168.33.154	   1
    	 192.168.23.0	255.255.255.0   192.168.33.154	   1
    	 192.168.11.0	255.255.255.0   192.168.33.154	   1
    	 192.168.14.0	255.255.255.0   192.168.33.154	   1
    	 192.168.24.0	255.255.255.0   192.168.33.154	   1
    	 192.168.16.0	255.255.255.0   192.168.33.154	   1
    	 192.168.12.0	255.255.255.0   192.168.33.154	   1
    	 192.168.44.0	255.255.255.0   192.168.33.154	   1
    	 192.168.45.0	255.255.255.0   192.168.33.154	   1
    	 192.168.88.0	255.255.255.0   192.168.33.154	   1
    	 192.168.38.0	255.255.255.0   192.168.33.154	   1
    	 192.168.31.0	255.255.255.0   192.168.33.154	   1
    	 192.168.37.0	255.255.255.0   192.168.33.154	   1
    	 192.168.39.0	255.255.255.0   192.168.33.154	   1
    	 192.168.36.0	255.255.255.0   192.168.33.154	   1
    	192.168.100.0	255.255.255.0   192.168.33.154	   1
    	 192.168.20.0	255.255.255.0   192.168.33.154	   1
    	 192.168.80.0	255.255.255.0   192.168.33.154	   1
    	 192.168.10.0	255.255.255.0   192.168.33.154	   1
    	192.168.140.0	255.255.255.0   192.168.33.154	   1
    		172.0.0.0		255.0.0.0   192.168.33.154	   1
    	 192.168.25.0	255.255.255.0   192.168.33.154	   1
    	 192.168.90.0	255.255.255.0   192.168.33.154	   1
    	 192.168.60.0	255.255.255.0   192.168.33.154	   1
    	 192.168.61.0	255.255.255.0   192.168.33.154	   1
    	 192.168.66.0	255.255.255.0   192.168.33.154	   1
    	 192.168.67.0	255.255.255.0   192.168.33.154	   1
    	 192.168.64.0	255.255.255.0   192.168.33.154	   1
    	 192.168.65.0	255.255.255.0   192.168.33.154	   1
    	 192.168.68.0	255.255.255.0   192.168.33.154	   1
    	 192.168.70.0	255.255.255.0   192.168.33.154	   1
    	 192.168.18.0	255.255.255.0   192.168.33.154	   1
    	192.168.171.0	255.255.255.0   192.168.33.154	   1
    
    C:\Documents and Settings\hackp13$>
    We have a PIX in our workplace.
    We have Trend Micro OfficeScan.
    We are using Trend Micro Proxy Server.

    Is there any new vulnerability on 2003 Server?



    Please help, it's urgent.
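The two indicators in the post that a responder would want to pull out of a `netstat -n` dump and the event log are the outbound session to a public address on a non-web port and the loopback connections to MSSQL (1433). The following triage script is an added example, not the poster's or the forum's own code; the sample netstat lines are constructed in the same layout as the post, and the set of ports a web proxy is expected to reach on the Internet (80 and 443) is an assumption.

```python
import ipaddress
import re

# Constructed sample in the layout of the poster's `netstat -n` output (not the full dump).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1047         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1047         ESTABLISHED
  TCP    192.168.33.3:1637      222.76.64.57:8000      ESTABLISHED
  TCP    192.168.33.3:2603      207.46.110.40:80       ESTABLISHED
  TCP    192.168.33.3:8080      192.168.16.29:1529     ESTABLISHED
"""

# Assumption: a web proxy only talks to the Internet on HTTP/HTTPS.
EXPECTED_OUTBOUND_PORTS = {80, 443}
LOCAL_SQL_PORT = 1433  # ms-sql-s, as seen in the post's loopback sessions

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Parse `netstat -n` style lines into dicts; header/blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        conns.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                      "faddr": faddr, "fport": int(fport), "state": state})
    return conns


def triage(conns):
    """Return (finding, detail) pairs for the patterns seen in the post."""
    findings = []
    for c in conns:
        # 1. Session to a public (non-RFC1918) address on a port the proxy should not use.
        if ipaddress.ip_address(c["faddr"]).is_global and c["fport"] not in EXPECTED_OUTBOUND_PORTS:
            findings.append(("unexpected-egress", f'{c["faddr"]}:{c["fport"]}'))
    # 2. Loopback client sessions into the local MSSQL listener (a scanner feeding its own DB).
    sql_local = [c for c in conns if c["laddr"] == "127.0.0.1" and c["fport"] == LOCAL_SQL_PORT]
    if sql_local:
        findings.append(("loopback-mssql", str(len(sql_local))))
    return findings


def suspicious_account(user, computer):
    """Names ending in '$' normally belong to the machine account (COMPUTER$); any other is a red flag."""
    return user.endswith("$") and user[:-1].upper() != computer.upper()
```

Run the parser over the real dump and the account check over the `User:` field of each 4624/551-style security event to turn the post's screenshots into a reviewable list of findings.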
     
  2. JusThinK

    JusThinK Thread Starter

    Joined:
    Apr 26, 2008
    Messages:
    2
    For instant recovery, we reformatted our servers, changed their passwords, and fully patched them with Windows Update. Until now, no further attack.

    Any help would be great.
     

Short URL to this thread: https://techguy.org/707393