Fully Patched fresh Windows 2003 with PLESK 7.5.6 Compromised again in 30 minutes after a CLEAN rebuild
here is How attack occurs
first we observe service.dll Nadeware.msi in system32 folder and
a clone of srv-u FTP had run.
then we observe an account named help added to administrators group !
we also found C:Program FilesJavaj2re1.4.2_05 this was not There! but uploaded somehow
and then deleted
this thing is weird since after each rebuild i did an ACL fix for following files ,
before bringing any service online, during rebuild and reconfiguration none of the
services was active (all ports were closed)
explorer.exe, regedit.exe, poledit.exe, taskman.exe, at.exe, cacls.exe, cmd.exe,
finger.exe, ftp.exe, nbstat.exe, net.exe, net1.exe, netsh.exe, rcp.exe, regedt32.exe,
regini.exe, regsvr32.exe, rexec.exe, rsh.exe, runas.exe, runonce.exe, svrmgr.exe, sysedit.exe,
telnet.exe, tftp.exe, tracert.exe, usrmgr.exe, wscript.exe, cscript.exe, exetobin.exe and xcopy.exe
where those files are only accessible by only "Administrator"
Wscript.Shell , Wscript.Shell.1 , Wscript.Network Wscript.Network.1 removed.
And all critical folders were properly configured
where those directories are only accessible by only "System" and "Administrator".
Can someone (with high .NET security knowledge) clarify how such an attack occured and what precautions should be taken to prevent it from happening again?
March 7, 2006 12:28 PM
March 16, 2006 6:34 AM