Explanation & remedy for Web-based Attack

Tags: Access control, Application security, backdoors, Browsers, configuration, Current threats, Database, Encryption, filtering, Firewalls, Forensics, Hacking, human factors, Incident response, Instant Messaging, Intrusion management, Microsoft Exchange, Network security, patching, PEN testing, Platform Security, Secure Coding, Security, Servers, Spyware, SSL/TLS, Trojans, Viruses, VPN, vulnerability management, Web security, Wireless, worms
Fully patched fresh Windows 2003 with PLESK 7.5.6, compromised again 30 minutes after a CLEAN rebuild. Here is how the attack occurs:

First we observed service.dll and Nadeware.msi in the system32 folder, and a clone of Serv-U FTP had run. Then we observed an account named "help" added to the Administrators group! We also found C:\Program Files\Java\j2re1.4.2_05; this was not there, but was uploaded somehow and then deleted.

This is weird, since after each rebuild I did an ACL fix for the following files before bringing any service online; during rebuild and reconfiguration none of the services was active (all ports were closed):

explorer.exe, regedit.exe, poledit.exe, taskman.exe, at.exe, cacls.exe, cmd.exe, finger.exe, ftp.exe, nbstat.exe, net.exe, net1.exe, netsh.exe, rcp.exe, regedt32.exe, regini.exe, regsvr32.exe, rexec.exe, rsh.exe, runas.exe, runonce.exe, svrmgr.exe, sysedit.exe, telnet.exe, tftp.exe, tracert.exe, usrmgr.exe, wscript.exe, cscript.exe, exetobin.exe and xcopy.exe

Those files are accessible only by "Administrator". Wscript.Shell, Wscript.Shell.1, Wscript.Network and Wscript.Network.1 were removed. And all critical folders were properly configured so that those directories are accessible only by "System" and "Administrator".

Can someone (with high .NET security knowledge) clarify how such an attack occurred and what precautions should be taken to prevent it from happening again?

Answer Wiki


Is your machine open to the Internet? What protections do you load onto it? How is it firewalled? In short, what kind of access is available?

An unprotected machine facing the Internet can become infected in 15 minutes according to reports I have read. You need to provide protections to avoid this from happening.

Firewall the machine, opening only the ports needed for the type of machine it is intended to be. If FTP is to be offered, consider how to handle the write option carefully.

A good anti-virus software also helps to protect the machine.

If your machine does not have access to the Internet, but is on a network, you have bigger problems because the attacks are coming from within your own network. You'll need to root this stuff out of the network, even if it means checking each machine in the network. All network access for all machines should be blocked until the culprit machine or machines are found.

\Steve//

Discuss This Question: 1  Reply

  • Kinsden
    The best remedy for this is to get rid of Plesk, as it is native to and MORE friendly with Unix than Windows. My clients have had a couple of web servers using the Plesk control panel and all of them, at some point in time, were breached. Since then, they have moved to HELM, which is much better (at least it WAS made for Windows).
    * Also, if you are using a software-based firewall on the server, I would recommend using a hardware f/w, as the intruder/cracker would have to cross that first in order to reach your server(s). A software f/w residing on the server brings the cracker closer to the server, even though the firewall creates a shield around the base OS.
    * Deploy a good AV and anti-Trojan product. Remember an AV product won't ALWAYS detect a Trojan. And to make matters worse, most of the modern Trojan detectors are unable to detect rootkits :(
    * Try to run the 3rd-party application services under a service account rather than Local System or Administrator.
    * Set the most restrictive permissions on the folders.
    * Don't keep the admin account logged onto the server; use a non-admin account for doing tasks on the server with the help of secondary logon.
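A defender's audit for the hardened baseline described in the question and the restrictive-permissions and non-admin-account advice in the comment above, as an added example that is not from the original thread: it checks the listed System32 executables for Allow entries granted to anyone other than Administrators and SYSTEM, lists members of the local Administrators group beyond an expected baseline, tests for the dropped files the poster named, and checks whether the removed WScript COM classes have been registered again. It assumes Windows PowerShell on the affected server; the expected-admins list is a constructed placeholder.

```powershell
# Added audit script, not from the original thread. Assumes Windows PowerShell on the
# affected server; the executable list, COM classes and indicators come from the question,
# the expected-admins baseline is a constructed placeholder to adjust per server.
$ErrorActionPreference = 'Stop'
$sys32 = Join-Path $env:SystemRoot 'System32'
$findings = @()

# Executables the poster restricted to Administrators (list taken from the question).
$lockedDown = @('explorer.exe','regedit.exe','poledit.exe','taskman.exe','at.exe','cacls.exe',
    'cmd.exe','finger.exe','ftp.exe','nbstat.exe','net.exe','net1.exe','netsh.exe','rcp.exe',
    'regedt32.exe','regini.exe','regsvr32.exe','rexec.exe','rsh.exe','runas.exe','runonce.exe',
    'svrmgr.exe','sysedit.exe','telnet.exe','tftp.exe','tracert.exe','usrmgr.exe','wscript.exe',
    'cscript.exe','exetobin.exe','xcopy.exe')
# Principals that may legitimately hold access on those binaries.
$allowedSids = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM

# 1. ACL drift: any Allow entry for a principal outside the allowed set.
foreach ($name in $lockedDown) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { continue }       # not every binary exists on every build
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($allowedSids -notcontains $sid) {
            $findings += "ACL drift: $name grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }
}

# 2. Unexpected local administrators (the poster found an added account named "help").
$expectedAdmins = @('Administrator')              # constructed baseline; adjust to your server
$group = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
foreach ($m in $members) {
    if ($expectedAdmins -notcontains $m) { $findings += "Unexpected member of Administrators: $m" }
}

# 3. Artifacts named in the question: dropped files in System32 and the stray JRE folder.
foreach ($p in @((Join-Path $sys32 'service.dll'), (Join-Path $sys32 'Nadeware.msi'),
                 'C:\Program Files\Java\j2re1.4.2_05')) {
    if (Test-Path $p) { $findings += "Indicator present: $p" }
}
# 4. WScript COM classes the poster removed; finding them registered again means the fix was undone.
foreach ($cls in 'Wscript.Shell','Wscript.Shell.1','Wscript.Network','Wscript.Network.1') {
    if (Test-Path "Registry::HKEY_CLASSES_ROOT\$cls") { $findings += "COM class registered: $cls" }
}
if ($findings.Count -eq 0) { 'No deviations from the hardened baseline found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated session right after the rebuild to record a clean result, then again on a schedule; a warning from any of the four checks indicates the hardening has been undone and the box should be treated as compromised again rather than patched in place.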
