Thread: 18 Boxes Compromised
06-24-2005, 03:18 AM #1 InternetArmy (Guest)
18 Boxes Compromised
I spent most of my day today patching up Windows boxes. Seems like a warez crew infiltrated 18 of our Windows boxes. All the boxes had the latest service packs and had all the latest security fixes. They got file access to the box through some security vulnerability somewhere and set up an FTP server and loaded the boxes all up with warez.
Good thing was they didn't load any rootkits onto the boxes or anything. So we were able to find the modifications rather easily and secure the servers. Funny thing is, some of our boxes were taken as early as April without us noticing. Multiple data center locations too: Virginia, Texas, New York and California.
We are finding out that a lot of other people have been exploited as well. If you have any Windows 2003 servers, make sure you firewall them. Otherwise you are vulnerable even with all the latest patches and service packs.
The crew specifically loads their warez into the following location:
The directory path won't be visible unless you go directly to the path.
In addition, they load up a few files in the system32 directory.
There are also some misc .ini and log files that Serv-U FTP generates too. Basically the crew doesn't want to hurt your server because they want to go undetected so they can leech your bandwidth. We got rid of them by simply removing their running processes and deleting the files and all the warez they loaded up. Then we had to firewall all the boxes to lock all the OS ports other than the necessary ones the boxes were being used for.
Lesson learned... don't leave a Windows box without a firewall, even if it is solid with updates.
Anyway, I thought I would share because we are finding a lot of other people infected as well.
07-12-2005, 06:07 AM #2 TheNetCode (Guest)
Why people do that is beyond belief. It is unthinkable to me that someone would do such a thing, but as we know they do worse than this if they can. Good luck with trying to get your servers back up and running smoothly. I hope they do not make another attack on you.
07-19-2005, 09:43 PM #3 barko (Guest)
Originally Posted by InternetArmy
Any bozo that runs a Win server (or any server, for that matter) without a firewall is nothing short of plain stupid.
07-23-2005, 12:32 AM #4
That's pretty harsh, been a while since I've seen that many servers compromised! Should have safer security on there =/
07-23-2005, 05:57 AM #5 RajHuntab (Guest)
I would make sure you install a firewall now; they might have root access anyhow, but you just didn't even know.
07-26-2005, 10:00 PM #6
I know all about these warez groups. They are called "FXP teams" and they spread warez around the internet by copying illegal files from one FTP server to another (FXP'ing). They are mostly scriptkiddies and are hated by the real "warez people" (rls'rs, also called the release scene). Those scriptkiddies store files in those directories because they are hard to find. They mostly use a rootkit containing "Serv-U" and name them like processes (such as svchost.exe) that are not easy to find. There are a lot of svchost.exe's running on each Windows box and killing the wrong one will kill your server...
These FXP people are not real hackers; they use existing exploits or autohackers to hack into your machine. The best way to get rid of them is to install Anti-Virus and Firewall applications. Of course, updating your box is ALWAYS REQUIRED when running Windows servers. As they mostly use Serv-U, you might write a script that scans for Serv-U configuration files (mostly they are hidden by giving them a .dll extension).
Popular methods to hack a Windows server are:
RPC DCOM (port 135, blocking this port with a firewall is a VERY GOOD IDEA!!!)
IIS (several exploits, on port 80 and also the SSL port)
WebDav (same port as IIS)
These are old. I'm not really following this scene anymore too much to find out which exploits they are using lately...
I hope this information will help people to track scriptkiddies.
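The post above suggests scripting a scan for FTP daemon configuration files that have been renamed with a .dll extension. The following is an added example, not code from the thread or from any of its posters, showing one defensive way to do that: a genuine Windows DLL is a PE image and starts with the two-byte "MZ" signature, so any .dll whose contents are plain INI-style text ([section] headers and key=value lines) is not a library at all and deserves a look. The sample directory tree it builds (a fake PE stub, a renamed INI file, a harmless text file) is constructed for the demonstration; the INI contents are illustrative, not a real Serv-U configuration.

```python
"""Find text files masquerading as DLLs under a directory tree.

Heuristic: real DLLs are PE images beginning with b"MZ". A .dll file whose
bytes are printable text that parses as an INI file is flagged as "ini-text";
other non-PE text is flagged as "text"; anything else non-PE is "unknown".
"""
import os
import re
import tempfile

PE_MAGIC = b"MZ"
# Bytes we accept as "text": printable ASCII plus tab, LF and CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
SECTION_RE = re.compile(rb"^\s*\[[^\]\r\n]+\]\s*$", re.M)
KEYVAL_RE = re.compile(rb"^\s*[A-Za-z0-9_.\-]+\s*=", re.M)


def is_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace."""
    return bool(data) and all(b in TEXT_BYTES for b in data)


def classify_dll(path: str, sample_size: int = 4096) -> str:
    """Classify a .dll by its leading bytes: 'pe', 'ini-text', 'text' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(PE_MAGIC):
        return "pe"
    if is_text(head):
        if SECTION_RE.search(head) and KEYVAL_RE.search(head):
            return "ini-text"
        return "text"
    return "unknown"


def scan_tree(root: str) -> list:
    """Walk root and return (path, verdict) for every .dll that is not a PE image."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".dll"):
                path = os.path.join(dirpath, name)
                verdict = classify_dll(path)
                if verdict != "pe":
                    findings.append((path, verdict))
    return sorted(findings)


def build_sample_tree() -> dict:
    """Create a constructed sample tree in a temp dir and return its paths.

    The INI text is made up for the demo; it is not a real Serv-U config.
    """
    root = tempfile.mkdtemp(prefix="dllscan_")
    hidden_dir = os.path.join(root, "system32", "drivers", "etc")
    os.makedirs(hidden_dir)
    paths = {"root": root}

    # A minimal PE-like stub: MZ header followed by padding.
    paths["real_dll"] = os.path.join(root, "system32", "legit.dll")
    with open(paths["real_dll"], "wb") as fh:
        fh.write(PE_MAGIC + b"\x90" * 62 + b"\x00" * 200)

    # An INI file renamed to .dll, the pattern the post describes.
    paths["fake_dll"] = os.path.join(hidden_dir, "ServUDaemon.dll")
    with open(paths["fake_dll"], "wb") as fh:
        fh.write(b"[GLOBAL]\r\nPortNo=21\r\nLogFile=srv.log\r\n"
                 b"[Domain1]\r\nUser1=ftpuser\r\n")

    # A harmless text file with a non-.dll extension, which is never examined.
    paths["readme"] = os.path.join(root, "readme.txt")
    with open(paths["readme"], "wb") as fh:
        fh.write(b"[GLOBAL]\r\nnot_a_dll=1\r\n")
    return paths


if __name__ == "__main__":
    sample = build_sample_tree()
    for found_path, found_verdict in scan_tree(sample["root"]):
        print(f"{found_verdict:9s} {found_path}")
```

The first 4 KiB is enough to decide, so the scan stays cheap even across a large volume; treat an "ini-text" hit as a lead to inspect by hand, since legitimate software rarely ships plain text under a .dll name.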
02-10-2006, 08:57 PM #7 digitalservers (Guest)
Were all these servers used for web hosting purpose where many clients have access to ftp accounts, etc? Or were they your personal hosting servers for your company?
02-24-2006, 11:48 PM #8
That is too bad. Hopefully all that is worked out now. Luckily we have mostly Linux boxes.
02-28-2006, 06:27 AM #9
I still don't get why people hack boxes. Don't they have something better to do than waste our money?