Newell White
"John Kotuby" wrote:

> Hi all,
>
> Note: this is cross-posted on the Server.Security group but there is little action there.
>
> We lease a non-managed Web Server running AV software but no IDS. It is Windows 2003 STD which receives automatic nightly Windows Security patches at 3AM.
>
> When I logged into the RDP console on Monday I saw what looked like password-cracking software running with the name at the top of the window E-Security. It looks like it had gone through 69,914,496 permutations already.
>
> Apparently somebody hacked in through a nearly wide open front door, Remote Desktop on a standard port. Also installed were 2 network packet sniffing programs PacketX and WinPcap.
> I went into Task Manager and killed a program I did not recognize, netman24.exe. I killed it and also saw about 12 instances of CheckingThread.exe disappear.
>
> I did not want to click the Close button in the program because who knows what that might have done.
>
> Looking in Services, right under Network Connections there were 3 other similar services all claiming to be Microsoft.
> Network Connections 24
> Network Connections 32
> Network Connections 64
>
> Doing a search on Microsoft for netman24.exe brought up nothing.
> Doing a similar search on Google brought up nothing.
> Same for Symantec.
>
> I changed the Startup Option on Network Connections 24 from Automatic to Manual. I have not gotten rid of those services or programs yet in case they are valid.
>
> Maybe the connection between netman24.exe being killed and CheckingThread.exe instances disappearing was coincidental but I don't think so.
>
> Anyone else seen anything like this or recognize these programs as valid? I have not yet removed them from the server.
>
> I have since made some changes to re-secure the server. I need to learn how to quickly set up VPN access using only a remote connection...such that I can configure it first and then still have access to the desktop after it is activated, if that is possible. I don't need an article steeped in theory and we are not talking active directory, just a standalone Win2003 STD remote server. So I am looking for a setup that uses only 1 server for both VPN and Remote Desktop Access. If someone can point me to such an article or tutorial I will be grateful. I am a software developer under a very tight schedule, not a trained server manager.
>
> Thanks for any input...
>
> --
> "Building a better mouse trap doesn't necessarily make it better for the mouse."

Can't help you on VPN, but two steps you have probably already taken are:

1) Don't allow built-in Administrator accounts to use Remote Desktop or Terminal Services. Create an administrator-privileged account with an arbitrary name and strong password to access the server in this way.

2) Use Admin Tools, Local Security Settings, Account Lockout Policy to lock out for 30 mins after 7 login failures.

--
Regards,
Newell White
John Kotuby
Big thanks on the response Newell!
I will apply your suggestions immediately.
Maybe I will create 2 Login Accounts with Admin/RDP privileges, just in case one of them gets locked out.
For some reason I thought that Local Machine policy already defaulted to lockouts after 3 tries. Obviously that is not the case after what I have experienced.
Newell White
I would be surprised if default local security policy was wide open.
The villain may not be trying to log in - could be trying to establish credentials for a scheduled task or a service - rename the task/service after each failure and this might reset the lockout count.

What does Event Viewer reveal in the Security log?
--
Newell White
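The two things Newell asks for, a lockout policy (7 failures, 30 minutes, from his first reply) and a look at the Security log (this reply), can be worked through together. The following is an added example, not code from the thread or from anyone in it: it parses a constructed CSV-style export of a Windows Server 2003 Security log (event ID 529 = logon failure, bad user name or password; 539 = account locked out; 528/540 = successful logon; logon type 10 = Terminal Services), counts failures per account and source, flags a success that follows failures from the same source, and replays the log under the lockout policy to show which accounts it would actually have protected. The accounts, times and addresses are made up, and the lockout model (count resets after the window or on a good logon) is stated as an assumption in the code.

```python
"""Failed-logon triage and account-lockout replay for a Windows Server 2003
Security log. Added example; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = {529, 539}     # 529 bad user name/password, 539 account locked out
SUCCESS_LOGON = {528, 540}    # interactive / network logon succeeded

# Constructed sample: time, event ID, account, logon type, source.
# 203.0.113.7 hammers Administrator eight times in five seconds and then gets in;
# 198.51.100.9 tries plesk_admin once every 35 minutes.
SAMPLE_LOG = """\
2008-01-06 09:00:00,528,john,10,192.0.2.10
2008-01-06 13:10:02,529,Administrator,10,203.0.113.7
2008-01-06 13:10:03,529,Administrator,10,203.0.113.7
2008-01-06 13:10:03,529,Administrator,10,203.0.113.7
2008-01-06 13:10:04,529,Administrator,10,203.0.113.7
2008-01-06 13:10:05,529,Administrator,10,203.0.113.7
2008-01-06 13:10:05,529,Administrator,10,203.0.113.7
2008-01-06 13:10:06,529,Administrator,10,203.0.113.7
2008-01-06 13:10:07,529,Administrator,10,203.0.113.7
2008-01-06 13:40:00,528,Administrator,10,203.0.113.7
2008-01-06 13:00:00,529,plesk_admin,10,198.51.100.9
2008-01-06 13:35:00,529,plesk_admin,10,198.51.100.9
2008-01-06 14:10:00,529,plesk_admin,10,198.51.100.9
2008-01-06 14:45:00,529,plesk_admin,10,198.51.100.9
2008-01-06 15:20:00,529,plesk_admin,10,198.51.100.9
2008-01-06 15:55:00,529,plesk_admin,10,198.51.100.9
2008-01-06 16:30:00,529,plesk_admin,10,198.51.100.9
2008-01-06 17:05:00,529,plesk_admin,10,198.51.100.9
"""


def parse_log(text):
    """Parse the CSV export into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ltype, src = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "account": account.lower(),
                       "logon_type": int(ltype), "src": src})
    events.sort(key=lambda e: e["time"])
    return events


def failures_by_source(events):
    """Failed logons per (account, source): the first thing to look at."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] in FAILED_LOGON:
            counts[(e["account"], e["src"])] += 1
    return dict(counts)


def successes_after_failures(events):
    """Successful logons from a source that failed earlier against the same
    account: the likely moment the password was guessed."""
    seen_failing, hits = set(), []
    for e in events:
        key = (e["account"], e["src"])
        if e["id"] in FAILED_LOGON:
            seen_failing.add(key)
        elif e["id"] in SUCCESS_LOGON and key in seen_failing:
            hits.append((e["time"].isoformat(), e["account"], e["src"]))
    return hits


def replay_lockout(events, threshold=7, reset_after=timedelta(minutes=30),
                   duration=timedelta(minutes=30)):
    """Replay the log under an account lockout policy; return {account: ISO time
    it would first have been locked}. Accounts never locked are absent.
    Assumed model of the Windows policy: the bad-password count resets once
    reset_after has elapsed since the last failure or on a successful logon;
    reaching threshold locks the account for duration, rejecting attempts."""
    count, last_fail, locked_until, first_lock = defaultdict(int), {}, {}, {}
    for e in events:
        acct, now = e["account"], e["time"]
        if acct in locked_until:
            if now < locked_until[acct]:
                continue                      # rejected while locked
            del locked_until[acct]
            count[acct] = 0
        if e["id"] in FAILED_LOGON:
            if acct in last_fail and now - last_fail[acct] > reset_after:
                count[acct] = 0
            count[acct] += 1
            last_fail[acct] = now
            if count[acct] >= threshold:
                locked_until[acct] = now + duration
                first_lock.setdefault(acct, now.isoformat())
        elif e["id"] in SUCCESS_LOGON:
            count[acct] = 0
    return first_lock


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("failures:", failures_by_source(ev))
    print("success after failures:", successes_after_failures(ev))
    print("would have locked:", replay_lockout(ev))
```

With the sample, the burst against Administrator would have locked the account at the seventh failure and the 13:40 success is the event worth investigating; the slow guesser against plesk_admin never trips the policy because each attempt falls outside the 30-minute reset window. That is the caveat to Newell's second step: lockout rate-limits a brute force, it does not stop a patient one, so it complements rather than replaces taking RDP off the open internet and auditing failed logons (John notes below that failure auditing was off). On the box itself, `net accounts` shows the current policy and `net accounts /lockoutthreshold:7 /lockoutduration:30 /lockoutwindow:30` sets the values Newell suggests.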
Newell White
Forgot to add, have no netman*.exe on hard drive of our W2k3 std SP2 server, but this does not have 8-Jan patches yet.

If you can find these files, what is the created and modified date/time? May be worth checking for all files modified within 2 minutes of this to see what else you may have.
--
Regards,
Newell White
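Newell's "everything modified within 2 minutes" is a timestamp pivot, and it is the cheapest timeline you can build without forensic tooling. The following is an added example, not from the thread: it creates a throw-away directory whose file names echo the ones reported in this thread but whose timestamps are set with os.utime (so everything in it is constructed), then lists every file whose modification time falls within a window of the pivot file's. It keys on st_mtime because that is portable; on Windows os.stat().st_ctime is the creation time shown in the Properties dialog, on Unix it is the inode change time, so ctime is reported only as supporting information.

```python
"""Timestamp pivot around a known-bad file. Added example; sample tree is constructed."""
import os
import shutil
import tempfile
from datetime import datetime


def files_near(root, pivot_path, window_seconds=120):
    """Files under root whose mtime is within +/- window_seconds of pivot_path's.
    Returns [(relative path, mtime ISO, ctime ISO, delta seconds)], nearest first."""
    pivot_mtime = os.stat(pivot_path).st_mtime
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue                  # vanished or locked: skip, do not abort
            delta = st.st_mtime - pivot_mtime
            if abs(delta) <= window_seconds:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"),
                             datetime.fromtimestamp(st.st_mtime).isoformat(),
                             datetime.fromtimestamp(st.st_ctime).isoformat(),
                             round(delta)))
    hits.sort(key=lambda h: abs(h[3]))
    return hits


def build_sample_tree():
    """Constructed stand-in for C:\\Windows\\system32\\drivers: the names the
    thread reports, one legitimate driver with an old timestamp and one unrelated
    file written an hour later. Returns (root, path of the pivot file)."""
    root = tempfile.mkdtemp(prefix="drivers_")
    pivot = datetime(2008, 1, 6, 13, 44).timestamp()
    layout = {                        # relative path -> assumed mtime (seconds)
        "netman24.exe": pivot,
        "netman24.def": pivot + 5,
        "tools/CheckingThread.exe": pivot + 40,
        "tools/SYNattacker.exe": pivot + 95,
        "tcpip.sys": pivot - 300 * 86400,
        "update.log": pivot + 3600,
    }
    for rel, ts in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00")
        os.utime(path, (ts, ts))
    return root, os.path.join(root, "netman24.exe")


if __name__ == "__main__":
    root, pivot = build_sample_tree()
    try:
        for rel, mtime, ctime, delta in files_near(root, pivot):
            print(f"{delta:+5d}s  {mtime}  {rel}")
    finally:
        shutil.rmtree(root)
```

Run it against the real volume root rather than the sample tree to get the same listing for the compromised server; widen the window if the pivot file was dropped by an installer that ran for longer than a couple of minutes, and remember that an attacker who copies files with a tool that preserves timestamps will not show up by mtime at all, which is why the creation time John reads from the Properties dialog is the better pivot on NTFS.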
Danny Sanders
> Apparently somebody hacked in through a nearly wide open front door, Remote Desktop on a standard port. Also installed were 2 network packet sniffing programs PacketX and WinPcap.
> I went into Task Manager and killed a program I did not recognize netman24.exe. I killed it and also saw about 12 instances of CheckingThread.exe disappear.
>
> I did not want to click the Close button in the program because who knows what that might have done.

<Snip>

> Anyone else seen anything like this or recognize these programs as valid? I have not yet removed them from the server.
>
> I have since made some changes to re-secure the server.

You *think* you have re-secured the server. There is no way to really be sure the hacker didn't put in a backdoor that he will have access to once you "secure" the server again. There is no way to tell if he renamed one of his files "notepad" and when you try to open it, his file also opens your server up.

You should *really* consider rebuilding this server and restoring from backups before the breach. There is just no way to tell all he did and clean up *everything*.

hth
DDS
John Kotuby
Newell...
Note below that the created date on the netman24.exe file is Jan 6 2008 1:44PM.

Event viewer shows normal logins, but I did not have it set to record failed logins. I have changed that.
However, there are a bunch of logins for Website Accounts created by the Plesk control panel. The login accounts are for web sites that are on the machine but I did not think were being used since over a year ago. I did give a consultant FTP login info for those sites. However, how could an FTP login explain the programs that were definitely installed, and not by me? Fortunately the packet sniffer programs showed up at the bottom of the Start/Programs listing.
That is why I am assuming desktop access.

There are also a number of account logins by the Plesk Administrator account. I have not used the Plesk Control panel in a few months at least.

I think I will just get rid of all extraneous accounts. Server management is certainly not my forte.

I did a search on one of my Windows servers in the office here that has been patched on January 9 and find no netman*.exe either. However, in order to find those files on the Web Server I had to make sure that System folders were being searched.

The file on the compromised server is found in C:\Windows\system32\drivers of all places. This is another indication of a rogue file. I got a message from a friend that said any file named netman*.exe is suspicious.

There was also another file located there, "netman24.def", with the contents:

<?xml version="1.0" encoding="UTF-8"?>
<luxibe name="Netman24" displayName="Network Connections 24" description="Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections." binary="netman24.exe" startup="Automatic" desktopInteract="no" dependenOn="" antecedentOn=""/>

Which is basically the same info that showed up in the Services area.

Right-clicking properties on netman24.exe shows:
Created - Sunday Jan 6 2008 1:44 PM (must have been Pacific time as the server is on the west coast of US)
Company - Microsoft Corporation
Version - 5.01.0026

However, as I mentioned, a search for netman24.exe on Microsoft brought up nothing.
Anyone who compiled the exe could have placed that Microsoft Corporation info there.

I am trying to figure out a way to get rid of the files without completely destroying them and maybe submit to Symantec. Maybe I will just rename the files, download them to my local FTP server, place them on a CD and then delete.

Thanks for all your help.
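The .def file above is a service definition that borrows the description of the real Network Connections service and tacks a number onto its display name; that imitation, plus an .exe living in system32\drivers, is what to test for across every service on the box. The following is an added example, not code from the thread or from anyone in it. It parses the quoted netman24.def (reproduced as input) and scores service records against a small baseline. The baseline is an assumption for the example: on Windows Server 2003 the real Network Connections service is named Netman and runs inside %SystemRoot%\system32\svchost.exe. The other service records are constructed.

```python
"""Triage of services that imitate a built-in Windows service. Added example;
the baseline and the sample service records are assumptions."""
import re
import xml.etree.ElementTree as ET

# The .def file quoted in the thread, used here as input.
NETMAN24_DEF = """<?xml version="1.0" encoding="UTF-8"?>
<luxibe name="Netman24" displayName="Network Connections 24"
 description="Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections."
 binary="netman24.exe" startup="Automatic" desktopInteract="no" dependenOn="" antecedentOn=""/>
"""

# Assumed baseline: lower-case display name -> (service name, executable prefix).
BASELINE = {
    "network connections": ("netman", "c:\\windows\\system32\\svchost.exe"),
}
# Directories a service executable is normally started from; system32\drivers
# holds .sys kernel drivers, not service .exe files.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

SAMPLE_SERVICES = [  # constructed records in the shape of the Services snap-in
    {"name": "Netman", "display_name": "Network Connections",
     "image_path": "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"},
    {"name": "Netman32", "display_name": "Network Connections 32",
     "image_path": "C:\\WINDOWS\\system32\\drivers\\netman32.exe"},
    {"name": "ExampleAgent", "display_name": "Example Agent",
     "image_path": "C:\\Program Files\\Example Vendor\\agent.exe"},
]


def parse_def(xml_text):
    """Read the attributes of the single root element of a .def file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {k: root.get(k, "") for k in ("name", "displayName", "description",
                                          "binary", "startup")}


def def_to_service(d, directory):
    """Turn a parsed .def into a service record, resolving the relative binary
    against the directory the .def was found in."""
    return {"name": d["name"], "display_name": d["displayName"],
            "image_path": directory.rstrip("\\") + "\\" + d["binary"]}


def triage_service(svc):
    """Return the reasons a service record looks like an impostor ([] if none)."""
    reasons = []
    disp = svc["display_name"].strip().lower()
    path = svc["image_path"].strip().lower()
    # 1. Known display name plus a numeric suffix ("Network Connections 24").
    m = re.fullmatch(r"(.+?)\s+\d+", disp)
    if m and m.group(1) in BASELINE:
        reasons.append(f"display name mimics {m.group(1)!r} with a numeric suffix")
    # 2. Exact built-in display name but a different service name or binary.
    if disp in BASELINE:
        real_name, real_exe = BASELINE[disp]
        if svc["name"].lower() != real_name:
            reasons.append(f"service name {svc['name']!r} is not {real_name!r}")
        if not path.startswith(real_exe):
            reasons.append("binary is not the baseline executable")
    # 3. Executable started from an unusual place (drivers\ or outside usual dirs).
    if "\\system32\\drivers\\" in path or not path.startswith(EXPECTED_DIRS):
        reasons.append(f"binary in unusual location: {svc['image_path']}")
    return reasons


def triage_all(services):
    return {s["name"]: triage_service(s) for s in services}


if __name__ == "__main__":
    rogue = def_to_service(parse_def(NETMAN24_DEF), "C:\\WINDOWS\\system32\\drivers")
    for name, reasons in triage_all(SAMPLE_SERVICES + [rogue]).items():
        print(name, "->", reasons or "no findings")
```

The service records would come from HKLM\SYSTEM\CurrentControlSet\Services (the ImagePath value) or the Services snap-in; the check is deliberately name- and path-based because the version-resource strings John saw ("Company: Microsoft Corporation") are free text set by whoever built the binary. The property that cannot be faked the same way is an Authenticode or catalog signature, which Sysinternals sigcheck can verify on a 2003 server, so an unsigned file in drivers\ that claims to be Microsoft's is the finding, not the Company field.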
John Kotuby
Update...
I finally discovered that there was a whole folder structure under windows\system32\drivers.
Inside one of the folders was a program called SYNattacker.exe by a Chinese company, Nygen Hoang Informatics.
There was also an XML file with target= <a certain website>
I have located the owner of the website using Whois from Network Solutions.
John Kotuby
Thanks Danny...
You are indeed correct. You will see an update post from me on what else I have since discovered. Wow, a tough lesson to learn.

"Danny Sanders" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>> Apparently somebody hacked in through a nearly wide open front door, Remote Desktop on a standard port. Also installed were 2 network packet sniffing programs PacketX and WinPcap.
>> I went into Task Manager and killed a program I did not recognize netman24.exe. I killed it and also saw about 12 instances of CheckingThread.exe disappear.
>>
>> I did not want to click the Close button in the program because who knows what that might have done.
>
> <Snip>
>> Anyone else seen anything like this or recognize these programs as valid? I have not yet removed them from the server.
>>
>> I have since made some changes to re-secure the server.
>
> You *think* you have re-secured the server. There is no way to really be sure the hacker didn't put in a backdoor that he will have access to once you "secure" the server again. There is no way to tell if he renamed one of his files "notepad" and when you try to open it, his file also opens your server up. You should *really* consider rebuilding this server and restoring from backups before the breach. There is just no way to tell all he did and clean up *everything*.
>
> hth
> DDS
>
>
> "John Kotuby" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>> Hi all,
>>
>> Note: this is cross-posted on the Server.Security group but there is little action there.
>>
>> We lease a non-managed Web Server running AV software but no IDS. It is Windows 2003 STD which receives automatic nightly Windows Security patches at 3AM.
>>
>> When I logged into the RDP console on Monday I saw what looked like a Password Cracking software running with the name at the top of the window E-Security. It looks like it had gone through 69,914,496 permutations already.
>>
>> Apparently somebody hacked in through a nearly wide open front door, Remote Desktop on a standard port. Also installed were 2 network packet sniffing programs PacketX and WinPcap.
>> I went into Task Manager and killed a program I did not recognize netman24.exe. I killed it and also saw about 12 instances of CheckingThread.exe disappear.
>>
>> I did not want to click the Close button in the program because who knows what that might have done.
>>
>> Looking in Services, right under Network Connections there were 3 other similar services all claiming to be Microsoft.
>> Network Connections 24
>> Network Connections 32
>> Network Connections 64
>>
>> Doing a search on Microsoft for netman24.exe brought up nothing.
>> Doing a similar search on Google brought up nothing.
>> Same for Symantec.
>>
>> I changed the Startup Option on Network Connections 24 from Automatic to Manual. I have not gotten rid of those services or programs yet in case they are valid.
>>
>> Maybe the connection between netman24.exe being killed and CheckingThread.exe instances disappearing was coincidental but I don't think so.
>>
>> Anyone else seen anything like this or recognize these programs as valid? I have not yet removed them from the server.
>>
>> I have since made some changes to re-secure the server. I need to learn how to quickly set up VPN access using only a remote connection...such that I can configure it first and then still have access to the desktop after it is activated, if that is possible. I don't need an article steeped in theory and we are not talking active directory, just a standalone Win2003 STD remote server. So I am looking for a setup that uses only 1 server for both VPN and Remote Desktop Access. If someone can point me to such an article or tutorial I will be grateful. I am a software developer under a very tight schedule, not a trained server manager.
>>
>>
>> Thanks for any input...
>>
>> --
>> "Building a better mouse trap doesn't necessarily make it better for the mouse."
Newell White
"John Kotuby" wrote:
> Update...
> I finally discovered that there was a whole folder structure under windows\system32\drivers. Inside one of the folders was a program called SYNattacker.exe by a Chinese company;
>
> Nygen Hoang Informatics
>
> There was also an XML file with target= <a certain website>
>
> I have located the owner of the website using Whois from Network Solutions
>
> "John Kotuby" <(E-Mail Removed)> wrote in message news:%(E-Mail Removed)...
> > Newell...
> >
> > Note below that the created date on the netman24.exe file is Jan 6 2008 1:44PM.
> >
> > Event viewer shows normal logins, but I did not have it set to record failed logins. I have changed that.
> > However, there are a bunch of logins for Website Accounts created by the Plesk control panel. The login accounts are for web sites that are on the machine but I did not think were being used since over a year ago. I did give a consultant FTP login info for those sites. However, how could an FTP login explain the programs that were definitely installed, and not by me. Fortunately the packet sniffer programs showed up at the bottom of the Start/Programs listing.
> > That is why I am assuming desktop access.
> >
> > There are also a number of account logins by the Plesk Administrator account. I have not used the Plesk Control panel in a few months at least.
> >
> > I think I will just get rid of all extraneous accounts. Server management is certainly not my forte.
> >
> > I did a search on one of my Windows servers in the office here that has been patched on January 9 and find no netman*.exe either. However, in order to find those files on the Web Server I had to make sure that System folders were being searched.
> >
> > The file on the compromised server is found in C:\Windows\system32\drivers of all places. This is another indication of a rogue file. I got a message from a friend that said any file named netman*.exe is suspicious.
> >
> > There was also another file located there "netman24.def" with the contents:
> > <?xml version="1.0" encoding="UTF-8"?>
> > <luxibe name="Netman24" displayName="Network Connections 24"
> > description="Manages objects in the Network and Dial-Up Connections
> > folder, in which you can view both local area network and remote
> > connections." binary="netman24.exe" startup="Automatic"
> > desktopInteract="no" dependenOn="" antecedentOn=""/>
> >
> > Which is basically the same info that showed up in the Services area.
> >
> > Right-clicking properties on netman24.exe shows:
> > Created - Sunday Jan 6 2008 1:44 PM (must have been Pacific time as the server is on the west coast of US)
> > Company - Microsoft Corporation
> > Version - 5.01.0026
> >
> > However, as I mentioned a search for netman24.exe on Microsoft brought up nothing.
> > Anyone who compiled the exe could have placed that Microsoft Corporation info there.
> >
> > I am trying to figure out a way to get rid of the files without completely destroying them and maybe submit to Symantec. Maybe I will just rename the files, download them to my local FTP server, place them on a CD and then delete.
> >
> > Thanks for all your help.
>
> <snip>

In general you don't have to delete malware - renaming it to zzx_originalname thwarts the start-up mechanism. But of course the bad guys may have installed another program to copy a .jpg or something and rename it to originalname.exe whenever that goes missing.

If a web-surfer is victim of a drive-by, then all of these files are downloaded within the 2-minute interval I mentioned. But in your case the bad guys have had opportunities for multiple accesses over a period of time, and Danny Sanders is spot-on.

A driving analogy - the PC is a motorbike (on which you can get yourself hurt), a server (particularly a public one) is a big truck which can hurt many.

By the way, e-security seems to be a legit program to co-ordinate packet-sniffers etc. and report results - therefore a good recce tool for villains.

--
Regards,
Newell White
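The checks the thread talks through (Newell's "everything written within two minutes of the suspect file", John's observation that the Company/Version fields prove nothing, the look-alike "Network Connections" services, and the rename-instead-of-delete and lockout-policy advice) can be collected into one triage script. This is an added example, not code posted by Newell, Danny or John; it assumes PowerShell has been installed on the Windows 2003 host, that it is run from an administrator session, that the suspect path is the one John reported, and it uses a hypothetical C:\evidence folder for preservation.

```powershell
# Added triage script, not part of the thread or any poster's advice.
# Assumptions: PowerShell is installed on the Windows 2003 host (an optional
# download for that release), the script runs as an administrator, and
# $SuspectFile is the path John reported. $EvidenceDir is hypothetical.
param(
    [string]$SuspectFile   = "C:\Windows\system32\drivers\netman24.exe",
    [int]   $WindowMinutes = 2,
    [string]$EvidenceDir   = "C:\evidence"
)

$suspect = Get-Item -LiteralPath $SuspectFile -Force

# --- 1. What the file claims about itself versus what it actually is.
# CompanyName/FileVersion are just strings set at build time; the hash is
# what an AV vendor can actually match when the sample is submitted.
$bytes  = [System.IO.File]::ReadAllBytes($suspect.FullName)
$sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
$hash   = ([System.BitConverter]::ToString($sha256)) -replace '-', ''
"{0}`n  SHA-256: {1}`n  Company: {2}`n  Version: {3}`n  Created: {4}" -f `
    $suspect.FullName, $hash,
    $suspect.VersionInfo.CompanyName, $suspect.VersionInfo.FileVersion,
    $suspect.CreationTime

# --- 2. The two-minute check: anything created or modified within
# +/- $WindowMinutes of the suspect file, anywhere under %SystemRoot%.
# A single drop usually lands every component in one burst.
$from = $suspect.CreationTime.AddMinutes(-$WindowMinutes)
$to   = $suspect.CreationTime.AddMinutes($WindowMinutes)
Get-ChildItem -Path $env:SystemRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and (
            ($_.CreationTime  -ge $from -and $_.CreationTime  -le $to) -or
            ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to))
    } |
    Sort-Object CreationTime |
    Format-Table CreationTime, LastWriteTime, Length, FullName -AutoSize

# --- 3. Services imitating the real "Network Connections" service.
# The genuine one is named Netman and runs inside svchost.exe (netman.dll).
# Any other entry with that display name, or any service whose binary is
# an .exe under system32\drivers (a folder for kernel .sys files, not
# service executables), deserves a close look.
Get-WmiObject Win32_Service |
    Where-Object {
        ($_.DisplayName -like 'Network Connections*' -and $_.Name -ne 'Netman') -or
        ($_.PathName -match '\\drivers\\[^\\]+\.exe')
    } |
    Format-Table Name, DisplayName, State, StartMode, PathName -AutoSize

# --- 4. Preserve, don't delete: copy to the evidence folder for submission,
# then rename in place so the service's binary path no longer resolves
# (the renaming trick Newell describes). Uncomment after reviewing the
# output above.
# New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
# Copy-Item -LiteralPath $suspect.FullName -Destination $EvidenceDir
# Rename-Item -LiteralPath $suspect.FullName -NewName ("zzx_" + $suspect.Name)

# --- 5. The lockout policy Newell suggested (7 failures, 30 minutes), set
# with net.exe so it can be done over RDP without the MMC snap-in. Windows
# requires the lockout duration to be at least as long as the window.
# net accounts /lockoutthreshold:7 /lockoutduration:30 /lockoutwindow:30
```

Steps 1 to 3 only read; steps 4 and 5 change the machine and are left commented out so the listing can be reviewed first. Note that, as Danny points out above, none of this replaces rebuilding from a pre-breach backup; it only documents what was found and closes the door that was used.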