Trojan attacks - useful resources - ideas please

 
 
Linker3000
12-10-2004, 11:43 AM
Folks,

Several of my Win2K/SQL server systems have been trojaned to various
degrees over the last week or two - mostly ass*oles installing Serv-U
FTP server, but a few have had the administrator password changed
(lovely!) - there seems to have been an increase in such activity over
the last 2 weeks, or is it just my bad luck?

All servers are patched to the hilt as far as Win2K, SQL server and MSIE
are concerned and I'm trying to convince the powers that be to move
everyone over to FireFox (and Linux if I had my way!). Every site has a
firewall/NAT router and I'm currently looking at the blocking rules for
them to tighten things further.

Most of the trojans seem to pass by Symantec AV (Corporate) and some
sneak past Grisoft AVG7 - what's been useful is TrojanHunter, SpybotS&D,
AdAware, port monitoring tools from sysinternals and my own snooping
around processes, noticing suspicious files that have turned up on the
system and checking open ports etc.

OK, here's the main questions:

1) Can you recommend any good Web sites/newsgroups among the tons that
turn up in a Google search where I might find some useful forums
discussing trojans, removal, security and current threats?

2) What tools are you using to check for open ports, remote connections,
monitor logins etc.? I have a few I've been using, but any insight
would be gratefully received.

3) Is there a handy tool that can email me when a user logs in/out
and/or a service is stopped/started etc.? This would help me monitor all
the (14) sites. I am running Nagios for general server/broadband health
monitoring and I'm just going to have a read up to see if it can also
send such alerts so Nagios gurus are welcome to help me out here!

Thanks

L3K
 
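Question 3 asks for something that raises an alert when a user logs in or out or a service starts or stops. The following is an added example, not code from the poster or from Nagios: a small Python filter over exported Windows 2000 event records that picks out the logon/logoff and service-state events and returns both a list of alerts and a Nagios-style exit code (0 OK, 1 WARNING, 2 CRITICAL, which is Nagios's real plugin convention). The event IDs are the real Win2K ones (Security log 528 successful logon, 529 failed logon, 538 logoff; System log 7036 service entered the running/stopped state). Everything else is an assumption: the comma-separated export format, the constructed sample records, the `EXPECTED_SERVICES` baseline and the `BUSINESS_HOURS` window.

```python
"""Hypothetical alert filter for Windows 2000 event-log exports.

Added example (not the poster's or Nagios's code). Input is a simple
CSV export "log,event_id,time,user,message"; the format is an assumption,
a dump tool would need to be told to write it this way.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Real Windows 2000 event IDs worth an e-mail.
WATCHED_EVENTS: Dict[Tuple[str, int], str] = {
    ("Security", 528): "logon",           # successful logon
    ("Security", 529): "failed logon",    # unknown user name or bad password
    ("Security", 538): "logoff",          # user logoff
    ("System", 7036): "service state change",  # Service Control Manager
}

# Constructed baseline of services that are supposed to run on the box.
EXPECTED_SERVICES = {"MSSQLSERVER", "Print Spooler", "Symantec AntiVirus Client"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time; assumption

SERVICE_RE = re.compile(
    r"^The (?P<name>.+?) service entered the (?P<state>\w+) state\.$")

# Constructed sample export; not real log data.
SAMPLE_EXPORT = """\
log,event_id,time,user,message
Security,528,2004-12-10 03:12:07,Administrator,Successful Logon: User Name: Administrator
Security,529,2004-12-10 03:10:55,Administrator,Logon Failure: Reason: Unknown user name or bad password
Security,538,2004-12-10 03:40:11,Administrator,User Logoff
System,7036,2004-12-10 03:13:02,N/A,The Serv-U FTP Server service entered the running state.
System,7036,2004-12-10 03:13:30,N/A,The Symantec AntiVirus Client service entered the stopped state.
Security,540,2004-12-10 09:00:01,svc_replication,Successful Network Logon
System,7036,2004-12-10 09:15:00,N/A,The Print Spooler service entered the running state.
"""

Alert = Tuple[str, str]  # (severity, text)


def parse_export(text: str) -> List[dict]:
    """Read the CSV export into dicts with a numeric id and an hour field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        row["hour"] = int(row["time"][11:13])  # "YYYY-MM-DD HH:MM:SS"
        rows.append(row)
    return rows


def classify(row: dict) -> Optional[Alert]:
    """Return an alert for a watched event, or None if it is benign."""
    kind = WATCHED_EVENTS.get((row["log"], row["event_id"]))
    if kind is None:
        return None
    when = row["time"]
    if kind == "service state change":
        m = SERVICE_RE.match(row["message"])
        if m is None:
            return ("WARNING", f"{when} unparsed service event: {row['message']}")
        name, state = m.group("name"), m.group("state")
        if state == "stopped" and name in EXPECTED_SERVICES:
            return ("CRITICAL", f"{when} expected service stopped: {name}")
        if state == "running" and name not in EXPECTED_SERVICES:
            return ("CRITICAL", f"{when} unexpected service started: {name}")
        return None
    if kind == "failed logon":
        return ("WARNING", f"{when} failed logon for {row['user']}")
    # Successful logon/logoff: only interesting outside business hours.
    if row["hour"] not in BUSINESS_HOURS:
        return ("CRITICAL", f"{when} out-of-hours {kind}: {row['user']}")
    return None


def alerts_for(text: str) -> List[Alert]:
    return [a for a in (classify(r) for r in parse_export(text)) if a is not None]


def nagios_status(alerts: List[Alert]) -> Tuple[int, str]:
    """Map the alert list onto Nagios plugin exit codes and a summary line."""
    crit = sum(1 for sev, _ in alerts if sev == "CRITICAL")
    warn = sum(1 for sev, _ in alerts if sev == "WARNING")
    if crit:
        return 2, f"CRITICAL - {crit} critical, {warn} warning"
    if warn:
        return 1, f"WARNING - {warn} warning"
    return 0, "OK - no watched events"


if __name__ == "__main__":
    found = alerts_for(SAMPLE_EXPORT)
    code, summary = nagios_status(found)
    print(summary)
    for sev, text in found:
        print(f"  [{sev}] {text}")
    raise SystemExit(code)
```

Run against the sample, the filter flags the out-of-hours Administrator logon and logoff, the failed logon just before it, the unexpected Serv-U service starting and the antivirus service stopping, while the daytime replication logon and the Print Spooler start pass silently. Wired up as a Nagios check command, the exit code drives the notification; the summary line is what ends up in the e-mail.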
Colin Wilson
12-10-2004, 07:03 PM
> 1) Can you recommend any good Web sites/newsgroups among the tons that
> turn up in a Google search where I might find some useful forums
> discussing trojans, removal, security and current threats?


www.astalavista.box.sk

--
Please add "[newsgroup]" in the subject of any personal replies via email
--- My new email address has "ngspamtrap" & @btinternet.com in it ;-) ---
 
Greg Hennessy
12-11-2004, 05:19 PM
On Fri, 10 Dec 2004 12:43:50 +0000 (UTC), Linker3000
<(E-Mail Removed)> wrote:

>Folks,
>
>Several of my Win2K/SQL server systems have been trojaned to various
>degrees over the last week or two - mostly ass*oles installing Serv-U
>FTP server, but a few have had the administrator password changed
>(lovely!) - there seems to have been an increase in such activity over
>the last 2 weeks, or is it just my bad luck?


No, it's chronic stupidity on your part for directly exposing ports
1433/1434 to the Internet.

There is absolutely *no* reason to directly expose a database server on a
routed Internet connection.

Zero,
None,
Nada,
Zilch,
SFA

Did Slammer not teach you anything ?

>All servers are patched to the hilt as far as Win2K, SQL server and MSIE
>are concerned and I'm trying to convince the powers that be to move
>everyone over to FireFox (and Linux if I had my way!).


That won't save them from your obvious lack of clue.

It's not difficult to harden win2k to the same level as the alternatives.
It's not rocket science to design infrastructure such that you do *not*
expose business critical infrastructure to the Internet.

Any design which requires you to put a database server directly on the
Internet is so flawed it warrants zero further consideration.

Any business which would sign off on such, deserves to go tits up.


greg
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
 
Spin Dryer
12-11-2004, 07:00 PM
On Fri, 10 Dec 2004 12:43:50 +0000 (UTC), [Linker3000] said :-

>Folks,
>
>Several of my Win2K/SQL server systems have been trojaned to various
>degrees over the last week or two - mostly ass*oles installing Serv-U
>FTP server, but a few have had the administrator password changed
>(lovely!) - there seems to have been an increase in such activity over
>the last 2 weeks, or is it just my bad luck?
>
>All servers are patched to the hilt as far as Win2K, SQL server and MSIE
>are concerned and I'm trying to convince the powers that be to move
>everyone over to FireFox (and Linux if I had my way!). Every site has a
>firewall/NAT router and I'm currently looking at the blocking rules for
>them to tighten things further.
>
>Most of the trojans seem to pass by Symantec AV (Corporate) and some
>sneak past Grisoft AVG7 - what's been useful is TrojanHunter, SpybotS&D,
>AdAware, port monitoring tools from sysinternals and my own snooping
>around processes, noticing suspicious files that have turned up on the
>system and checking open ports etc.
>
>OK, here's the main questions:
>
>1) Can you recommend any good Web sites/newsgroups among the tons that
>turn up in a Google search where I might find some useful forums
>discussing trojans, removal, security and current threats?
>
>2) What tools are you using to check for open ports, remote connections,
>monitor logins etc.? I have a few I've been using, but any insight
>would be gratefully received.
>
>3) Is there a handy tool that can email me when a user logs in/out
>and/or a service is stopped/started etc.? This would help me monitor all
>the (14) sites. I am running Nagios for general server/broadband health
>monitoring and I'm just going to have a read up to see if it can also
>send such alerts so Nagios gurus are welcome to help me out here!
>
>Thanks
>
>L3K



Are you serious ?

If so - employ someone who knows what they are doing, this is frankly
appalling.


I'm surprised your connection hasn't been suspended via your ISP by
gross stupidity and incompetence - or even been cancelled for being a
spam zombie.
 
Linker3000
12-11-2004, 08:46 PM
Greg Hennessy wrote:
> On Fri, 10 Dec 2004 12:43:50 +0000 (UTC), Linker3000
> <(E-Mail Removed)> wrote:
>
>
>>Folks,
>>
>>Several of my Win2K/SQL server systems have been trojaned to various
>>degrees over the last week or two - mostly ass*oles installing Serv-U
>>FTP server, but a few have had the administrator password changed
>>(lovely!) - there seems to have been an increase in such activity over
>>the last 2 weeks, or is it just my bad luck?

>
>
> No, it's chronic stupidity on your part for directly exposing ports
> 1433/1434 to the Internet.
>
> There is absolutely *no* reason to directly expose a database server on a
> routed Internet connection.
>
> Zero,
> None,
> Nada,
> Zilch,
> SFA
>
> Did Slammer not teach you anything ?
>
>
>>All servers are patched to the hilt as far as Win2K, SQL server and MSIE
>>are concerned and I'm trying to convince the powers that be to move
>>everyone over to FireFox (and Linux if I had my way!).

>
>
> That won't save them from your obvious lack of clue.
>
> It's not difficult to harden win2k to the same level as the alternatives.
> It's not rocket science to design infrastructure such that you do *not*
> expose business critical infrastructure to the Internet.
>
> Any design which requires you to put a database server directly on the
> Internet is so flawed it warrants zero further consideration.
>
> Any business which would sign off on such, deserves to go tits up.
>
>
> greg


Thanks for the pointless response based on your complete lack of
knowledge of my circumstances - for your information:

Unfortunately I inherited this setup when I joined the company 6 months
ago and I have voiced my concerns about it on numerous occasions.

We have a stupid number of SQL servers (14) replicating in clusters to
regional master databases, and then these replicate to one master
database at HQ. I agree it's absurd, but my hands are tied by historic
decisions and also by the fact that the people who wrote and support the
front end app are so crap at database design and security that whenever
I bring up the subject of a more secure architecture they raise all
sorts of dumb-ass objections as to why it can't be done, so that the powers
that be in my organisation get cold feet and shy away from doing
anything about it.

Now, if you have anything USEFUL to add please go ahead....

L3K
 
Linker3000
12-11-2004, 08:50 PM
Spin Dryer wrote:
> On Fri, 10 Dec 2004 12:43:50 +0000 (UTC), [Linker3000] said :-
>
>
>>Folks,
>>
>>Several of my Win2K/SQL server systems have been trojaned to various
>>degrees over the last week or two - mostly ass*oles installing Serv-U
>>FTP server, but a few have had the administrator password changed
>>(lovely!) - there seems to have been an increase in such activity over
>>the last 2 weeks, or is it just my bad luck?
>>
>>All servers are patched to the hilt as far as Win2K, SQL server and MSIE
>>are concerned and I'm trying to convince the powers that be to move
>>everyone over to FireFox (and Linux if I had my way!). Every site has a
>>firewall/NAT router and I'm currently looking at the blocking rules for
>>them to tighten things further.
>>
>>Most of the trojans seem to pass by Symantec AV (Corporate) and some
>>sneak past Grisoft AVG7 - what's been useful is TrojanHunter, SpybotS&D,
>>AdAware, port monitoring tools from sysinternals and my own snooping
>>around processes, noticing suspicious files that have turned up on the
>>system and checking open ports etc.
>>
>>OK, here's the main questions:
>>
>>1) Can you recommend any good Web sites/newsgroups among the tons that
>>turn up in a Google search where I might find some useful forums
>>discussing trojans, removal, security and current threats?
>>
>>2) What tools are you using to check for open ports, remote connections,
>>monitor logins etc.? I have a few I've been using, but any insight
>>would be gratefully received.
>>
>>3) Is there a handy tool that can email me when a user logs in/out
>>and/or a service is stopped/started etc.? This would help me monitor all
>>the (14) sites. I am running Nagios for general server/broadband health
>>monitoring and I'm just going to have a read up to see if it can also
>>send such alerts so Nagios gurus are welcome to help me out here!
>>
>>Thanks
>>
>>L3K

>
>
>
> Are you serious ?
>
> If so - employ someone who knows what they are doing, this is frankly
> appalling.
>
>
> I'm surprised your connection hasn't been suspended via your ISP by
> gross stupidity and incompetence - or even been cancelled for being a
> spam zombie.


FTP site = spam zombie, yeah right.

You have obviously never inherited the kind of mess I have, then - it's not
my setup and there's no way I'd have proposed anything like it - see my
reply to another thread hereabouts.

L3K

 
Spin Dryer
12-11-2004, 08:55 PM
On Sat, 11 Dec 2004 21:46:55 +0000, [Linker3000] said :-
>>
>> Any business which would sign off on such, deserves to go tits up.
>>
>>
>> greg

>
>Thanks for the pointless response based on your complete lack of
>knowledge of my circumstances - for your information:
>
>Unfortunately I inherited this setup when I joined the company 6 months
>ago and I have voiced my concerns about it on numerous occasions.



Well, for 'your information' - not many here have crystal balls - how
on earth could anyone have known that?

So, Slick, next time you post requiring information, mention
something relevant, ok? Your pointless initial post implied your own
lack of ability.

 
Greg Hennessy
12-11-2004, 10:19 PM
On Sat, 11 Dec 2004 21:46:55 +0000, Linker3000
<(E-Mail Removed)> wrote:


>> That won't save them from your obvious lack of clue.
>>
>> It's not difficult to harden win2k to the same level as the alternatives.
>> It's not rocket science to design infrastructure such that you do *not*
>> expose business critical infrastructure to the Internet.
>>
>> Any design which requires you to put a database server directly on the
>> Internet is so flawed it warrants zero further consideration.
>>
>> Any business which would sign off on such, deserves to go tits up.
>>
>>
>> greg

>
>Thanks for the pointless response based on your complete lack of
>knowledge of my circumstances


Your inability to provide supporting evidence in the original post is not
the fault of the audience.

Your servers *haven't* been hardened adequately

Your lack of knowledge w.r.t the capabilities of the software you have to
hand is self evident.

5 minutes' googling produces excellent tutorials and mechanisms to lock down
win2k duck's-arse tight:

http://www.systemexperts.com/win2k/HardenWin2K.html
http://www.securiteam.com/tools/6Y00M1FBPI.html

Therefore my response stands.

A bad workman will always blame his tools.

>- for your information:
>
>Unfortunately I inherited this setup when I joined the company 6 months
>ago and I have voiced my concerns about it on numerous occasions.


'Voicing your concerns' is not enough in that situation.


>We have a stupid number of SQL servers (14) replicating in clusters to
>regional master databases and then these replicate to one master
>database at HQ. I agree it's absurd but my hands are tied by historic
>decisions and also the fact that the people who wrote and support the
>front end app are so crap at database design and security that whenever


Nonsense! There is nothing, absolutely nothing, stopping you using IPSEC to
tunnel replication between sites; it's built into win2k as *standard*, for
chrissakes!

>I bring up the subject of a more secure architecture they raise all
>sorts of dumb-ass objections as to why it can't be done that the powers
>that be in my organisation get cold feet and shy away from doing
>anything about it.


That's a cop-out. You have the means to fix it *today* without spending a
single penny, so why aren't *you* doing something to sort it?



greg



--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
 
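Greg's two points, that SQL Server's ports (TCP 1433 and the UDP 1434 resolution service that Slammer hit) should never be reachable from arbitrary Internet sources, and that Windows 2000's built-in IPsec can carry the replication between sites instead, can be turned into a mechanical check on the perimeter rules. The following is an added example, not anything from the thread or from any router vendor: a Python audit over a constructed, vendor-neutral rule list (the `permit proto src -> dst port` text form is an assumption, as are the TEST-NET addresses and the prefix-length threshold used to decide what counts as "the Internet"). The hardening step replaces each offending permit with a deny and, for each named replication peer, admits only the IPsec traffic that a tunnel between the sites needs: IKE on UDP 500 and ESP (IP protocol 50). Both of those are the real IPsec protocol numbers.

```python
"""Hypothetical perimeter-rule audit for exposed SQL Server ports.

Added example (not the thread's or any vendor's code). Rule syntax
"permit|deny proto src/prefix -> dst/prefix port|any" is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# SQL Server listener (TCP 1433) and the SQL Server Resolution Service
# (UDP 1434) that Slammer exploited.
DB_PORTS = {("tcp", 1433), ("udp", 1434)}
WIDE_PREFIX = 24  # assumption: a source broader than a /24 is "the Internet"

# Constructed sample ruleset using TEST-NET documentation addresses.
SAMPLE_RULES = """\
# site-3 router, external interface (constructed)
permit tcp 0.0.0.0/0 -> 192.0.2.10/32 1433
permit udp 0.0.0.0/0 -> 192.0.2.10/32 1434
permit tcp 0.0.0.0/0 -> 192.0.2.10/32 80
permit tcp 198.51.100.0/24 -> 192.0.2.10/32 1433
deny any 0.0.0.0/0 -> 192.0.2.0/24 any
"""


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "esp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any port


def parse_rule(line: str) -> Rule:
    action, proto, src, arrow, dst, port = line.split()
    if arrow != "->":
        raise ValueError(f"bad rule: {line!r}")
    return Rule(action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), None if port == "any" else int(port))


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def format_rule(r: Rule) -> str:
    port = "any" if r.dport is None else str(r.dport)
    return f"{r.action} {r.proto} {r.src} -> {r.dst} {port}"


def exposes_db(rule: Rule) -> bool:
    """True if the rule lets a wide source range reach a SQL Server port."""
    if rule.action != "permit":
        return False
    wide = rule.src.prefixlen < WIDE_PREFIX
    hits_db = any(rule.proto in (proto, "any") and rule.dport in (port, None)
                  for proto, port in DB_PORTS)
    return wide and hits_db


def audit(text: str) -> List[str]:
    """Return the offending rules, formatted, in their original order."""
    return [format_rule(r) for r in parse_rules(text) if exposes_db(r)]


def harden(text: str, peers: List[str]) -> List[str]:
    """Rewrite the ruleset: IPsec from the replication peers only, DB ports denied.

    For every database host that an offending rule exposes, one IKE (UDP 500)
    and one ESP permit is emitted per peer, ahead of a deny that replaces the
    original permit. Other rules are kept as they are.
    """
    peer_nets = [ipaddress.ip_network(p) for p in peers]
    out: List[Rule] = []
    ipsec_done = set()
    for rule in parse_rules(text):
        if not exposes_db(rule):
            out.append(rule)
            continue
        if rule.dst not in ipsec_done:
            ipsec_done.add(rule.dst)
            for peer in peer_nets:
                out.append(Rule("permit", "udp", peer, rule.dst, 500))   # IKE
                out.append(Rule("permit", "esp", peer, rule.dst, None))  # ESP
        out.append(Rule("deny", rule.proto, rule.src, rule.dst, rule.dport))
    return [format_rule(r) for r in out]


if __name__ == "__main__":
    print("exposed:")
    for line in audit(SAMPLE_RULES):
        print("  " + line)
    print("hardened ruleset:")
    for line in harden(SAMPLE_RULES, ["198.51.100.0/24", "203.0.113.0/24"]):
        print("  " + line)
```

On the sample the audit flags the two rules that open 1433 and 1434 to `0.0.0.0/0`; the web rule and the peer-scoped `198.51.100.0/24` permit pass. After hardening, re-running `audit` over the output returns nothing. The remaining cleartext permit from the peer network is left alone because it is narrow, but once replication actually runs inside the IPsec tunnel it can be removed too, since the firewall then only ever sees ESP between the sites.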
Linker3000
12-12-2004, 08:45 AM
Spin Dryer wrote:
> On Sat, 11 Dec 2004 21:46:55 +0000, [Linker3000] said :-
>
>>>Any business which would sign off on such, deserves to go tits up.
>>>
>>>
>>>greg

>>
>>Thanks for the pointless response based on your complete lack of
>>knowledge of my circumstances - for your information:
>>
>>Unfortunately I inherited this setup when I joined the company 6 months
>>ago and I have voiced my concerns about it on numerous occasions.

>
>
>
> Well, for 'your information' - not many here have crystal balls - how
> on earth could anyone have known that?
>
> So, Slick, next time you post requiring information, mention
> something relevant, ok? Your pointless initial post implied your own
> lack of ability.
>

I seem to recall my first post requesting info on security resources,
not a critique of my abilities and the system - you may have missed that
bit.

L3K
 
Spin Dryer
12-12-2004, 09:19 AM
On Sun, 12 Dec 2004 09:45:44 +0000, [Linker3000] said :-

>Spin Dryer wrote:
>> On Sat, 11 Dec 2004 21:46:55 +0000, [Linker3000] said :-
>>
>>>>Any business which would sign off on such, deserves to go tits up.
>>>>
>>>>
>>>>greg
>>>
>>>Thanks for the pointless response based on your complete lack of
>>>knowledge of my circumstances - for your information:
>>>
>>>Unfortunately I inherited this setup when I joined the company 6 months
>>>ago and I have voiced my concerns about it on numerous occasions.

>>
>>
>>
>> Well, for 'your information' - not many here have crystal balls - how
>> on earth could anyone have known that?
>>
>> So, Slick, next time you post requiring information, mention
>> something relevant, ok? Your pointless initial post implied your own
>> lack of ability.
>>

>I seem to recall my first post requesting info on security resources,
>not a critique of my abilities and the system - you may have missed that
>bit.
>


Your first paragraph in your first post in this thread, fella, was:


" Several of my Win2K/SQL server systems have been trojaned to various
degrees over the last week or two - mostly ass*oles installing Serv-U
FTP server, but a few have had the administrator password changed
(lovely!) - there seems to have been an increase in such activity over
the last 2 weeks, or is it just my bad luck? "


Your later paragraphs (and of course the subject title) do ask for
info, but to probably anyone else reading, the "info" is needed
_because_ of the first paragraph.

However, new stuff came to light about you inheriting the system 6
months ago - yet your first paragraph says that the problems stemmed
from the past couple of weeks.

Now what conclusion does that imply?
 