Unknown Network Attack

Jon Davis
      10-12-2004, 10:56 PM
The other day, my Windows Server 2003 server, which was configured to host
DNS, FTP, HTTP, and dial-up, but was NOT behind a firewall, was attacked, in
a manner I do not understand, and I hope someone here could give me some
tips on restoration advice.

Everything was working perfectly the other day, and actually I was playing
Unreal Tournament 2004 on the server (hehe), when suddenly all Internet
traffic through the machine stopped. I couldn't access anything. However,
other computers accessing the Internet through the same DSL router worked
fine. I could Remote Desktop and access the web services on the server from
my laptop using the server's Internet IP address, but DNS (which was one of
the server's jobs) failed.

I opened Network Connections and right-clicked the Ethernet adapter icon and
chose "Repair". Repair failed, saying something about the arpa tables being
corrupted or unable to be reset or something.

I swapped network cards and the DNS and pings to the server simply wouldn't
work.

I restored the original network card and outsourced the DNS service to
another company. So now after a day wait, HTTP and e-mail are back up and
running. I enabled the Windows Firewall and poked holes for HTTP, FTP, and
E-mail.

But now when I try to test FTP from my laptop, it's very strange... I can get
on the FTP service just fine using Internet Explorer's FTP service, but when
using an FTP application that I wrote in C#, it times out while trying to
transfer data. I tried opening up port 22 (aren't FTP xfers done on 22? or
is it 20 and I was mistaken?) but that didn't help.

Now that SOME things are working again (everything but ping and DNS and FTP
using .NET sockets), I had to disable the Windows Firewall again to restore
the dial-up routing for Routing and Remote Access. But RRAS refused to start
because IC (Internet Connections) was enabled. No it wasn't ... I enabled
and then deleted IC, and then set up RRAS to work. The modem picks up again
as it should, but now it doesn't route anything. I can access the server
using Remote Desktop over the modem from home, but I can't get onto the
Internet. I've enabled Routing in the RRAS configuration. This was working
before, why is it not working now?

Does anyone know what kind of attack the original symptoms appear to be
from? By the way, please spare me the advice about the immorality of being
without a firewall. Obviously I made a mistake being so slutty. That's not
what I'm asking about. I just want to know what kind of attack this was, and
how I can restore things.

Thanks,
Jon


 
Steven Umbach
      10-13-2004, 05:00 AM
It is very hard to tell exactly what happened. Scans for malware and
parasites [use something like Ad-Aware SE] may find the problem, and tools like
Autoruns, TCPView, and Process Explorer from Sysinternals let you view startup
programs, port-to-process mapping, and the details of the processes running on
your server to look for compromise. Trend Micro has a great free stand-alone
tool to scan for and remove many common malware. FTP uses TCP ports 20 and 21,
and FTP can be either active or passive, which may need different firewall
configurations for some firewalls. You may also have just experienced Winsock
corruption, from your description. Running the netdiag support tool may
confirm this, as it does have a test for Winsock. You may be able to fix your
problem by reinstalling TCP/IP and repairing Winsock. --- Steve

http://www.sysinternals.com/ntw2k/fr...autoruns.shtml -- Sysinternals tools
http://www.trendmicro.com/download/dcs.asp -- SysClean
http://support.microsoft.com/kb/317518 -- reset TCP/IP, Windows 2003 (non-domain controllers)
http://support.microsoft.com/kb/811259 -- repair Winsock, W2003 and XP



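Steve's point that FTP uses TCP 20 and 21 in either active or passive mode is the likely reason a client that logs in fine still times out on transfers: the data channel is a second TCP connection, and which side opens it depends on the mode. Port 22 is SSH and has nothing to do with FTP. The Python script below is an added example, not code from the thread or from either poster: it parses the two control-channel lines that announce a data connection (the client's PORT command and the server's 227 reply to PASV, in the RFC 959 h1,h2,h3,h4,p1,p2 form) and models a host firewall on the server that filters inbound connections only, which is how the Windows Firewall/ICF of that era behaved. The sample control lines, addresses and open-port sets are constructed.

```python
"""Active vs. passive FTP: which side opens the data connection, and what a
server-side firewall that admits only inbound TCP/21 does to each mode.
Added example for this thread; sample lines and addresses are constructed."""
import re
from dataclasses import dataclass
from typing import Collection, Optional

FTP_CONTROL_PORT = 21      # command channel, always opened by the client
FTP_ACTIVE_DATA_PORT = 20  # source port the server uses for an active-mode data connection

# RFC 959 host/port tuple: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


@dataclass(frozen=True)
class DataConnection:
    """Who opens the FTP data connection, and to where."""
    mode: str                # "active" (client sent PORT) or "passive" (server answered PASV)
    initiator: str           # "server" or "client"
    src_port: Optional[int]  # 20 in active mode; an unknown ephemeral port in passive mode
    dst_host: str
    dst_port: int


def _decode_hostport(groups) -> tuple:
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        raise ValueError(f"byte out of range in {','.join(groups)}")
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def parse_port_command(line: str) -> DataConnection:
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2': the client listens there and the
    server will connect to it from TCP/20 (active mode)."""
    m = re.fullmatch(r"PORT\s+" + _HOSTPORT, line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _decode_hostport(m.groups())
    return DataConnection("active", "server", FTP_ACTIVE_DATA_PORT, host, port)


def parse_pasv_reply(line: str) -> DataConnection:
    """Server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).': the server
    listens on an ephemeral port and the client must connect to it (passive mode)."""
    m = re.search(r"^227\b.*?\(" + _HOSTPORT + r"\)", line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    host, port = _decode_hostport(m.groups())
    return DataConnection("passive", "client", None, host, port)


def server_firewall_allows(conn: DataConnection, inbound_open: Collection[int]) -> bool:
    """Model of a host firewall on the FTP server that filters inbound connections
    only and never restricts what the server itself initiates (assumed to match the
    inbound-only Windows Firewall/ICF the thread talks about)."""
    if conn.initiator == "server":         # active mode: the server dials out from 20
        return True
    return conn.dst_port in inbound_open   # passive mode: the client dials the ephemeral port


def diagnose_transfer(control_line: str, inbound_open: Collection[int]) -> str:
    """Given the one control-channel line that announces the data connection,
    report whether the transfer can get through the server's inbound filter."""
    if control_line.strip().upper().startswith("PORT"):
        conn = parse_port_command(control_line)
    else:
        conn = parse_pasv_reply(control_line)
    target = f"{conn.dst_host}:{conn.dst_port}"
    if server_firewall_allows(conn, inbound_open):
        return f"{conn.mode}: {conn.initiator} opens data connection to {target}: passes"
    return (f"{conn.mode}: client must open data connection to {target}, "
            f"which the server's inbound filter blocks: allow that passive port range")


if __name__ == "__main__":
    # Constructed control-channel lines; the addresses are documentation ranges.
    sample_lines = (
        "PORT 192,0,2,5,4,1",                               # client listens on 192.0.2.5:1025
        "227 Entering Passive Mode (203,0,113,10,195,80).",  # server listens on :50000
    )
    only_control = {FTP_CONTROL_PORT}
    control_plus_passive_range = {FTP_CONTROL_PORT} | set(range(50000, 50100))
    for line in sample_lines:
        print(diagnose_transfer(line, only_control))
        print(diagnose_transfer(line, control_plus_passive_range))
```

With only port 21 open, the active-mode line passes (the server dials out) while the passive-mode line is reported as blocked; opening the server's passive range lets both through. The defensible fix on a host with an inbound-only firewall is therefore to confine the FTP server's passive data-port range and open exactly that range (or use a firewall that tracks FTP data connections statefully), not to open port 22.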


 
Jon Davis
      10-13-2004, 12:37 PM
Thanks for the tools references, I'll check them out.

Jon




 
Jon Davis
      10-15-2004, 12:55 AM
Resetting TCP/IP seems to have done the trick. Thanks again.

Jon





 
Jon Davis
      10-15-2004, 01:19 AM
Hm. Some things are working. But not routing and remote access (RRAS).

Jon




 
Steven L Umbach
      10-15-2004, 02:38 AM
What is happening with RRAS? Make sure the built-in ICF firewall is
disabled on a server using RRAS. Check your TCP/IP configuration to make
sure that it is correct, as resetting TCP/IP may have changed it from static
IP to DHCP or changed the entries in TCP/IP such as IP address, DNS server,
and default gateway. Also check Event Viewer for any error messages that may
help. --- Steve



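Steve's advice to verify the TCP/IP configuration after the reset (static vs. DHCP, IP address, DNS servers, default gateway) can be turned into a repeatable check. The Python below is an added example, not from the thread or either poster: it parses the text of `ipconfig /all` in the Windows Server 2003 layout into sections and fields, then compares one adapter against the static values it should have and reports every drift, including the 169.254.x.x autoconfiguration address a host falls back to when it has been flipped to DHCP with no DHCP server answering, and the `IP Routing Enabled` flag that a box expected to route should show as Yes. The two embedded dumps (a healthy configuration and one after a reset) are constructed with documentation addresses; the field names are the ones ipconfig prints, and the parser assumes the English locale.

```python
"""Audit a Windows Server 2003 `ipconfig /all` dump against the static
configuration an adapter is supposed to have. Added example for this thread;
both dumps are constructed and use documentation addresses."""
import re
from typing import Dict, List

# "   Field Name . . . . : value"  (dots and spaces pad the field name)
_FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)[\s.]*:\s*(.*?)\s*$")


def parse_ipconfig_all(text: str) -> Dict[str, Dict[str, List[str]]]:
    """{section heading: {field: [values]}}; the global block is keyed
    'Windows IP Configuration'. Indented lines without a colon continue the
    previous field (ipconfig lists additional DNS servers that way)."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # unindented line = section heading
            current = raw.strip().rstrip(":")
            sections[current] = {}
            last_key = None
            continue
        if current is None:
            continue
        m = _FIELD.match(raw)
        if m:
            last_key, value = m.group(1), m.group(2)
            sections[current].setdefault(last_key, [])
            if value:
                sections[current][last_key].append(value)
        elif last_key is not None:
            sections[current][last_key].append(raw.strip())
    return sections


def _first(fields: Dict[str, List[str]], key: str) -> str:
    values = fields.get(key, [])
    return values[0] if values else ""


def audit_static_adapter(text: str, adapter: str, expected: Dict) -> List[str]:
    """One finding per setting that differs from `expected`
    (keys: ip, mask, gateway, dns (list), routing (bool))."""
    cfg = parse_ipconfig_all(text)
    findings: List[str] = []
    routing = _first(cfg.get("Windows IP Configuration", {}), "IP Routing Enabled")
    if expected.get("routing") and routing.lower() != "yes":
        findings.append(f"IP Routing Enabled is {routing or 'not reported'}; a box that routes should say Yes")
    fields = cfg.get(adapter)
    if fields is None:
        return findings + [f"adapter section {adapter!r} not found"]
    if _first(fields, "DHCP Enabled").lower() != "no":
        findings.append("DHCP Enabled is Yes; the adapter should hold a static address")
    ip = _first(fields, "IP Address") or _first(fields, "Autoconfiguration IP Address")
    if ip != expected["ip"]:
        note = " (APIPA fallback: DHCP enabled but nothing answered)" if ip.startswith("169.254.") else ""
        findings.append(f"IP address is {ip or 'missing'}{note}, expected {expected['ip']}")
    mask = _first(fields, "Subnet Mask")
    if mask != expected["mask"]:
        findings.append(f"subnet mask is {mask or 'missing'}, expected {expected['mask']}")
    gw = _first(fields, "Default Gateway")
    if gw != expected["gateway"]:
        findings.append(f"default gateway is {gw or 'missing'}, expected {expected['gateway']}")
    dns = fields.get("DNS Servers", [])
    if dns != list(expected["dns"]):
        findings.append(f"DNS servers are {dns or 'missing'}, expected {list(expected['dns'])}")
    return findings


ADAPTER = "Ethernet adapter Local Area Connection"
EXPECTED = {"ip": "203.0.113.10", "mask": "255.255.255.0", "gateway": "203.0.113.1",
            "dns": ["203.0.113.10", "192.0.2.53"], "routing": True}

HEALTHY_DUMP = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : srv2003
   Primary Dns Suffix  . . . . . . . :
   IP Routing Enabled. . . . . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example 10/100 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-00-5E-00-53-01
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 203.0.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       192.0.2.53
"""

AFTER_RESET_DUMP = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : srv2003
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example 10/100 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-00-5E-00-53-01
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.77.12
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
"""

if __name__ == "__main__":
    for name, dump in (("healthy", HEALTHY_DUMP), ("after reset", AFTER_RESET_DUMP)):
        print(f"{name}: {audit_static_adapter(dump, ADAPTER, EXPECTED) or 'no drift'}")
```

On a real box, feed it the saved output of `ipconfig /all > before.txt` taken while the server was working, so the expected values come from a known-good snapshot rather than from memory; the after-reset dump above shows the pattern Steve describes, where the adapter has silently gone to DHCP, picked up an APIPA address and lost its gateway and DNS entries.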


 