# 2003 Server Attack by Unknown Hacker, need help, Proxy Server



## JusThinK (Apr 26, 2008)

Hi All,

Today 3 proxy servers at my workplace were attacked by some hacker. The servers are running Windows 2003 Std Edition (Service Pack 2).

Attack details:

An account was created with administrative privilege, and when we checked, it was logged on with that account; the strange thing is, it's showing as a built-in account. Also, an exe file called *AutoSQL* started scanning lots of public IPs; it looks like it's broadcasting.

The created account is *hackp13$*, and the event log shows the following successful logon:

```
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff 
Event ID: 551
Date:  25/04/2008
Time:  6:25:01 PM
User:  AFT-PROXY\hackp13$
Computer: AFT-PROXY
Description:
User initiated logoff:
  User Name: hackp13$
  Domain:  AFT-PROXY
  Logon ID:  (0x0,0x3b7fec)
```
After the initial shock, we did a scan with *Microsoft Baseline Security Analyzer*; it showed 3 critical updates and 2 important updates required. The most interesting part is that while I was installing updates via Windows Update, the hacker suddenly took full control of my desktop, moving my mouse and keyboard, cancelled the update, then opened Internet Explorer and opened a site.

Service Window
AutoSql

IP Scan

Netstat 1

```
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\hackp13$>netstat

Active Connections

  Proto  Local Address		  Foreign Address		State
  TCP	asdf:1047			  asdf:ms-sql-s		  ESTABLISHED
  TCP	asdf:1048			  asdf:ms-sql-s		  ESTABLISHED
  TCP	asdf:1050			  asdf:ms-sql-s		  ESTABLISHED
  TCP	asdf:1051			  asdf:ms-sql-s		  ESTABLISHED
  TCP	asdf:1052			  asdf:ms-sql-s		  ESTABLISHED
  TCP	asdf:1053			  asdf:ms-sql-s		  ESTABLISHED
  TCP	asdf:1054			  asdf:ms-sql-s		  ESTABLISHED
  TCP	asdf:ms-sql-s		  asdf:1047			  ESTABLISHED
  TCP	asdf:ms-sql-s		  asdf:1048			  ESTABLISHED
  TCP	asdf:ms-sql-s		  asdf:1050			  ESTABLISHED
  TCP	asdf:ms-sql-s		  asdf:1051			  ESTABLISHED
  TCP	asdf:ms-sql-s		  asdf:1052			  ESTABLISHED
  TCP	asdf:ms-sql-s		  asdf:1053			  ESTABLISHED
  TCP	asdf:ms-sql-s		  asdf:1054			  ESTABLISHED
  TCP	asdf:2602			  asdf:7000			  ESTABLISHED
  TCP	asdf:3103			  asdf:7000			  CLOSE_WAIT
  TCP	asdf:5001			  asdf:1088			  CLOSE_WAIT
  TCP	asdf:7000			  asdf:2602			  ESTABLISHED
  TCP	asdf:7000			  asdf:3103			  FIN_WAIT_2
  TCP	asdf:1637			  222.76.64.57:8000	  ESTABLISHED
  TCP	asdf:2603			  207.46.110.40:http	 ESTABLISHED
  TCP	asdf:8080			  192.168.16.29:1529	 ESTABLISHED
  TCP	asdf:8080			  192.168.33.75:4849	 TIME_WAIT
  TCP	asdf:8080			  192.168.33.75:4854	 TIME_WAIT
^C
C:\Documents and Settings\hackp13$>netstat -n

Active Connections

  Proto  Local Address		  Foreign Address		State
  TCP	127.0.0.1:1047		 127.0.0.1:1433		 ESTABLISHED
  TCP	127.0.0.1:1048		 127.0.0.1:1433		 ESTABLISHED
  TCP	127.0.0.1:1050		 127.0.0.1:1433		 ESTABLISHED
  TCP	127.0.0.1:1051		 127.0.0.1:1433		 ESTABLISHED
  TCP	127.0.0.1:1052		 127.0.0.1:1433		 ESTABLISHED
  TCP	127.0.0.1:1053		 127.0.0.1:1433		 ESTABLISHED
  TCP	127.0.0.1:1054		 127.0.0.1:1433		 ESTABLISHED
  TCP	127.0.0.1:1433		 127.0.0.1:1047		 ESTABLISHED
  TCP	127.0.0.1:1433		 127.0.0.1:1048		 ESTABLISHED
  TCP	127.0.0.1:1433		 127.0.0.1:1050		 ESTABLISHED
  TCP	127.0.0.1:1433		 127.0.0.1:1051		 ESTABLISHED
  TCP	127.0.0.1:1433		 127.0.0.1:1052		 ESTABLISHED
  TCP	127.0.0.1:1433		 127.0.0.1:1053		 ESTABLISHED
  TCP	127.0.0.1:1433		 127.0.0.1:1054		 ESTABLISHED
  TCP	127.0.0.1:2602		 127.0.0.1:7000		 ESTABLISHED
  TCP	127.0.0.1:3175		 127.0.0.1:7000		 ESTABLISHED
  TCP	127.0.0.1:5001		 127.0.0.1:1088		 CLOSE_WAIT
  TCP	127.0.0.1:7000		 127.0.0.1:2602		 ESTABLISHED
  TCP	127.0.0.1:7000		 127.0.0.1:3103		 TIME_WAIT
  TCP	127.0.0.1:7000		 127.0.0.1:3175		 ESTABLISHED
  TCP	192.168.33.3:1637	  222.76.64.57:8000	  ESTABLISHED
  TCP	192.168.33.3:2603	  207.46.110.40:80	   ESTABLISHED
  TCP	192.168.33.3:3176	  74.54.68.215:80		ESTABLISHED
  TCP	192.168.33.3:8080	  192.168.16.29:1529	 ESTABLISHED
  TCP	192.168.33.3:8080	  192.168.33.75:4849	 TIME_WAIT
  TCP	192.168.33.3:8080	  192.168.33.75:4854	 TIME_WAIT
  TCP	192.168.33.3:8080	  192.168.44.22:2778	 TIME_WAIT
  TCP	192.168.33.3:8080	  192.168.44.22:2779	 TIME_WAIT
  TCP	192.168.33.3:8080	  192.168.44.22:2780	 TIME_WAIT
  TCP	192.168.33.3:8080	  192.168.44.22:2782	 ESTABLISHED
  TCP	192.168.33.3:8080	  192.168.44.22:2783	 TIME_WAIT
  TCP	192.168.33.3:8080	  192.168.44.22:2784	 TIME_WAIT
  TCP	192.168.33.3:8080	  192.168.90.60:1746	 FIN_WAIT_2
  TCP	192.168.33.3:8080	  192.168.90.60:1747	 FIN_WAIT_2

C:\Documents and Settings\hackp13$>
```
Netstat 2

```
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\hackp13$>netstat -nr

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 11 11 5f 28 60 ...... Intel(R) PRO/1000 CT Network Connection
0x1000004 ...00 11 11 5f 28 62 ...... Intel(R) PRO/100 VE Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination		Netmask		  Gateway	   Interface  Metric
		  0.0.0.0		  0.0.0.0   192.168.33.154	192.168.33.3	   1
		127.0.0.0		255.0.0.0		127.0.0.1	   127.0.0.1	   1
		172.0.0.0		255.0.0.0   192.168.33.154	192.168.33.3	   1
	 192.168.10.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.11.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.12.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.14.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.16.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.18.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.20.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.22.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.23.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.24.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.25.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.31.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.33.0	255.255.255.0	 192.168.33.3	192.168.33.3	   1
	 192.168.33.3  255.255.255.255		127.0.0.1	   127.0.0.1	   1
   192.168.33.255  255.255.255.255	 192.168.33.3	192.168.33.3	   1
	 192.168.36.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.37.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.38.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.39.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.44.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.45.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.60.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.61.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.64.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.65.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.66.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.67.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.68.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.70.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.80.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.88.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	 192.168.90.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	192.168.100.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	192.168.140.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
	192.168.171.0	255.255.255.0   192.168.33.154	192.168.33.3	   1
		224.0.0.0		224.0.0.0	 192.168.33.3	192.168.33.3	   1
  255.255.255.255  255.255.255.255	 192.168.33.3	192.168.33.3	   1
Default Gateway:	192.168.33.154
===========================================================================
Persistent Routes:
  Network Address		  Netmask  Gateway Address  Metric
	 192.168.22.0	255.255.255.0   192.168.33.154	   1
	 192.168.23.0	255.255.255.0   192.168.33.154	   1
	 192.168.11.0	255.255.255.0   192.168.33.154	   1
	 192.168.14.0	255.255.255.0   192.168.33.154	   1
	 192.168.24.0	255.255.255.0   192.168.33.154	   1
	 192.168.16.0	255.255.255.0   192.168.33.154	   1
	 192.168.12.0	255.255.255.0   192.168.33.154	   1
	 192.168.44.0	255.255.255.0   192.168.33.154	   1
	 192.168.45.0	255.255.255.0   192.168.33.154	   1
	 192.168.88.0	255.255.255.0   192.168.33.154	   1
	 192.168.38.0	255.255.255.0   192.168.33.154	   1
	 192.168.31.0	255.255.255.0   192.168.33.154	   1
	 192.168.37.0	255.255.255.0   192.168.33.154	   1
	 192.168.39.0	255.255.255.0   192.168.33.154	   1
	 192.168.36.0	255.255.255.0   192.168.33.154	   1
	192.168.100.0	255.255.255.0   192.168.33.154	   1
	 192.168.20.0	255.255.255.0   192.168.33.154	   1
	 192.168.80.0	255.255.255.0   192.168.33.154	   1
	 192.168.10.0	255.255.255.0   192.168.33.154	   1
	192.168.140.0	255.255.255.0   192.168.33.154	   1
		172.0.0.0		255.0.0.0   192.168.33.154	   1
	 192.168.25.0	255.255.255.0   192.168.33.154	   1
	 192.168.90.0	255.255.255.0   192.168.33.154	   1
	 192.168.60.0	255.255.255.0   192.168.33.154	   1
	 192.168.61.0	255.255.255.0   192.168.33.154	   1
	 192.168.66.0	255.255.255.0   192.168.33.154	   1
	 192.168.67.0	255.255.255.0   192.168.33.154	   1
	 192.168.64.0	255.255.255.0   192.168.33.154	   1
	 192.168.65.0	255.255.255.0   192.168.33.154	   1
	 192.168.68.0	255.255.255.0   192.168.33.154	   1
	 192.168.70.0	255.255.255.0   192.168.33.154	   1
	 192.168.18.0	255.255.255.0   192.168.33.154	   1
	192.168.171.0	255.255.255.0   192.168.33.154	   1

C:\Documents and Settings\hackp13$>
```
We have a PIX in our workplace.
We have Trend Micro OfficeScan.
We are using Trend Micro Proxy Server.

Is there any new vulnerability in Windows 2003 Server?

Please help... urgent.
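
The `netstat -n` listing quoted above is the most useful artifact in the post for triage. The following is an added example (not from the poster or any vendor) that parses lines in that format and flags the two patterns visible on the page: loopback connections to TCP 1433 on a box that is supposed to be a proxy, not a SQL Server, and outbound connections to public addresses on ports other than ordinary web ports (such as the 222.76.64.57:8000 session). The sample input is constructed from the post's own format; the allowed-port list is an assumption.

```python
import ipaddress
import re

# Constructed sample, copied in the format of the "netstat -n" output in the post.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1047         127.0.0.1:1433         ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1047         ESTABLISHED
  TCP    192.168.33.3:1637      222.76.64.57:8000      ESTABLISHED
  TCP    192.168.33.3:2603      207.46.110.40:80       ESTABLISHED
  TCP    192.168.33.3:8080      192.168.16.29:1529     ESTABLISHED
"""

# One connection line: proto, local ip:port, foreign ip:port, optional state.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign_ip, foreign_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, prompt and blank lines
        proto, lip, lport, fip, fport, state = m.groups()
        rows.append((proto, lip, int(lport), fip,
                     None if fport == "*" else int(fport), state))
    return rows


def triage(text, allowed_public_ports=(80, 443)):
    """Flag connections a proxy admin should look at (assumed policy: only
    plain web ports are expected towards public addresses, no local SQL)."""
    findings = []
    for proto, lip, lport, fip, fport, state in parse_netstat(text):
        try:
            faddr = ipaddress.ip_address(fip)
        except ValueError:
            continue  # e.g. "*" for listening UDP sockets
        desc = f"{lip}:{lport} -> {fip}:{fport} {state}"
        if faddr.is_loopback and 1433 in (lport, fport):
            findings.append(("loopback-mssql", desc))
        elif faddr.is_global and fport not in allowed_public_ports:
            findings.append(("public-nonweb", desc))
    return findings


if __name__ == "__main__":
    for kind, desc in triage(SAMPLE):
        print(kind, desc)
```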


----------



## JusThinK (Apr 26, 2008)

For instant recovery, we reformatted our servers, changed their passwords, and fully patched them with Windows Update. So far, no further attack.

Any help would be great.


----------

