From: Henry Sieff (hsieff@ORTHODON.COM)
Date: Wed Apr 04 2001 - 11:22:43 CDT


    > -----Original Message-----
    > From: Kyle Buehler [mailto:kyle@GRNDZERO.ORG]
    > Sent: Monday, April 02, 2001 1:09 PM
    > To: FOCUS-MS@SECURITYFOCUS.COM
    > Subject: Windows 2000 Server Questions
    >
    >
    > So here's the situation. I'm the "New IT Guys". There have
    > been 3 before me, and I'm working on a Windows 2000 Server
    > that has been setup via a tagteam of consultants. I'm not a
    > Microsoftie by nature, but I deal with it here and there and
    > in Advanced Windows 2000 at school. *joke* Nonetheless, I'm
    > getting into it. Anyway, here are some problems that are
    > confusing me at the current moment ...
    >
    > 1. I did a security audit against the server using Nessus
    > and it came back with ports 34555/udp, 27444/udp, 18753/udp,
    > and 10498/tcp possibly running Trin00, Trin00, Shaft, and
    > mstream respectively. I ran a few nmap scans against it and
    > did not find the port open. netstat -an didn't yield any info
    > either. I thought at first it was just catching normal
    > traffic, but multiple scans have come out the same. Any idea
    > what this could be? McAfee is up to date and running full
    > scans once a night, and research shows that it should catch
    > all the possible trojans.
    >
    > 2. Ports 6666 and 6667 are open also, but yield no warnings
    > from Nessus. I know we are not running an irc server, so is
    > there any 2k service that claims those ports? Again, netstat
    > didn't show anything useful.

    Depending on what kind of hardware you are running, and what
    extraneous stuff has been added to that server, those could be trojans
    or something less innocuous. There is a tool called inzider
    (http://ntsecurity.nu/toolbox/inzider/) which will tell you what apps
    are listening on what ports. That should help.

    > In my scan I found that only SP1 had been applied and the
    > server was in desperate need of netbios-ssn hotfixes since
    > I'm not quite sure whether I have a cracker on my tail or
    > not. I downloaded the required patches and applied them
    > individually.

    Good. Keep in mind that depending on what you later find, you may want
    to rebuild from scratch.

    >
    > 3. Is there a way to apply the patches without having to
    > reboot every time? This is a server that takes 5-10 minutes
    > for a full cycle. Once I applied the patches I ran my scans
    > again and the "problem" hadn't been fixed. Am I doing
    > something wrong just running them?

    Well, the patches won't remove the trojans if they are already there.
    Read up on each trojan (I recommend www.whitehats.org) and look for
    the signs in the registry and the .ini's for an infection.

    As for not rebooting, it depends on what the patch does; if you are
    sure that they are dealing with completely different files or registry
    settings, just don't hit the "ok". But, that can be risky if you don't
    know exactly what each patch is doing.

    > 4. Nessus found /_vti_bin/_vti_aut/dvwssr.dll ... I read up
    > on this, except I can't find it in the directory shown, and
    > that file doesn't come up by name in a find. Does it have
    > another alias or counterpart?

    That path will be relative to your web root. Also, find uses your
    default view options; chances are you have it set to hide files with
    registered extensions, which will hide *.dll's. I recommend changing
    this setting and applying it to all folders (it will be in folder options
    under tools in the view window, i.e. go to my computer).

    >
    > 5. The server is running Exchange, and it allows open
    > relaying which I am kind of concerned about. Currently the
    > consultant is the one working the Exchange Setup ( I plan to
    > remedy that eventually), but where can I get some info on
    > configuring something like that. Just looking at the Server
    > Manager really looks like he got it working, and didn't go
    > any farther than that.

    Upgrade to SP4 and read
    http://www.microsoft.com/technet/exchange/relay.asp, which should
    guide you through the process. Note that pop3/smtp clients will need
    to be changed if they are coming from the internet to authenticate
    etc. but whatever, that's the price.

    > Any help would be appreciated.

    Good luck; my recommendation, if the prior techs haven't kept usable
    logs on the servers, is to redo them, although I understand this may
    not be feasible. If you do find actual trojan executables on your
    machine all bets are off on securing it.

    But, chances are you're okay if inzider reports only legitimate apps
    listening. Exchange and Win2K have a lot of crap installed by default
    which would account for those strange listening ports.

    Henry
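The thread's first question (ports flagged by the scanner that neither nmap nor netstat showed as open) comes down to one check: for each port the scanner named, is there actually a local listener, and if so, which process owns it? The script below is an added example and is not part of the original thread or of inzider; it parses the output of `netstat -ano` (the `-o` PID column exists from Windows XP onward, so on the Windows 2000 host in the thread the PID mapping would come from inzider instead) and cross-checks it against the ports named in the scan report. The netstat lines are constructed sample data, and the trojan names are the scanner's own port-based guesses, carried over as labels only.

```python
"""Cross-check scanner-flagged ports against what is actually listening.

Added example (not from the original thread). Parses `netstat -ano`
output, keeps TCP sockets in LISTENING state plus every UDP socket, and
reports, for each port a scanner flagged, the owning PID or that nothing
is listening at all. The sample netstat text is constructed.
"""
import re
from dataclasses import dataclass

# Ports named in the scan report above. The labels are the scanner's
# port-number-based guesses, not confirmed findings.
FLAGGED = {
    ("udp", 34555): "Trin00 (scanner guess)",
    ("udp", 27444): "Trin00 (scanner guess)",
    ("udp", 18753): "Shaft (scanner guess)",
    ("tcp", 10498): "mstream (scanner guess)",
    ("tcp", 6666): "IRC-range port, no scanner warning",
    ("tcp", 6667): "IRC-range port, no scanner warning",
}

# Constructed sample of `netstat -ano` output in the Windows layout.
# UDP rows have no State column, so the PID follows the foreign address.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2244
  TCP    10.0.0.5:139           10.0.0.9:1042          ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:27444          *:*                                    3012
"""

# Proto, local addr:port, foreign addr, optional state, PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s+(\d+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    pid: int


def parse_netstat(text):
    """Return the local listeners found in netstat output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, _addr, port, state, pid = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue  # established/time-wait sockets are not listeners
        found.append(Listener(proto, int(port), int(pid)))
    return found


def cross_check(flagged, listeners):
    """Map each flagged (proto, port) to its owning PID, or None.

    None means nothing local is bound to that port: the scanner's
    port-based guess has no listener behind it, which is the situation
    the original poster describes for the Trin00/Shaft/mstream ports.
    """
    by_key = {(l.proto, l.port): l.pid for l in listeners}
    return {key: by_key.get(key) for key in flagged}


def report(flagged, text):
    """Human-readable lines, one per flagged port."""
    result = cross_check(flagged, parse_netstat(text))
    lines = []
    for (proto, port), pid in sorted(result.items()):
        if pid is None:
            status = "no local listener (probable scanner false positive)"
        else:
            status = f"listening, PID {pid} (identify this process)"
        lines.append(f"{port}/{proto}: {status} - {flagged[(proto, port)]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(FLAGGED, SAMPLE_NETSTAT)))
```

Ports that come back with a PID are the ones worth the follow-up Henry describes (identify the owning executable, then check it against the trojan write-ups); ports with no listener at all point at the scanner matching on port number rather than on service behaviour, and the next step there is to read the scanner's raw output and rescan rather than to assume an infection.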