[GLLUG] Server Infection Question

Stanley C. Mortel mortel at cyber-nos.com
Tue May 5 19:14:54 EDT 2009


I have a client with a compromised server.  Not unusual for MS, but this 
one I find interesting.  Here are some details:

40 GB hard drive, single partition.  Windows 2000 server, fully 
patched.  History of out of date AV software.  Has Norton on it.  System 
getting slower and slower, locking up, blue screen......yada, yada, 
yada.  Entire network crawling.  History of getting blacklisted for spam.

Would not let me copy the partition using Acronis.  Said "Not enough 
space on drive" even though I was copying from a 40 GB partition to a 120 
GB drive.  When Acronis starts, it shows the infected drive at about 30+ 
GB, then after analyzing the drives before the copy it shows it 
completely full.

Could not copy files from within Win2K to a newly formatted drive.  
Tells me access denied.  I tried it on two different drives to be sure 
the one receiving data wasn't bad.

The really interesting thing is that when I put it in an XP box to copy 
to another drive it infected XP during the boot/logon process.  At the 
first logon, the Windows alert popped up telling me that the anti-virus 
was not working.  It was turned off and real-time scanning could not be 
turned on.  I tried this twice, with "pristine" installs of XP Pro with 
Computer Associates Internet Security Suite installed and everything 
completely up to date.  I find this of note because I didn't think that 
could happen.  At least I've never seen it.  I never accessed the infected 
drive at all.  The only way it was accessed is by the Windows OS 
during the boot/logon process.  As far as I know, the autorun feature is 
now turned off by default in XP, though that shouldn't come into play 
anyway, given that I never accessed the drive.

Ran the CA anti-virus, which worked even though the real-time was 
disabled.  Found several email/spam related worms:  Win32/Sobig.B, 
Sobig.E!Zip, Klez.H.  Also found Win32/Magistr.29188 that I think is 
more problematic.  I'm guessing that the real culprit went undetected. 

Any ideas?  Mainly I want to know if this is something that warrants 
further forensics before I wipe the drive, i.e., is this something new?  
I can probably dd the partition, the boot sector, and the partition 
table.  If it stops Linux from doing that, then I'll really be 
surprised.  I plan to put the drive in a Linux box tomorrow and run 
ClamAV on it.  But, before I do that, I thought I'd see if anyone else 
finds this case unique or interesting enough to save the evidence.  If 
anyone has some idea how a "data" drive can infect the OS drive without 
anything running, I'd like to hear that too.

As always, thanks for your input.

Stan
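
Added example, not code from the post or from any product it names: a POSIX shell script for the evidence-preservation step Stan proposes (dd the boot sector, the partition table and the partition from a Linux box, then run ClamAV over the result). It reads the suspect device only through dd, never mounts it, hashes the device and every image so later changes are detectable, walks the MBR partition table to carve each used partition into its own image, and calls clamscan only if it is installed. The device path and output directory are placeholders; the `make_test_disk` fixture is a constructed 2 MiB disk file with one fake NTFS-typed partition, not a real drive, and the MBR parsing assumes a little-endian host such as the x86 box in the post.

```shell
#!/bin/sh
# Added example (not from the original post): read-only imaging and triage of a
# suspect disk. DEVICE is an assumption (e.g. /dev/sdb); the fixture at the
# bottom is a constructed disk file, not a real drive.
set -u

SECTOR=512

# SHA-256 of a file, using whichever tool the host provides.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Return 0 if the 0x55AA boot signature is present at bytes 510-511.
has_boot_signature() {
    [ "$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]
}

# Print "type start_lba sector_count" for MBR partition entry N (1-4).
# The table is little-endian on disk and od -tu4 reads host order, so this
# assumes a little-endian host (x86/x86-64).
mbr_entry() {
    off=$((446 + ($2 - 1) * 16))
    printf '%s %s %s\n' \
        "$(od -An -tu1 -j $((off + 4))  -N 1 "$1" | tr -d ' \n')" \
        "$(od -An -tu4 -j $((off + 8))  -N 4 "$1" | tr -d ' \n')" \
        "$(od -An -tu4 -j $((off + 12)) -N 4 "$1" | tr -d ' \n')"
}

# image_disk DEVICE OUTDIR: copy the MBR, the whole device and each used
# partition, then hash everything. bs=512 with conv=noerror,sync keeps the
# image sector-aligned with the source even if a sector is unreadable.
image_disk() {
    dev="$1"; out="$2"
    mkdir -p "$out" || return 1
    dd if="$dev" of="$out/mbr.bin" bs=$SECTOR count=1 conv=noerror,sync 2>/dev/null || return 1
    has_boot_signature "$out/mbr.bin" || { echo "no MBR signature on $dev" >&2; return 1; }
    dd if="$dev" of="$out/disk.img" bs=$SECTOR conv=noerror,sync 2>/dev/null || return 1
    n=1
    while [ $n -le 4 ]; do
        # Word-splitting is intended: $1=type $2=start $3=count (type 0 = unused slot).
        set -- $(mbr_entry "$out/mbr.bin" $n)
        if [ "$1" -ne 0 ] && [ "$3" -gt 0 ]; then
            dd if="$dev" of="$out/part$n.img" bs=$SECTOR skip="$2" count="$3" conv=noerror,sync 2>/dev/null || return 1
            printf 'part%d type=0x%02x start=%d sectors=%d\n' "$n" "$1" "$2" "$3" >> "$out/layout.txt"
        fi
        n=$((n + 1))
    done
    for f in "$out"/*.bin "$out"/*.img; do hash_of "$f" > "$f.sha256"; done
    hash_of "$dev" > "$out/device.sha256"
}

# verify_image OUTDIR: the full image must hash identically to the device.
verify_image() {
    [ "$(cat "$1/device.sha256")" = "$(cat "$1/disk.img.sha256")" ]
}

# scan_images OUTDIR: ClamAV pass over the carved images. Returns 2 when
# clamscan is not installed so the rest of the workflow still runs.
scan_images() {
    command -v clamscan >/dev/null 2>&1 || return 2
    clamscan --infected "$1"/*.img
}

# triage DEVICE OUTDIR: image, verify, scan. Returns 0 only if the image verified.
triage() {
    image_disk "$1" "$2" && verify_image "$2" || return 1
    if scan_images "$2"; then echo "clamscan: clean" >&2
    elif [ $? -eq 2 ]; then echo "clamscan not installed; images kept in $2" >&2
    else echo "clamscan: infected files found, see output above" >&2; fi
    return 0
}

# Constructed fixture (not a real drive): 2 MiB of zeros, one MBR entry for an
# NTFS-typed (0x07) partition at LBA 63 for 2048 sectors, a marker string in its
# first sector, and the 0x55AA signature.
make_test_disk() {
    dd if=/dev/zero of="$1" bs=$SECTOR count=4096 2>/dev/null
    printf '\200\001\001\000\007\376\377\377\077\000\000\000\000\010\000\000' \
        | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'FAKE-BOOT-SECTOR' | dd of="$1" bs=$SECTOR seek=63 conv=notrunc 2>/dev/null
}
```

Usage on a real drive would be `triage /dev/sdb /mnt/evidence/case1` from a Linux box with the disk attached but not mounted; the `.sha256` files and `layout.txt` are what you keep alongside the images. Hashing the device before and after the copy is the cheap check that the drive did not change while it was attached, which is the question the post is really asking.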

