[GLLUG] Server Infection Question
Stanley C. Mortel
mortel at cyber-nos.com
Tue May 5 19:14:54 EDT 2009
I have a client with a compromised server. Not unusual for MS, but this
one I find interesting. Here are some details:
40 GB hard drive, single partition. Windows 2000 server, fully
patched. History of out of date AV software. Has Norton on it. System
getting slower and slower, locking up, blue screen......yada, yada,
yada. Entire network crawling. History of getting blacklisted for spam.
Would not let me copy the partition using Acronis. Said "Not enough
space on drive" even though I was copying from a 40 GB partition to a 120
GB drive. When Acronis starts, it shows the infected drive at about 30+
GB, then after analyzing the drives before the copy it shows it
completely full.
Could not copy files from within Win2K to a newly formatted drive.
Tells me access denied. I tried it on two different drives to be sure
the one receiving data wasn't bad.
The really interesting thing is that when I put it in an XP box to copy
to another drive it infected XP during the boot/logon process. At the
first logon, the windows alert popped up telling me that the anti-virus
was not working. It was turned off and real-time scanning could not be
turned on. I tried this twice, with "pristine" installs of XP Pro with
Computer Associates Internet Security Suite installed and everything
completely up to date. I find this of note because I didn't think that
could happen. At least I've never seen it. I never accessed the infected
drive at all. The only way it was accessed is by the Windows O.S.
during the boot/logon process. As far as I know, the autorun feature is
now turned off by default in XP, though that shouldn't come into play
anyway, given that I never accessed the drive.
Ran the CA anti-virus, which worked even though the real-time was
disabled. Found several email/spam related worms: Win32/Sobig.B,
Sobig.E!Zip, Klez.H. Also found Win32/Magistr.29188 that I think is
more problematic. I'm guessing that the real culprit went undetected.
Any ideas? Mainly I want to know if this is something that warrants
further forensics before I wipe the drive, i.e., is this something new?
I can probably dd the partition, the boot sector, and the partition
table. If it stops Linux from doing that, then I'll really be
surprised. I plan to put the drive in a Linux box tomorrow and run
ClamAV on it. But, before I do that, I thought I'd see if anyone else
finds this case unique or interesting enough to save the evidence. If
anyone has some idea how a "data" drive can infect the OS drive without
anything running, I'd like to hear that too.
As always, thanks for your input.
Stan
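The evidence-preservation steps Stan plans (dd the boot sector and partition table, dd the partition, then scan it from a Linux box with ClamAV) as an added example script; this is not code from the original post. It assumes a Linux analysis host with GNU coreutils and ClamAV installed, and the device path, output directory and mount point names are hypothetical.

```shell
#!/bin/sh
# Added example: preserve a suspect disk before wiping it, then scan it
# without ever executing anything from it. Run as root on the analysis box.
set -eu

# Image sector 0 (boot code + partition table) and the whole device, then
# hash both so the copies can later be shown to be unmodified.
image_disk() {
    src="$1"; outdir="$2"
    mkdir -p "$outdir"
    dd if="$src" of="$outdir/mbr.bin" bs=512 count=1 conv=noerror,sync 2>/dev/null
    # noerror,sync keeps going past unreadable sectors and pads them with
    # zeros; bs=512 keeps the padding sector-sized so the image stays exact.
    dd if="$src" of="$outdir/disk.img" bs=512 conv=noerror,sync 2>/dev/null
    (cd "$outdir" && sha256sum mbr.bin disk.img > SHA256SUMS)
}

# Re-check the images against the stored hashes; exit status 0 when intact.
verify_images() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS) >/dev/null 2>&1
}

# Byte offset of primary partition N inside the image, taken from the MBR
# table: entry N starts at byte 446 + 16*(N-1), and its 4-byte little-endian
# starting LBA sits 8 bytes into the entry (od assumes a little-endian host).
partition_offset() {
    mbr="$1"; n="$2"
    entry=$((446 + 16 * (n - 1) + 8))
    lba=$(od -An -t u4 -j "$entry" -N 4 "$mbr" | tr -d ' ')
    echo $((lba * 512))
}

# Loop-mount the partition read-only (no exec, no device nodes, no setuid)
# straight from the image and let ClamAV walk it; the disk itself is never
# mounted, so nothing on it can run on the analysis host.
scan_partition() {
    img="$1"; off="$2"; mnt="$3"
    mkdir -p "$mnt"
    mount -o ro,noexec,nodev,nosuid,offset="$off" "$img" "$mnt"
    clamscan -r --infected --log="$mnt.clamscan.log" "$mnt" || true
    umount "$mnt"
}

# Typical use (device and paths are hypothetical):
#   image_disk /dev/sdb /mnt/evidence/client
#   scan_partition /mnt/evidence/client/disk.img \
#       "$(partition_offset /mnt/evidence/client/mbr.bin 1)" /mnt/suspect
```

Keep the SHA256SUMS file with the images; being able to re-run `verify_images` later is what makes the copy usable as evidence rather than just a backup.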