Note to readers: For the full story, start with Part 1 if you haven't read it. For a quick synopsis before delving into Part 2, read on!
It all started with a simple call from a worried client who was complaining that his Internet connection seemed slow. From this simple utterance, I eventually discovered that the main server had become the victim of viruses and hackers galore. Through the use of a common Unicode vulnerability, hackers had exploited IIS to take over a client's computerand had even turned it into a warez server that was hosting over 3GB of illegal software.
As a result, I had told my client to immediately wipe the server clean, and start fresh, this time installing all the necessary service packs. After discussing possible protection schemes with the client, I quickly started to remotely investigate server files and to collect as much data as possible about the methods and tricks the hackers had used to take over the server. However, approximately two hours into my investigation, I lost contact with the server. While the server answered to a standard ping, I quickly realized that both the Web server and my back door no longer existed.
This is where we pick up this true tale. So, without further ado, let the story resume!
Rooted by Tkbot.R00t.EDITiON.FiNAL
At this point, I was without a way to remotely access the server. My first thought was that the server had been disabled by the administrator. However, after a quick ping and port scan, I realized that the server was not offline; a phone call to the administrator confirmed that he had done nothing yet. Ironically, the port scan actually returned the same number of open ports as before, with the addition of two (1297 and 65130) and the subtraction of two: the Web server port 80 and port 99 used by ncx99.exe.
Left with no other choice, I decided to connect to these new ports using telnet and FTP clients to see what data they returned. To my surprise, it looked like this server had fallen victim to yet another hacker, as you can see in Figure 1. However, this time the hacker took care to remove the method by which other hackers were gaining access!
Figure 1 Telnet connection to port 65130 on hacked server.
After a few attempts at guessing various common passwords, I contacted the administrator once again to keep him informed of the latest events. I also asked for permission to investigate the server at the physical site and for the administrator account information needed to access the server.