Close Encounters of the Hacker Kind: A Story from the Front Line
It all started with a fairly innocent call from a client/friend of the family who was having Internet problems. Specifically, he was wondering why his T1 line was moving uncharacteristically slow and was concerned that he may have contracted a virus. This particular client had a past history of becoming victim to viruses and worms, so his concern was valid. I said I would take a look.
Having discovered this client's previous infestation, I was expecting that he probably had become the victim of yet another worm or virus and just needed some simple suggestions and pointers on how to remove it. To my surprise, this prejudice only scratched the surface of the many problems this client was having. As you will learn, my client's network not only had become infected by digital worms, but it also had become home to both a horde of hackers using it as a warez server and a brand new IRC Trojan/IIS worm named Total Kill.
This particular client is one of those small businesses that doesn't need to hire a full-time computer person. Instead, it relies on the good will and part-time support of friends and family members. As a result, its network has been through the hands of several competent but distinctly unique support personnel during the last couple years, all of which have added to the overall layout and configuration of the network. What makes matters more interesting is that the client was previously a miniInternet service provider (ISP) for some local-area businesses.
Due to its ISP business, the client purchased a T1 and, with it, several hundred IP addresses and the equipment to manage them. So as to not put these addresses to waste, one of the previous administrators had set up a Cisco router and DHCP server to provide each internal computer with a unique public IP address. In other words, every device on the network has a dedicated IP address that was accessible from the Internet.
At the core of this network is one computer hosting a multitude of services. The computer, running Microsoft's NT4 operating system, operated as a DNS server, DHCP server, Exchange server, primary domain controller, and file server; it also acted as a host to a custom database program for the business. Due to the many services this computer was providing, it was a primary target for viruses and worms. In fact, five months before this situation, the server was inoculated from a Nimda infestation.