The Worst Server Infection I’ve Ever Seen


With my day job at SmartData I’ve recently been doing some work for a client, transporting their data from the Microsoft SQL Server that back-ends their desktop application and converting it to a different schema on a different database for a new, web-based application. Because there’s quite a lot of data, the schema are quite different, and the data needs to be converted in a “smart” way: I’ve written a program to help with the task.

My program takes data from our client's old server and moves it to their new server, making several alterations along the way.

Unfortunately, it’s a slow process to move all of the data over. So, to test my program as I continue to develop it, I thought it might be useful if I could take a copy of the “live” database to somewhere more local (like my computer). This would remove the overhead of going through the Internet each time, and reduce the run time of the program significantly – an important consideration during its ongoing development.

Unfortunately, a quirk in the way that Microsoft SQL Server works is that the backup file I can make (ready to restore onto my computer) doesn’t appear on my computer, but appears on the old server. And I don’t have a means to get files off the old server. Or do I? I have a username and password: I wonder if there are any other services running on the server to which I might have access. To find out, I use a program called Nmap to try to get a picture of what services are running on the server.

The results of running Nmap on the server. That's a lot of open ports...

And that’s when I realised that something might be wrong. For those of you who aren’t inclined toward understanding the ins and outs of network security, the screenshot above should be considered to be more than a little alarming. There are pretty obvious and clear signs that this computer is infected with Trinoo, NetBus, Back Orifice, and quite probably other malware. It’s almost certainly being used as part of denial of service attacks against other computers, and could well be stealing confidential information from our client’s server and the other computers on their network.
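As an added illustration (not code from the original post), here is the kind of check a defender would run over a saved Nmap report: it parses the port table from Nmap’s normal output and flags open ports that sit on the conventional, widely documented default ports of the three families named above. The scan text is constructed for the example; it is not the post’s real scan.

```python
import re

# Conventional default listening ports of the three malware families named in
# the post (the same defaults nmap-services and most IDS rule sets label).
# Real infections can be reconfigured, so a hit is a prompt to investigate
# the host, not a verdict on its own.
MALWARE_PORTS = {
    ("tcp", 12345): "NetBus",
    ("tcp", 12346): "NetBus",
    ("udp", 31337): "Back Orifice",
    ("tcp", 27665): "Trinoo master",
    ("udp", 27444): "Trinoo daemon",
    ("udp", 31335): "Trinoo daemon-to-master",
}

# One row of Nmap's port table: "12345/tcp open  netbus" (state may be "open|filtered")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

def parse_ports(nmap_output):
    """Return (port, proto, state, service) tuples from Nmap normal-format output."""
    return [(int(port), proto, state, svc)
            for port, proto, state, svc in PORT_LINE.findall(nmap_output)]

def flag_malware_ports(nmap_output):
    """Map each open (or open|filtered) port on a known malware default to its family."""
    hits = {}
    for port, proto, state, _service in parse_ports(nmap_output):
        if state.startswith("open") and (proto, port) in MALWARE_PORTS:
            hits[f"{port}/{proto}"] = MALWARE_PORTS[(proto, port)]
    return hits

# Constructed sample resembling a TCP+UDP Nmap scan; NOT the scan from the post.
SAMPLE = """\
PORT      STATE         SERVICE
135/tcp   open          msrpc
1433/tcp  filtered      ms-sql-s
3389/tcp  open          ms-wbt-server
12345/tcp open          netbus
27665/tcp open          Trinoo_Master
27444/udp open|filtered Trinoo_Bcast
31337/udp open          BackOrifice
"""

if __name__ == "__main__":
    for port, family in sorted(flag_malware_ports(SAMPLE).items()):
        print(f"{port:<10} {family}")
```

Feeding it `nmap -oN` output of a host you administer lets you spot the same pattern the screenshot showed before anyone else does.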

How have things gotten so out of control? I’m not sure. I’ve never seen such a rampant runaway set of infections on a server system before. Computers belonging to individuals, especially individuals inclined to installing BonziBuddy, Smiley Central/Cursor Mania, and so on, are often littered with malware, but one would hope that a server administrator might have a little more wisdom than to let unauthorised code run on a server for which they were responsible. At the very least, a Windows-based, Internet-accessible server ought to be running a strict firewall and antivirus software (virtually all antivirus software would have detected all three of the infections I’ve named above).

Just about anybody can get onto the ‘net, these days, and I can just about forgive a regular Jo who says, “I don’t know anything about computers; I just want to play FarmVille.” It’s disappointing when they end up inadvertently helping to send email advertising “$oft C1ALIS tabs” to the rest of us, and it’s upsetting when they get their credit card details stolen by a Nigerian, but it’s not so much their fault as the fault of the complexities they’re expected to understand in order to protect their new computer. But when somebody’s running a service (as our client is paying for, from a third-party company who’s “managing” their server for them), I’d really expect better.

The Bit for the “Regular Jo”

And if you are a “regular Jo” on a Windows PC and you care enough to want to check that you’re part of the solution and not part of the problem, then you might be interested in a variety of free, trusted:

  • Anti-virus software (essential)
  • Adware/spyware removal tools (useful if you routinely install crap downloaded from the web), and
  • Firewall software (essential if you connect “directly” to the Internet, rather than via a “router”, or if you’re ever on networks on which you can’t trust the other network users – e.g. free wi-fi access points, shared Internet connections in student houses, etc.)

Edit: And don’t forget to regularly install your Windows Updates. Thanks to Gareth for the reminder that regular Jos should be encouraged to do this, too.

Dan Q is a software engineer, a director of a voluntary organisation, a trainee counsellor, a keen geocacher, and an amateur magician. He lives with his partner and her husband in a polyamorous triad, and occasionally finds time to blog.

2 Comments

  1. Gareth 5 years ago

    How have things gotten so out of control?

    I’d put money on it being a lack of patching, or a weak password for one of the accounts on the system. It looks like MS Terminal Server is open, I presume to the world and not just SmartData, so could be an easy way in. Do they have a website? Any access to its logs? Wondering about SQL Injection there.

    What did the “managing” company say? (I can guess…)

    FWIW I’d add “regularly run Windows Update” to your list for “regular Jo” too. For a server I’d replace “Firewall software” with “use a hardware firewall, configured to block everything, then only unblock what you know you need” too, but then your list isn’t aimed at “regular Jo sysadmins” ;-)

  2. Scatman Dan 5 years ago

    Well said, Gareth. Yeah, my “regular Jo” list was for regular Jos. Sysadmins should be expected to be a lot smarter.

    Awaiting a response from the managing company. I suggested that they hardware-firewall off EVERYTHING except the critical ports immediately and get started on moving the data off to a fresh server, move the IP address over to minimise downtime, and then reformat and reinstall the old server.

    MS Terminal Server isn’t actually open to SmartData at all! But is to the world, and it’s a likely attack vector, yes. No website hosting from that machine, and I don’t believe there’s any direct connection to it from their web server; not sure what the HTTPS server is (only just discovered that; it’s some variety of HTTP Authentication protected service, perhaps a control panel of some sort): all we ever knew about the server was how to get in to MS SQL on it; the rest of its services we’re unaware of.

    What boggles my mind is that we had to get our IP whitelisted on their firewall to get access to MS SQL (you’ll note that MS SQL doesn’t appear on the port scan, which I took from a different machine just to illustrate quite how “wide open” they are), so they’re running some kind of firewall… it’s just not blocking all of the important things!

    /sighs/