Security Incidents mailing list archives

win2k server issue


From: "RUSSELL T. LEWIS" <RUSSELL_T._LEWIS () spectralresponse com>
Date: Thu, 27 Jun 2002 16:53:24 -0400

We are running Win2k Server SP2 with all the hotfixes applied (thanks to
hfnetchk.exe).  Yesterday when I came into work (for my dad) the Internet
connection was down.  Needless to say, no one was happy, so I called the ISP.
Their service was up, but when they logged into our router, they noticed the
problem.  Something was filling up all our NAT sessions.  All the requests came
from one IP on port 6667 (IRC port).  After about 1-2 minutes all 250 NAT
sessions would become tied up and no one else could access the Internet.  As a
quick fix, I shut down the PC that was causing all the NAT sessions.
Unfortunately it is our Win2k server which runs the website, ftp, listserv, and
Great Plains accounting stuff.  So it's a critical PC.  I installed ZoneAlarm's
free firewall (via a CD so the server didn't get on the network causing more
chaos) and then after a configuration, I reconnected the server to the network.
Slowly enabling different programs Internet access, I got to the point where
accounting could run Great Plains again, and all the other servers were up.

There is a suspicious exe on the server in the C: drive, mipckov.exe, and it
tried to access the Internet.  I have no clue what this is, but when we ended
its task, and took it off the server (it's backed up) nothing seems broken.  I
uninstalled ZoneAlarm yesterday and everything has been running smoothly.
That is until after lunch.  We re-ran the mipckov earlier this morning because
accounting was having a problem, but running it didn't solve the issue, nor did
it seem to break anything.  When the Internet went down, that exe was running
and I killed it, and have again deleted it.  I also called the ISP again.  They
logged in to the router and said that all the sessions are outbound using the
internal port of 2465 and converts to the outside world port 6667.  This time
NAT sessions were opened on 3 IPs.  Most of the sessions came from the 2k server.

I looked into the other 2 IPs. One is a client PC assigned via DHCP, and it has
no trace of mipckov.exe or any abnormal things that run on startup in the
registry (mipckov had a registry key to run it on boot; it was also in the C:,
which seems odd because it's a fairly new file (created June 12) and Win2k is
installed on E:).  Here's the really weird thing: the 3rd IP I was given isn't
leased out via DHCP, nor does our Norton Antivirus Corporate Edition show any
users with that IP (every client has NAV CE on it).  So a NAT session was opened
by an IP that isn't used, and you can't ping it internally.  I really have no
idea as to what to do to try and solve this weird set of issues.  I work for my
dad to try and help his company out because I know a good bit about PCs in
general, but this is all new to me.  I unfortunately have no certifications and
have not taken any classes on this stuff, but then again, I'm only a teenager
trying to help my dad save a ton of money on his IT staff (I'm it...).

It is worth mentioning that I ran a scan on all our servers and clients last
night with the latest definition files and not one virus turned up.

If anyone has any ideas, tips, resources, input, similar experiences, etc.
PLEASE let me know.  Anything to work with is greatly appreciated.  I don't
really know where to turn to for help on this matter, so maybe some of you have
some ideas.

Again, Thank you!
-Russell Lewis
rtlewis () spectralresponse com



In talking with Marc Fossi (SecurityFocus, www.securityfocus.com), after
sending him a zip with the suspicious files, he said:

"It looks like Kaiten, a DDoS bot (try doing a Google search on "kaiten
ddos").  I would suggest reposting your original message to
incidents () securityfocus com.  People there can help you out
with determining how it got there and how to get rid of it."


So, any ideas on how it got on our server?  How can I be sure it's gone?

THANKS

I just got the components to make a PC that will run RedHat 7.3 and DeepSight
Sensor 1.6 Beta RPM and will be setting that up next week.  Hopefully this will
let us prevent such an issue again.

Russell Lewis
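The symptom described in the post (one host opening outbound sessions to TCP 6667 until the router's NAT table is exhausted, plus a source address that no DHCP lease accounts for) can be checked mechanically against a dump of the router's NAT session table. This is an added example and not part of the original thread; the table line format, the addresses, the inventory set and the 20-session threshold are all constructed assumptions.

```python
import re
from collections import Counter

IRC_PORT = 6667
# Hypothetical NAT table line format: "tcp SRC_IP:SRC_PORT -> DST_IP:DST_PORT"
SESSION_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$")

# Constructed sample NAT table: 30 sessions from the server to an IRC port,
# a few from a DHCP client, two from an address with no lease, and some
# ordinary web traffic that should not be flagged.
SAMPLE_NAT_TABLE = "\n".join(
    [f"tcp 192.168.1.20:{2465 + i} -> 203.0.113.7:6667" for i in range(30)]
    + [f"tcp 192.168.1.35:{3000 + i} -> 203.0.113.7:6667" for i in range(5)]
    + [f"tcp 192.168.1.77:{4000 + i} -> 203.0.113.7:6667" for i in range(2)]
    + [f"tcp 192.168.1.40:{5000 + i} -> 198.51.100.9:80" for i in range(3)])

# Constructed inventory: addresses the DHCP leases and static assignments cover.
KNOWN_HOSTS = {"192.168.1.20", "192.168.1.35", "192.168.1.40"}


def parse_sessions(table):
    """Parse NAT table lines into dicts; lines that do not match are skipped."""
    sessions = []
    for line in table.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src_port"] = int(d["src_port"])
            d["dst_port"] = int(d["dst_port"])
            sessions.append(d)
    return sessions


def find_irc_floods(sessions, threshold=20, port=IRC_PORT):
    """Return {src_ip: count} for hosts with >= threshold sessions to the IRC port.
    A bot reconnecting to its controller fills a 250-entry NAT table in minutes;
    a human IRC client holds one or two sessions."""
    counts = Counter(s["src_ip"] for s in sessions if s["dst_port"] == port)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_unknown_sources(sessions, known_hosts):
    """Return source addresses present in the NAT table but absent from the
    DHCP/static inventory: a rogue device, a stale lease, or a spoofed source."""
    return sorted({s["src_ip"] for s in sessions} - set(known_hosts))


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_NAT_TABLE)
    print("IRC session floods:", find_irc_floods(sess))
    print("Sources with no lease:", find_unknown_sources(sess, KNOWN_HOSTS))
```

The flagged host is the one to isolate first; the unleased source is worth tracing to a switch port rather than trusting the address itself.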

