Search This Blog

Friday, September 19, 2008

Who killed Server Rabbit? Part 2

It was patch Tuesday again. Microsoft released some really serious looking patches who nobody can say no to. What nobody expected was another murder right in the morning on Wed. Another dead server rabbit 2003. The scary part was... the symptons were the same. No network and user control panel. Services panels no properties and some GUI errors. Again network was dead.

Now, it really doesn't make sense for someone to attack a good machine and not ownz it, but kill it. I took a quick look at the network architecture and I notice this time, that the 2 machines were on different network. One of them were not directly accessible from the outside, except through a VPN tunnel. This make the whole situation even more creepy because if this is a outsider job, he probably has a VPN access.

In any case, the 2003 rabbit was cloned with encase and quarantined. Now I will have to do some serious debugging. Some of the blame flew to MS's patches. I took a look at the 2 new patches applied to the 2003 rabbit. One was serious, the graphics file format attack. I know its possible some site could had actually created a 0 day attack and maybe the server rabbit was just stupid enough to stumble upon it. But highly unlikely. The other patch was the standard once per month malware scan by Microsoft. While I wasted some time on the server rabbit 2003, it finally hit me that I should take a look at the server rabbit XP and see if these patches make sense. Well, the unfortunate case was that it didn't. The XP has around 20 patches. Well, at least 20 patches since the last reboot. This rabbit was not put on a regular reboot routine. All the patches were put in place, but not in effect until it got reboot. This is in general a bad practice as the patches are not effective and when shit happens, it is really hard to tell which patch is the one causing the problem.

Without better options, I scanned again with the same malware tools, hoping to find some similar malware that could explain the situation. The fact was, its clean as ever. Either the malware tool was useless or we are facing a serious 0 day malware.

Next, I examine the logs, which fortunately was not 512KB only. This time audit was also kicked in, but at least some logs make sense. I also extracted the WindowsUpdate.log which details the installation of the patches from both the machine's Windows directory. With these logs, I am looking at a really gloomy weekend...

No comments:

Amazon Gift Cards!

Thanks for viewing!

Copyright © 2008, All rights reserved.