bamed.org | chown -R bamed. ~/base

Pwned

Once a month I visit St Mary’s Catholic Church here in town to do maintenance on their computers and take care of whatever computer problems they have. They usually have a list of small things for me to either take care of or show them how to do. A few weeks ago I got an email from their server telling me their CPU utilization was hovering around 90%. So I RDP’d into it and discovered they had been pwned!! It appeared someone had used the latest DNS vulnerability in Server 2003 to get into their system, and they were scanning for other servers with the same vulnerability and compromising them as well. I cleaned it up the best I could and made a note to look into it more when I had time. Unfortunately, the past few weeks have been VERY busy and I haven’t had any more time to look into it. So Saturday I went over there and spent some more time investigating. I discovered a couple of rootkits and removed them, rebooted, and then AD failed to work, thus Exchange wouldn’t start; I couldn’t even get the Event Log service to start, so I couldn’t see from the logs what was going on. So I spent all weekend investigating and eventually discovered that one of the rootkits installed itself as a Service, looked like a legitimate service, and made itself a dependency of various other services such as the Event Log Service. There was also something about the way they did this that prevented me from viewing the “Dependencies” tab for each of the services that wouldn’t start. Very sneaky!!!
Anyway, I cleaned up all the registry entries referring to this service, rebooted and everything came back up. I’ve finished patching it and all is well! Now I’m going to see if I can get them a little better protected from these kinds of Zero-Day Exploits.
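The dependency trick described above (a rogue service inserted into the `DependOnService` list of legitimate services so that removing it breaks Event Log, AD and the rest) can be spotted from the registry without relying on the Services MMC dependencies tab. The following script is an added example, not code from the original post or from the author; it assumes PowerShell 2.0 or later and the standard `HKLM\SYSTEM\CurrentControlSet\Services` layout, and the "binary must live under %SystemRoot%" heuristic is an assumption chosen for illustration, not an authoritative allow-list.

```powershell
# Added example (not from the original post): walk every service key in the
# registry, follow its DependOnService entries, and flag dependencies that
# point at a service key which does not exist or whose binary lives outside
# %SystemRoot%. Assumes PowerShell 2.0+ and the standard Services key layout.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = [Environment]::GetEnvironmentVariable('SystemRoot')

# Map lower-cased service name -> its registry values (ImagePath, DependOnService, ...).
$services = @{}
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props) { $services[$_.PSChildName.ToLower()] = $props }
}

function Get-ExpandedImagePath($props) {
    # Expand %SystemRoot%-style variables and strip trailing arguments.
    if ($null -eq $props -or $null -eq $props.ImagePath) { return $null }
    $raw = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath)
    $raw = $raw -replace '^\\\?\?\\', ''          # drivers use a \??\ prefix
    if ($raw -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($raw.Trim() -split '\s+')[0]          # unquoted path: first token
}

function Get-ServiceBinary($name, $props) {
    # svchost-hosted services keep the real code in Parameters\ServiceDll.
    $exe = Get-ExpandedImagePath $props
    if ($exe -and $exe -like '*\svchost.exe') {
        $params = Get-ItemProperty -Path "$servicesKey\$name\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) {
            return [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
        }
    }
    return $exe
}

$findings = @()
foreach ($name in $services.Keys) {
    $deps = $services[$name].DependOnService
    if (-not $deps) { continue }
    foreach ($dep in @($deps)) {
        if ([string]::IsNullOrEmpty($dep) -or $dep.StartsWith('+')) { continue }  # '+' = group name
        $depName = $dep.ToLower()
        if (-not $services.ContainsKey($depName)) {
            $findings += New-Object PSObject -Property @{
                Service = $name; DependsOn = $dep; Binary = $null
                Reason  = 'dependency service key does not exist' }
            continue
        }
        $binary = Get-ServiceBinary $depName $services[$depName]
        if ($binary -and -not ($binary -like "$systemRoot\*")) {
            $findings += New-Object PSObject -Property @{
                Service = $name; DependsOn = $dep; Binary = $binary
                Reason  = 'dependency binary outside %SystemRoot%' }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No suspicious service dependencies found.'
} else {
    $findings | Sort-Object Service | Format-Table Service, DependsOn, Reason, Binary -AutoSize
}
```

Run it from an elevated PowerShell prompt on the server being examined. Legitimate third-party software (backup agents, antivirus) will also show up under the "outside %SystemRoot%" rule, so the output is a shortlist to review against a known-good baseline rather than a verdict; a dependency on a service key that does not exist at all, or on an unfamiliar binary that several core services suddenly depend on, is the pattern worth chasing. Because the script reads the registry directly, it does not depend on the Services snap-in or on the Event Log service being able to start.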
