Hello,
The server is a fully patched Windows 2003 R2 Enterprise machine used for shared hosting purposes. It runs the Hsphere control panel. I am trying to identify how the following hack is happening.
1) There are users being created with Administrative group rights. Below is the Event Viewer log for the user creation:
User Account Created:
New Account Name: username
New Domain: PCNAME
New Account ID: PCNAME\username
Caller User Name: PCNAME$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Privileges -
Attributes:
Sam Account Name: username
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x2DAB2B0
New UAC Value: 0x2DAB2B0
User Account Control: -
User Parameters: <value not set>
Sid History: -
Logon Hours: <value changed, but not displayed>
There are also entries where the primary group ID is changed to the Administrative group, but I am omitting those.
2) I tried to identify what Caller Logon ID: (0x0,0x3E7) means. I found out from here:
http://blog.joeware.net/2013/01/14/2667/ that I can use LogonSessions.exe to identify it.
Output from LogonSessions.exe is pasted below (snippet):
[0] Logon session 00000000:000003e7:
User name: DOMAINNAME\PCNAME$
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: S-1-5-18
Logon time: 9/11/2014 12:41:53 PM
Logon server:
DNS Domain:
UPN:
4: System
316: smss.exe
364: csrss.exe
392: winlogon.exe
440: services.exe
452: lsass.exe
628: svchost.exe
756: LMAgent.exe
840: svchost.exe
1000: spoolsv.exe
1252: avagent.exe
1268: camWMIAgent.exe
1324: cissesrv.exe
1380: cpqrcmc.exe
1404: vcagent.exe
1440: svchost.exe
1480: HsQuotas.exe
1740: inetinfo.exe
1780: EmailAgent.exe
1856: snmp.exe
1884: sysdown.exe
1920: smhstart.exe
2192: svchost.exe
2388: cmd.exe
2396: hpsmhd.exe
2444: cqmgserv.exe
2464: cqmgstor.exe
2484: HSphere.exe
2596: wmiprvse.exe
2676: cmd.exe
2684: rotatelogs.exe
2692: cmd.exe
2700: rotatelogs.exe
2732: searchindexer.exe
2812: hpsmhd.exe
2824: cqmghost.exe
2852: svchost.exe
3044: cmd.exe
3052: rotatelogs.exe
3080: cmd.exe
3088: rotatelogs.exe
5452: svchost.exe
5596: GravitixService.exe
7392: csrss.exe
7232: winlogon.exe
6888: csrss.exe
9832: winlogon.exe
10388: wawrapper.exe
10352: cpqnimgt.exe
9496: msiexec.exe
6068: w3wp.exe
4748: webalizer.exe
3) I also learned from http://support.microsoft.com/kb/243330/en-us that Sid: S-1-5-18 means:
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system
That is all great info, but I am not sure how to put together what I have learned to get closer to identifying how in the world users are being created and then assigned administrative group rights.
I am a Linux person mostly, but I am comfortable following a properly explained thread regarding Windows 2003 R2 Enterprise issues.
The server is fully patched and it is running the Lumension security product. What's more, Norman Malware Tracker, tdskiller.exe (Kaspersky) and McAfee rootkitremover.exe have been run without any apparent malware/virus infection.
Hope someone with advanced admin skills can advise.
Thank you
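An added example, not part of the original post: a small parser for the Event Viewer text layout quoted above that flags account creations whose Caller Logon ID is the (0x0,0x3E7) session, i.e. made by a process running as Local System rather than by a logged-on administrator. The sample events, account names and the second caller's logon ID are constructed for the example.

```python
import re

# Constructed sample in the Event Viewer layout quoted in the post; the account
# names and the second caller's logon ID are invented for this example.
SAMPLE_EVENTS = """\
User Account Created:
New Account Name: backup_svc
New Domain: PCNAME
New Account ID: PCNAME\\backup_svc
Caller User Name: PCNAME$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Privileges -
Attributes:
Primary Group ID: 513

User Account Created:
New Account Name: jsmith
New Domain: PCNAME
New Account ID: PCNAME\\jsmith
Caller User Name: adminuser
Caller Domain: PCNAME
Caller Logon ID: (0x0,0x5A2F1)
Primary Group ID: 513
"""

SYSTEM_LOGON_ID = 0x3E7  # LUID of the Local System logon session (Sid S-1-5-18)

def parse_events(text):
    """Split the text into blank-line separated blocks; first line is the event
    header, remaining 'Key: value' lines become dict entries (others are skipped)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        ev = {"event": lines[0].rstrip(":")}
        for line in lines[1:]:
            if ": " in line:
                key, value = line.split(": ", 1)
                ev[key] = value
        events.append(ev)
    return events

def logon_id_value(field):
    """'(0x0,0x3E7)' -> 0x3E7, the low part of the logon session LUID; None if malformed."""
    m = re.fullmatch(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)", field)
    return int(m.group(2), 16) if m else None

def accounts_created_by_system(text):
    """Names of accounts whose creation was called from the SYSTEM logon session."""
    return [ev["New Account Name"] for ev in parse_events(text)
            if ev.get("event") == "User Account Created"
            and logon_id_value(ev.get("Caller Logon ID", "")) == SYSTEM_LOGON_ID]
```

Every hit points at a service or other process in the SYSTEM session (the process list from LogonSessions.exe above) rather than at an interactive logon, which narrows where to look next.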