We have a huge network of computers (about 600+) using a Class B IP
address range (and they all have public IP addresses, i.e. no 10.x.x.x or
192.168.x.x). All the computers are behind a router and a private
internet gateway which controls the outgoing and incoming internet
traffic. Also, almost all the computers on the network run
Microsoft-based OSes (Win2k and WinXP) and a few computers (servers) run
Linux and act as firewalls, routers, etc. These servers act as gateways
as well as firewalls for these computers and don't allow incoming traffic, i.e.
all ports are blocked except for a few which run web servers etc. We
have tried logging into our computers from outside our network but we
cannot gain access to them as there's a firewall and a gateway, but all
the computers within the corporate network can communicate with each other.

Yesterday, a hacker (probably from Norway) gained access to two of our
computers which run Win 2K Prof and Win NT 4.0 Workstation respectively,
bypassing the firewall. We are wondering how the person gained access to
our network even though there was a firewall in between our workstation
on the network and the hacker's computer. Those two computers had the
Local Computer's Administrator's password blank and we guess that's what
the hacker used to gain access to the files using NetBIOS. The hacker
somehow installed WinVNC client and some mIRC script (RUNDLl32.exe) onto
those two machines. We were shocked to see him controlling the computer
as if he/she was actually sitting in front of the computer. We
identified the hacker's computer's IP address and found that his IP
originated from Norway and the server software WinVNC was sending out
packets to that IP address and waiting for the hacker to connect to the
system. We simulated this attack onto another computer and came to a
conclusion that the hacker (1) used netbios protocol to connect to
the computer to transfer files using local administrator login with
blank password (2) installed winvnc as a service (3) rebooted the
computer somehow and gained access as a remote administrator and took
the control over the computer and started using it as if he/she were
sitting in front of that computer. We saw a batch file that executed
winvnc with the -install argument that installed itself as an NT service
and also noticed that there wasn't any server software installed to
facilitate the work of the hacker to provide a service like remote
administrator (like Remote Administrator 2.1 -- www.radmin.com) to allow
control over that computer.

We are not clear at a couple of points:
(1) how did the hacker start the program remotely?
(2) how did the hacker shut down/reboot the computer without using any
software like Remote Administrator 2.0 (www.radmin.com)? Is there any
way to shut down the computer using the basic Microsoft built-in
networking packages like the NET command?

We are very much scared and we are inviting suggestions/solutions from
the people out here on this planet.
Responses greatly appreciated.
Thank you very very much.
(Asst. Network Administrator)
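For the indicators the post lists (a local Administrator account with a blank password reachable over NetBIOS, and WinVNC registered as an NT service), the following is an added audit script for checking a Windows host; it is not part of the original post. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, so it does not run on the Win2K/NT4 systems described, and the service-name pattern is an assumption.

```powershell
# Added example (not from the original post): a defender-side audit for the
# three things the poster describes -- local accounts that do not require a
# password, a VNC-style server registered as a service, and NetBIOS/SMB and
# VNC listeners on the host. Assumes Windows PowerShell 5.1+ on a modern
# Windows host; run elevated. The service-name pattern is an assumption.

function Get-BlankPasswordRiskAccounts {
    # Accounts flagged "password not required" may hold an empty password.
    # Caveat: under a zero minimum-password-length policy an account can have
    # an empty password without this flag, so this check is necessary, not
    # sufficient; confirm with the password policy and an actual logon test.
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, Enabled, PasswordRequired, PasswordLastSet
}

function Get-SuspiciousRemoteControlServices {
    param([string]$Pattern = 'vnc|radmin')   # assumed indicator pattern
    # Services whose binary path or name matches a remote-control tool.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match $Pattern -or $_.Name -match $Pattern } |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

function Get-ExposedListeners {
    # 139/445: NetBIOS/SMB file sharing, the path used for the file transfer
    # in the post; 5900/5800: default WinVNC display and HTTP ports.
    $ports = 139, 445, 5900, 5800
    Get-NetTCPConnection -State Listen |
        Where-Object { $ports -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = $proc.ProcessName
                Pid          = $_.OwningProcess
            }
        }
}

'== Local accounts not requiring a password =='
Get-BlankPasswordRiskAccounts | Format-Table -AutoSize
'== Services matching remote-control tools =='
Get-SuspiciousRemoteControlServices | Format-Table -AutoSize
'== Listening SMB/NetBIOS/VNC ports =='
Get-ExposedListeners | Format-Table -AutoSize
```

Any hit in the second or third table on a workstation that is not supposed to offer remote control or file sharing is worth pulling the service binary, its install time and the account it runs under for the incident timeline.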