Cleaning up after a breach – servers keep using rundll32.exe to talk to compromised server

Hi all,

I have been madly trying to learn everything about net security, and there is so much out there and so many ways that malicious users can hack networks and servers.

Unfortunately, a little while ago we were breached and we discovered a server talking to the internet when it wasn't supposed to.

Now, in tightening our security stance, we have enabled some ACL rules to stop servers cross-talking between VLANs. We are finding (most of) our DMZ Windows IIS servers are talking back to this main SQL server over 445 when the server is just a database server. Note this server was removed, a fresh install of SQL was done and the database migrated (although I do have a backup to investigate it further).

It appears as though our servers in the DMZ zone have a beacon installed on them to talk back to this server; after installing Sysmon we now see that the process rundll32.exe keeps trying to ping and use port 445 every 5 minutes.

How can I find out what is calling rundll32.exe? How can I understand this beacon better and potentially get more information about what it is trying to do?

I also tried to spin up the backup of the old SQL server (in a closed environment) to find more information: there are named pipes under services, and winlogon.exe tries to talk to an IP on the internet every 10 minutes (as mentioned, this server no longer exists but I can restore it to investigate). I would like to try and figure out more info on this breach.

Any help from anyone is so greatly appreciated. If this is not the right forum, please let me know where I could get some help. Thank you.

Touch here for the full post on Network Security Noblemen tumblr
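One way to answer the "what is calling rundll32.exe" question from Sysmon data, as an added example that is not part of the original post: join each rundll32.exe network connection (Sysmon Event ID 3) to its process-creation record (Event ID 1) via ProcessGuid, which exposes the parent process and command line, then check whether the connection timestamps are regular enough to look like a timer-driven beacon. The events, DLL path and parent command line below are constructed for illustration, not taken from the poster's environment.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample Sysmon events (EventID 1 = process create, 3 = network connect),
# modelled on the symptom in the post: rundll32.exe reaching the SQL server on 445 every 5 minutes.
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2019-05-01 10:00:00", "ProcessGuid": "{G1}", "Image": RUNDLL32,
     "CommandLine": r"rundll32.exe C:\ProgramData\updater.dll,Run",      # hypothetical DLL path
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule"},      # hypothetical: scheduled-task host
    {"EventID": 3, "UtcTime": "2019-05-01 10:00:02", "ProcessGuid": "{G1}", "Image": RUNDLL32,
     "DestinationIp": "10.10.5.20", "DestinationPort": 445},
    {"EventID": 3, "UtcTime": "2019-05-01 10:05:01", "ProcessGuid": "{G1}", "Image": RUNDLL32,
     "DestinationIp": "10.10.5.20", "DestinationPort": 445},
    {"EventID": 3, "UtcTime": "2019-05-01 10:10:03", "ProcessGuid": "{G1}", "Image": RUNDLL32,
     "DestinationIp": "10.10.5.20", "DestinationPort": 445},
    # Ordinary file-share traffic from another process: must not be reported.
    {"EventID": 3, "UtcTime": "2019-05-01 10:01:10", "ProcessGuid": "{G2}", "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "10.10.5.30", "DestinationPort": 445},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate_rundll32_connections(events, port=445):
    """Join each rundll32.exe connection (EID 3) on the given port to its creation
    record (EID 1) by ProcessGuid, so parent process and command line become visible."""
    created = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] == 3 and e["DestinationPort"] == port \
                and e["Image"].lower().endswith("\\rundll32.exe"):
            c = created.get(e["ProcessGuid"], {})   # empty if creation predates Sysmon install
            hits.append({"time": e["UtcTime"], "dst": e["DestinationIp"],
                         "cmdline": c.get("CommandLine"), "parent": c.get("ParentImage"),
                         "parent_cmdline": c.get("ParentCommandLine")})
    return hits

def beacon_interval(hits, max_jitter_s=30):
    """Return the mean gap in seconds between connections when the gaps are regular
    enough (low spread) to suggest a timer-driven beacon; None otherwise."""
    ts = sorted(parse_time(h["time"]) for h in hits)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or pstdev(gaps) > max_jitter_s:
        return None
    return mean(gaps)

if __name__ == "__main__":
    found = correlate_rundll32_connections(SAMPLE_EVENTS)
    for h in found:
        print(h)
    print("beacon interval (s):", beacon_interval(found))
```

On a real host the same join can be run over events exported from the Microsoft-Windows-Sysmon/Operational log; if the ProcessGuid has no matching Event ID 1, the process was started before Sysmon was installed, and the parent will only be visible after the next restart of the beacon.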
