Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
eric3d (Newbie)
Joined: 06 Apr 2005 Last Visit: 08 Apr 2005 Posts: 2
Posted: Wed Apr 06, 2005 8:06 am Post subject: Win2K Server Compromised - Unable to Find Culprit
Hi,
I manage a Windows 2000 Server which is co-located at XO and whose sole purpose in life is to serve up web pages for a busy site (we do use Perl to process mailing list forms). At my supervisor's request FTP was left open, and someone hacked their way in and set up the server as a peer-to-peer video sharing host, running up $2,000+/day in extra bandwidth charges. We set up a new, virgin server, copied data files to the new server, set up IIS and off we went again. Somehow the culprit managed to re-access the server, and continues to run up extra bandwidth charges, but there is no sign of video p-2-p this time. No sign of anything, except when I view ports I can see an IP address for a European or Asian-Pacific host sitting on svchost.exe. I've hardened the system with PivX Qwik-Fix, installed Symantec AntiVirus 9.0, run Ad-Aware and Trend Micro's HouseCall, and everything comes out clean. The culprit is flying below radar. Several days ago we installed a Cisco PIX 501 firewall (we should have done this long ago, but the powers that be decided to "wait until it is needed..." -- jeeesh...). I'm no firewall expert, so the firewall could probably be set up better, I realize. Anyone know a firewall expert?
Anyway, here is my HijackThis log. Any insight would be very, very much appreciated! Here is a list of running apps that are visible in the HijackThis log:
-Symantec Antivirus
-Livestats/Collector/MySQL - parts of DeepMetrix LiveStats Visitor Analyser
-Qwik-Fix (PIVX.com Windows "hardening")
-Java (installed for Trend Micro's HouseCall)
-tahoekeysresort.com -- one of the company's domains on the server
-XO (co-located Host)
Thank you!!
Eric3d
Logfile of HijackThis v1.98.2
Scan saved at 8:45:06 AM, on 4/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
E:\Program Files\livestats\livestats.exe
E:\Program Files\livestats\collector.exe
E:\Program Files\livestats\db\bin\mysqld-nt.exe
E:\Program Files\nsr\bin\nsrexecd.exe
E:\Program Files\nsr\bin\nsrpm.exe
C:\Program Files\PivX\Qwik-Fix Pro\qfloadsvc.exe
C:\WINNT\system32\MSTask.exe
C:\compaq\survey\Surveyor.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PivX\Qwik-Fix Pro\qfui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\logon.scr
C:\Perl\bin\perl.exe
E:\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Qwik-Fix Pro User Interface] "C:\Program Files\PivX\Qwik-Fix Pro\qfui.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05F966B0-7B8E-4C8A-A9EB-DB87C92E8ED1}: Domain = cust3.irv.xo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4956CACC-EFEF-4B91-9FE0-7A11F35BA4CA}: Domain = tahoekeysresort.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5140018D-8D28-415C-BE32-5ADA62F5AB58}: Domain = tahoekeysresort.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5140018D-8D28-415C-BE32-5ADA62F5AB58}: NameServer = 65.106.1.146,65.106.7.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5322F4E-6DBE-4066-B7EB-4B68070941F8}: Domain = irv-man.xo.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{05F966B0-7B8E-4C8A-A9EB-DB87C92E8ED1}: Domain = cust3.irv.xo.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{05F966B0-7B8E-4C8A-A9EB-DB87C92E8ED1}: Domain = cust3.irv.xo.com
O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
TeMerc (Warrior Obsessed)
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Wed Apr 06, 2005 9:59 pm Post subject:
Hi and welcome to Spyware Warrior forums.
I am not well versed in these types of things; however, you do need to update your version of HJT. I can see 2 bad lines right off:
O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
An updated log with the newer version, run in normal mode, may glean more info.
We'll see what we find once that's done. If I feel I can tackle it (not good with hacker type of stuff) I'll let you know, and if not, I will get one of the others to have a peek.
_________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
eric3d (Newbie)
Joined: 06 Apr 2005 Last Visit: 08 Apr 2005 Posts: 2
Posted: Thu Apr 07, 2005 7:42 am Post subject: Thanks for reply, here is log from HijackThis 1.99.1
Hi TeMerc,
Thanks for your reply. The two lines you mentioned don't seem to affect Internet Explorer's ability to function properly.
Per your advice I have uploaded and run the most recent version of HiJackThis, version 1.99.1. Hope there is more information here that will point the way to the culprit!
Thanks all who help,
Eric
Logfile of HijackThis v1.99.1
Scan saved at 8:38:42 AM, on 4/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
E:\Program Files\livestats\livestats.exe
E:\Program Files\livestats\collector.exe
E:\Program Files\livestats\db\bin\mysqld-nt.exe
E:\Program Files\nsr\bin\nsrexecd.exe
E:\Program Files\nsr\bin\nsrpm.exe
C:\Program Files\PivX\Qwik-Fix Pro\qfloadsvc.exe
C:\WINNT\system32\MSTask.exe
C:\compaq\survey\Surveyor.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PivX\Qwik-Fix Pro\qfui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\logon.scr
E:\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Qwik-Fix Pro User Interface] "C:\Program Files\PivX\Qwik-Fix Pro\qfui.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05F966B0-7B8E-4C8A-A9EB-DB87C92E8ED1}: Domain = cust3.irv.xo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4956CACC-EFEF-4B91-9FE0-7A11F35BA4CA}: Domain = tahoekeysresort.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5140018D-8D28-415C-BE32-5ADA62F5AB58}: Domain = tahoekeysresort.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5140018D-8D28-415C-BE32-5ADA62F5AB58}: NameServer = 65.106.1.146,65.106.7.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5322F4E-6DBE-4066-B7EB-4B68070941F8}: Domain = irv-man.xo.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{05F966B0-7B8E-4C8A-A9EB-DB87C92E8ED1}: Domain = cust3.irv.xo.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{05F966B0-7B8E-4C8A-A9EB-DB87C92E8ED1}: Domain = cust3.irv.xo.com
O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\System32\mshtml.dll
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\System32\mshtml.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Insight NIC Agent (CPQNicMgmt) - Hewlett-Packard Company - C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Compaq Version Control Agent (cpqvcagent) - Compaq Computer Corporation - C:\Compaq\vcagent\vcagent.exe
O23 - Service: HP Insight Web Agent (CpqWebMgmt) - HP Corporation - C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe
O23 - Service: HP Insight Foundation Agent (CqMgHost) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveStats Reporting Server (LiveStats) - DeepMetrix - E:/Program Files/livestats/livestats.exe
O23 - Service: LiveStats Data Collector (livestats Collector) - Unknown owner - E:\Program Files\livestats\collector.exe
O23 - Service: MySql (mysql) - Unknown owner - E:/Program Files/livestats\db\bin\mysqld-nt.exe
O23 - Service: NetWorker Remote Exec Service (nsrexecd) - LEGATO Software, a division of EMC. - E:\Program Files\nsr\bin\nsrexecd.exe
O23 - Service: NetWorker Power Monitor (nsrpm) - LEGATO Software, a division of EMC. - E:\Program Files\nsr\bin\nsrpm.exe
O23 - Service: Qwik-Fix Pro (qfcoresvc) - PivX Solutions, Inc. - C:\Program Files\PivX\Qwik-Fix Pro\qfloadsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Surveyor - Compaq Computer Corp. - C:\compaq\survey\Surveyor.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
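As an added example (not code from this thread, from HijackThis or from the posters), a small Python triage script for HJT-style logs like the two posted above: it flags the entries a reviewer checks first, including the two "(file missing)" O18 lines TeMerc pointed out and O23 services with no vendor, and diffs a rescan against the earlier scan. The sample logs, the {CLSID} placeholder and the C:\Temp path are constructed, not taken from the real logs.

```python
# Added triage helper for HijackThis-style logs (example code, not from the thread):
# parse the process list and "Oxx - ..." entries, flag items to review, diff two
# scans. OLD_LOG/NEW_LOG at the bottom are constructed samples, not the real logs.
import re
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
CORE_BINARIES = {"svchost.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

def parse_hjt(text):
    """Return (process paths, {section: [entry bodies]})."""
    procs, entries, in_procs = [], {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Running processes:"):
            in_procs = True
        elif m := ENTRY_RE.match(line):
            in_procs = False
            entries.setdefault(m.group(1), []).append(m.group(2))
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage(text):
    """Findings as (reason, line); heuristics to review by hand, not verdicts."""
    procs, entries = parse_hjt(text)
    out = []
    for p in procs:  # a core Windows binary name running outside the system directory
        low = p.lower()
        if low.rsplit("\\", 1)[-1] in CORE_BINARIES and not low.startswith(SYSTEM_DIRS):
            out.append(("core binary outside system32", p))
    for sec, bodies in entries.items():
        for b in bodies:
            if "(file missing)" in b:  # the kind of O18 line flagged in the thread
                out.append(("file missing", f"{sec} - {b}"))
            if sec == "O23" and "Unknown owner" in b:  # service with no vendor string
                out.append(("service without vendor", f"{sec} - {b}"))
    return out

def diff_logs(old, new):
    """(entries gone, entries new) between two scans; the process list is ignored."""
    flat = lambda t: {f"{s} - {b}" for s, bs in parse_hjt(t)[1].items() for b in bs}
    a, b = flat(old), flat(new)
    return sorted(a - b), sorted(b - a)

OLD_LOG = """Running processes:
C:\\WINNT\\system32\\svchost.exe
C:\\Temp\\svchost.exe
O18 - Protocol: shell - {CLSID} - %SystemRoot%\\System32\\mshtml.dll (file missing)
O23 - Service: MySql (mysql) - Unknown owner - E:/Program Files/livestats/db/bin/mysqld-nt.exe
"""
NEW_LOG = OLD_LOG.replace("%SystemRoot%\\System32\\mshtml.dll (file missing)", "C:\\WINNT\\System32\\mshtml.dll")
```

Running `triage(OLD_LOG)` and `diff_logs(OLD_LOG, NEW_LOG)` shows which findings a newer HJT build resolves on its own (the resolved path) and which remain for a human to look at.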
TeMerc (Warrior Obsessed)
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Thu Apr 07, 2005 1:35 pm Post subject:
OK, well I have had one of our noted experts, and MS MVP, Paperghost have a peek at your thread.
His advice is to wipe the server completely, and have someone go through the server logs to determine that everything is properly patched and there are no backdoors, which he feels there is a possibility of.
By me fixing the HJT logfile, it's likely not to have much effect, with the way he says your server has been hacked.
And of course, once that's done, I would get that firewall tweaked as best can be done to prevent future breaches.
Wish I had better news for you, sorry.
_________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog