Hello,

Today, when I checked my server (Windows Server 2003 Standard with SP2), I saw that an unknown user was showing on my login screen. Its name was "zj2631$" and it had Administrator privileges. It has accessed these folders and files:

saomiao --> 1. 扫描 (Chinese for "scan") --> jimo.bat -->
#########################################
@echo off
color B
title ¼ÅįרÓðæ
echo 125.109.1.1 125.109.255.255 >ip.txt
ip.txt
pause
copy %windir%\system32\cmd.exe cmd.exe >nul
FOR /F "eol=A tokens=1,2" %%a in (ip.txt) do s.exe syn %%a %%b 80 /save
for /f %%a in ('findstr /i "Open" result.txt') do echo %%a>>host.txt
del Result.txt >nul
##########################################

2. saomiao --> a) cmd.exe b) IP.txt c) jimo.bat d) Result.txt

These files contain the following:

a) cmd.exe --- it's the command prompt.

b) IP.txt ---- it contains the following list:
125.109.1.1 125.109.255.255

c) jimo.bat ---- it contains the following:
@echo off
color B
title Special edition of Lonely
echo 125.109.1.1 125.109.255.255 >ip.txt
ip.txt
pause
copy %windir%\system32\cmd.exe cmd.exe >nul
FOR /F "eol=A tokens=1,2" %%a in (ip.txt) do s.exe syn %%a %%b 445 /save
for /f %%a in ('findstr /i "Open" result.txt') do echo %%a>>host.txt
del Result.txt >nul

d) Result.txt ---- it contains the following:
----------------------------------------------------------------------------------
Performing Time: 5/18/2009 4:29:40 --> SYN Scan: About To Scan 65279 IP Using 1 Thread
[42 result lines of the form "<ip> 135 Open" omitted here]
LastIP Scanned: 125.109.15.133:135
Scan 3716 IPs Complete In 0 Hours 0 Minutes 5 Seconds. Found 42 Hosts
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Performing Time: 5/18/2009 4:30:3 --> SYN Scan: About To Scan 65279 IP Using 1 Thread
125.109.2.28 445 Open
125.109.4.155 445 Open
125.109.5.124 445 Open
LastIP Scanned: 125.109.18.173:445
Scan 4524 IPs Complete In 0 Hours 0 Minutes 2 Seconds. Found 3 Hosts
-------------------------------------------------------------------------------

I have run HijackThis v2.0.2 and it shows this result:
####################################################################
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:51 PM, on 5/18/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\programs\webserver\apache_2.0\Apache2\bin\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft ISA Server\isastg.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe
D:\programs\webserver\apache_2.0\Apache2\bin\Apache.exe
D:\programs\php\xampp_1.6.3a\mysql\bin\mysqld-nt.exe
C:\programs\dbserver\mysql\MySQL Server 5.0\bin\mysqld-nt.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SVCHOST.EXE
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\programs\ruby\InstantRails\InstantRails.exe
D:\programs\webserver\apache_2.0\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\programs\php\xampp_1.6.3a\mysql\bin\winmysqladmin.exe
D:\programs\TortoiseSVN\bin\TSVNCache.exe
D:\programs\php\xampp_1.6.3a\xampp-control.exe
D:\programs\php\xampp_1.6.3a\apache\bin\apache.exe
D:\programs\php\xampp_1.6.3a\apache\bin\apache.exe
D:\programs\Openfire_exodus\bin\openfire.exe
D:\programs\Openfire_exodus\bin\openfired.exe
C:\WINDOWS\System32\logon.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
D:\programs\ruby\InstantRails\InstantRails.exe
D:\programs\webserver\apache_2.0\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\programs\java\jdk1.5\bin\java.exe
D:\programs\ruby\INSTAN~1\MySql\bin\mysqld.exe
D:\programs\php\xampp_1.6.3a\mysql\bin\winmysqladmin.exe
C:\programs\java\jdk1.5\bin\java.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.10/mantis
O4 - HKLM\..\Run: [Instant Rails] "D:\programs\ruby\InstantRails\InstantRails.exe"
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: ACRstartup.bat.lnk = D:\programs\webserver\ACRtomcat\bin\startup.bat
O4 - Startup: is-7L4AI.lnk = C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-7L4AI\startup.exe
O4 - Startup: Shortcut to openfire.exe.lnk = D:\programs\Openfire\bin\openfire.exe
O4 - Startup: Shortcut to startup.bat.lnk = D:\programs\webserver\jakarta-tomcat-5.5.9\bin\startup.bat
O4 - Startup: WinMySQLadmin.lnk = D:\programs\php\xampp_1.6.3a\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\programs\webserver\apache_2.0\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O15 - ESC Trusted IP range: http://203.187.242.74
O15 - ESC Trusted IP range: http://61.12.3.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5C92C0C-8B57-4AD3-9E33-70F896F62954}: NameServer = 203.196.128.4,203.196.128.5
O23 - Service: Apache2 - Apache Software Foundation - D:\programs\webserver\apache_2.0\Apache2\bin\Apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mysql - Unknown owner - D:\programs\php\xampp_1.6.3a\mysql\bin\mysqld-nt.exe
O23 - Service: MySQLCMS - Unknown owner - C:\programs\dbserver\mysql\MySQL.exe (file missing)
O23 - Service: Network Service (Ntwthes) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - D:\programs\webserver\Tomcat 5.0\bin\tomcat.exe (file missing)
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - D:\programs\php\xampp_1.6.3a\service.exe

--
End of file - 5823 bytes
####################################################################

Can someone do me a favour and check this or help remove it, and tell me what has happened to that system? On the server McAfee Anti-Virus is running, and when I checked this from my laptop, where AVG is installed, it showed one alert message while accessing that server for a virus: Trojan Horse Generic5.hnp
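As an added defender-side example (not from the original post and not part of HijackThis), here is a small Python triage pass over the kind of O15/O23 lines quoted above. It runs on a constructed sample of a few of those entries and flags, for human review, services with no recorded owner or a missing binary, a display name that imitates a built-in Windows account, a binary sitting directly in a drive root, and any ESC trusted-zone entry.

```python
import re

# Constructed sample: a handful of O15/O23 lines in the HijackThis layout
# seen in the post above (not the full log).
SAMPLE_LOG = """\
O15 - ESC Trusted IP range: http://203.187.242.74
O23 - Service: Apache2 - Apache Software Foundation - D:\\programs\\webserver\\apache_2.0\\Apache2\\bin\\Apache.exe
O23 - Service: MySQLCMS - Unknown owner - C:\\programs\\dbserver\\mysql\\MySQL.exe (file missing)
O23 - Service: Network Service (Ntwthes) - Unknown owner - C:\\Program.exe (file missing)
O23 - Service: OracleServiceXE - Oracle Corporation - c:\\oraclexe\\app\\oracle\\product\\10.2.0\\server\\bin\\ORACLE.EXE
"""

SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
ESC_RE = re.compile(r"^O15 - ESC Trusted IP range: (?P<url>\S+)$")
# Display names that imitate built-in Windows principals deserve a second look.
LOOKALIKE_NAMES = ("network service", "local service", "local system", "system")


def triage_hijackthis(log_text):
    """Return (entry, [reasons]) for every O15/O23 line that needs review."""
    findings = []
    for line in log_text.splitlines():
        if ESC_RE.match(line):
            findings.append((line, ["IE Enhanced Security zone exception; confirm it was added on purpose"]))
            continue
        svc = SERVICE_RE.match(line)
        if not svc:
            continue
        reasons = []
        name, owner, path = svc["name"], svc["owner"], svc["path"]
        missing = path.endswith("(file missing)")
        exe = path[: -len(" (file missing)")] if missing else path
        if owner == "Unknown owner":
            reasons.append("no publisher recorded for the service binary")
        if missing:
            reasons.append("service points at a binary that no longer exists on disk")
        if name.split(" (")[0].strip().lower() in LOOKALIKE_NAMES:
            reasons.append("display name imitates a built-in Windows account")
        # A binary directly in a drive root (e.g. C:\Program.exe) is either an
        # unquoted-path mistake or a dropped file; either way it needs checking.
        if re.fullmatch(r"[a-z]:\\[^\\]+", exe, re.IGNORECASE):
            reasons.append("binary lives directly in the drive root")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_hijackthis(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   -", reason)
```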
Serves you right, honestly. You should use a secure system for a server. That's trashed. The only solution is a ground-up reinstall; it is far too compromised, as the exploit has allowed the person in and they have replaced core parts of your operating system, and haven't cared that you can see the changes. That means there are more subtle changes, like user accounts with wheel/admin rights also. Game over. Reinstall. I suggest something designed for servers like Slackware. And take it offline immediately; you are running hidden FTP servers, and you don't want to go to prison for distribution of illegal content, do you? Can I make a quick comment? I hope you aren't running this server for a business, or commercially. If you can't read from the scans that it's beyond saving, you really shouldn't be in charge of a remotely administered server. You can use this as an opportunity to learn about server rootkits and remote exploits, and why 95% of the internet and servers don't run Windows Server rubbish.
Hi varnull, I am really thankful for your valuable comments. I appreciate what you have said, but that is a live server which I cannot re-install. Almost 100 users are using that server, and many sites are hosted on it. Re-installation and re-configuration would take around 6-7 days, and we cannot keep our users waiting that long to use the server. So we need help to repair that server and make it safe from that kind of attack in future. Kindly give some info about remote exploits, wheel/admin rights, and how we can protect our server from these kinds of attacks. I have blocked the IP range 125.109.1.1 125.109.255.255, which was opened by this attack, in ISA Server for all protocols. What should I do to resolve this infection and remove it from my server? Your valuable suggestions are always welcome. Thanks & Regards