Posted 21 November 2007 - 02:47 PM
I am in charge of a Windows Small Business Server 2003 SP2 which appears to have been infiltrated -- most likely through a backdoor trojan. NAV was somehow changed/disabled so that other malware/viruses could install, based on findings from running AVG.
Here are the symptoms:
1. Users appear out of nowhere in Active Directory -- most of which are set up as administrators
2. Open Sessions, every once in a while, show one or more of the above users being logged in (although they are very sneaky)
3. Under C:\documents and settings\ ... are the user profiles for those users in #1 & #2 that have logged in.
4. I have noticed a total of 3 services running with non-English (ASCII characters) as part of the description. Two I found in the registry and removed. The latest one is NOT in the registry (strange!!) but exists in the list of services with the following information:
I have disabled it and also deleted iexplore.ra.com.cn.
This box does not have Exchange enabled. It is only being used for SQL Server as a backend to a network application. There are 15 workstations on the network all with NAV being managed by the server.
Firewall is a Cisco ASA and brand new.
I have disabled all rogue users and deleted what user profile folders I'm allowed without needing to first boot to safe mode.
We are unsure as to what has been installed in a stealth manner (i.e. malware, keyloggers, rootkits, etc.) and do NOT feel secure.
I have reset ALL passwords, even on service logins, to STRONG passwords with uc, lc, numbers, symbols, and a minimum of 8 characters. I am wondering if a complete backup, OS re-install, and reconfig is in order. Or, are there any other options we have?
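An added check, not part of the original post, for the two symptoms described above (rogue administrator accounts and services with non-ASCII text or no registry key): it lists the current members of Domain Admins and flags any installed service whose name, display name or description contains characters outside printable ASCII, or which the service control manager knows about but which has no key under HKLM\SYSTEM\CurrentControlSet\Services. It assumes it is run as an administrator on the server itself with PowerShell installed; the group name and registry path are the standard ones.

```powershell
# Added example, not from the original post. Run as an administrator on the
# server. Flags the indicators described above: unexpected members of
# Domain Admins, and services that carry non-ASCII text or have no key in
# the standard Services registry hive.

# 1. Who is in Domain Admins right now? ADSI works on Server 2003 without
#    the ActiveDirectory module.
$domainAdmins = [ADSI]"WinNT://$env:USERDOMAIN/Domain Admins,group"
$members = @($domainAdmins.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})
Write-Output "Domain Admins members:"
$members | ForEach-Object { Write-Output "  $_" }

# 2. Services: compare the service control manager's view with the registry.
$servicesKey = "HKLM:\SYSTEM\CurrentControlSet\Services"
Get-WmiObject Win32_Service | ForEach-Object {
    $reasons = @()
    # Any character outside printable ASCII in name, display name or description
    foreach ($field in @($_.Name, $_.DisplayName, $_.Description)) {
        if ($field -and ($field -match '[^\x20-\x7E]')) {
            $reasons += "non-ASCII text"
            break
        }
    }
    # Service is known to the SCM but has no key in the registry
    if (-not (Test-Path (Join-Path $servicesKey $_.Name))) {
        $reasons += "no registry key"
    }
    if ($reasons.Count -gt 0) {
        Write-Output ("SUSPECT {0} ({1}) state={2} path={3} : {4}" -f `
            $_.Name, $_.DisplayName, $_.State, $_.PathName, ($reasons -join ", "))
    }
}
```

Any account in the first list that nobody on the team created, and any SUSPECT line in the second, is worth recording before removal so the evidence survives a rebuild.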