
Windows SBS 2003 Infiltration -- Need Help

No replies to this topic

#1 woodcycl



Posted 21 November 2007 - 02:47 PM

I am in charge of a Windows Small Business Server 2003 SP2 which appears to have been infiltrated -- most likely through a backdoor trojan. NAV was somehow changed/disabled so that other malware/viruses could install, based on findings from running AVG.

Here are the symptoms:

1. Users appear out of nowhere in Active Directory -- most of which are set up as administrators
2. Open Sessions, every once in a while, show one or more of the above users being logged in (although they are very sneaky)
3. Under C:\documents and settings\ ... are the user profiles for those users in #1 & #2 that have logged in.
4. I have noticed a total of 3 services running with non-English (non-ASCII characters) as part of the description. Two I found in the registry and removed. The latest one is NOT in the registry (strange!!) but exists in the list of services with the following information:
name: wscsvcl
path: C:\WINDOWS\iexplore.ra.com.cn
I have disabled it and also deleted iexplore.ra.com.cn.

This box does not have Exchange enabled. It is only being used for SQL Server as a backend to a network application. There are 15 workstations on the network all with NAV being managed by the server.

The firewall is a Cisco ASA and brand new.

I have disabled all rogue users and deleted what user profile folders I'm allowed without needing to first boot to safe mode.

We are unsure as to what has been installed in a stealth manner (i.e. malware, keyloggers, rootkits, etc.) and do NOT feel secure.

I have reset ALL passwords, even on service logins, to STRONG passwords with uc, lc, numbers, symbols, and a minimum of 8 characters. I am wondering if a complete backup, OS re-install, and reconfig is in order. Or, are there any other options we have?

Many thanks!
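The symptoms in the post (a service that shows up in the service list but has no registry key, non-English text in service names, a binary running from an odd path, and unexpected administrators) can be checked in one pass. The script below is an added triage example, not code from the original poster; it assumes PowerShell 2.0 or later on the affected server, and the directory roots it treats as "normal" are an assumption you may need to widen for your own applications.

```powershell
# Added triage script (not from the original post). Compares the live service
# list against the registry, flags non-ASCII names/descriptions and binaries
# running from outside the system directories, then lists admin group members.
# On a rootkitted host both the WMI and registry views may be tampered with,
# so treat a clean result as provisional until checked from offline media.

$systemRoots = @($env:SystemRoot, $env:ProgramFiles)   # assumed "normal" roots
if ($env:ProgramW6432) { $systemRoots += $env:ProgramW6432 }

function Test-NonAscii([string]$Text) {
    # Any character above 0x7F counts as "non-English" for this check
    return [bool]($Text -match '[^\x00-\x7F]')
}

function Get-ServiceExe([string]$PathName) {
    # Strip surrounding quotes and trailing arguments to get the executable path
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

# Service names as seen under HKLM\SYSTEM\CurrentControlSet\Services
$regServices = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { $_.PSChildName }

$suspicious = foreach ($svc in Get-WmiObject Win32_Service) {
    $flags = @()
    if ($regServices -notcontains $svc.Name) { $flags += 'no registry key' }
    if ((Test-NonAscii $svc.DisplayName) -or (Test-NonAscii $svc.Description)) {
        $flags += 'non-ASCII text'
    }
    $exe = Get-ServiceExe $svc.PathName
    $inSystemDir = $false
    foreach ($root in $systemRoots) {
        if ($exe -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $inSystemDir = $true
        }
    }
    if (-not $exe) { $flags += 'no binary path' }
    elseif (-not $inSystemDir) { $flags += 'binary outside system dirs' }
    if ($flags.Count -gt 0) {
        New-Object PSObject -Property @{
            Name = $svc.Name; Path = $svc.PathName; Flags = ($flags -join ', ')
        }
    }
}
$suspicious | Format-Table Name, Flags, Path -AutoSize

# Accounts with administrative rights; compare against the known staff list
net localgroup Administrators
net group "Domain Admins" /domain
```

Every flagged service is a lead to investigate, not proof of compromise; legitimate third-party services often live outside the system directories.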
