
Compromised Terminal Server (S2K3) and Installation of Rummy Royale


No replies to this topic

#1 jmastro (Members, 13 posts, Location: Walnut Creek, CA)

Posted 17 April 2010 - 09:07 AM

Our Terminal Server was noticed to be compromised on 4/16. It was revealed through a glance at the current user sessions that our 'backup' user was logged on from 'JOHNSPC' (a false NetBIOS name, I'm sure). We went through the event viewer filtering for user 'backup' events. There were three items: user backup started the Application Management server, user backup installed 'Rummy Royale' from an MSI, and user backup was logged off (there was never a log on).

First we changed the user's password and started in on 'Rummy Royale'. We determined that it was also running as a service and installed in "C:\Rummy Royale". We stopped/unregistered the server, uninstalled the program and proceeded to do forensics on the user account itself. User backup's ntuser.dat was last modified on 2/18/2010, no recent documents, and one non-standard favorite, AOL Mail. Browsing to the 'My Documents' folder inside the user profile reveals 'SYSTEM's Pictures', which is worrisome.

As of right now, an attempt at running gmer.exe for rootkits failed unless using a random .exe. RKill shows nothing, and SUPERAntiSpyware will not start unless using a random exe (alternate start). A little forensics help would be greatly appreciated on this server-based terminal server.

Thank you!
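The post walks through the triage by hand: filter the Security log for the 'backup' account, find the service and install directory, check the profile's ntuser.dat timestamp. The script below is an added example, not code from the original post or from any tool it mentions, that collects the same artifacts in one pass so the evidence can be captured before anything else is uninstalled. It assumes Windows PowerShell 2.0 or later on the server and an account allowed to read the Security log; the user name and install path are the ones the poster named and are parameters so they can be changed. The Windows Server 2003 event IDs (528/540 logon, 538 logoff, 682/683 Terminal Services session reconnect/disconnect, MsiInstaller 1033/11707 for completed installs) and the Vista-and-later equivalents (4624/4634/4778/4779) are standard Windows IDs, not values from the post; the "Program Files" path filter in step 3 is a heuristic chosen for this example.

```powershell
# Added triage example (not from the original post). Save as triage.ps1 and run on the
# affected server; every section only reads data, nothing is stopped or removed.
param(
    [string]$SuspectUser = 'backup',          # account seen in the foreign session
    [string]$SuspectPath = 'C:\Rummy Royale', # install directory found by the poster
    [int]$Days = 7                            # how far back to read the logs
)

$since = (Get-Date).AddDays(-$Days)
$quotedUser = [regex]::Escape($SuspectUser)

# 1. Logon, logoff and Terminal Services session events for the account. On Server 2003 a
#    reconnect to an already-open disconnected session is logged as 682, not as a new logon,
#    which is one way an account can show a logoff without a matching logon in a filtered view.
$sessionIds = 528, 540, 538, 682, 683, 4624, 4634, 4778, 4779
Write-Host "== Session events for '$SuspectUser' since $since =="
Get-EventLog -LogName Security -After $since |
    Where-Object { ($sessionIds -contains $_.EventID) -and ($_.Message -match "\b$quotedUser\b") } |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EventID, UserName, @{n='Summary'; e={ ($_.Message -split "`r?`n")[0] }} |
    Format-Table -AutoSize

# 2. MSI installs recorded in the Application log. MsiInstaller 1033 and 11707 both mark a
#    completed install and carry the package name and the account that ran it.
$msiIds = 1033, 11707
Write-Host "== MSI installs since $since =="
Get-EventLog -LogName Application -Source MsiInstaller -After $since -ErrorAction SilentlyContinue |
    Where-Object { $msiIds -contains $_.EventID } |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EventID, UserName, @{n='Summary'; e={ ($_.Message -split "`r?`n")[0] }} |
    Format-Table -AutoSize

# 3. Services whose binary lives outside the Windows or Program Files trees. A service
#    registered from a folder like C:\Rummy Royale stands out here even after the program's
#    own uninstaller has been run, because uninstallers do not always remove the service.
Write-Host "== Services with binaries outside Windows / Program Files =="
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)') } |
    Select-Object Name, State, StartMode, StartName, PathName |
    Format-Table -AutoSize

# 4. Profile artifacts the poster checked by hand: the hive timestamp and recent documents.
#    Server 2003 keeps profiles under Documents and Settings; Vista and later use Users.
Write-Host "== Profile artifacts for '$SuspectUser' =="
foreach ($root in @("$env:SystemDrive\Documents and Settings", "$env:SystemDrive\Users")) {
    $profile = Join-Path $root $SuspectUser
    if (Test-Path -LiteralPath $profile) {
        Get-ChildItem -LiteralPath $profile -Force -Filter 'ntuser.dat' -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime | Format-Table -AutoSize
        Get-ChildItem -LiteralPath $profile -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $since } |
            Sort-Object LastWriteTime -Descending |
            Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
    }
}

# 5. Whatever is left of the install directory, with hashes so the files can be checked
#    against a known-good copy or submitted for analysis before the folder is cleaned up.
Write-Host "== Contents of $SuspectPath =="
if (Test-Path -LiteralPath $SuspectPath) {
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    Get-ChildItem -LiteralPath $SuspectPath -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            $hash = ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            New-Object PSObject -Property @{ Path = $_.FullName; LastWrite = $_.LastWriteTime; Size = $_.Length; SHA1 = $hash }
        } | Format-Table Path, LastWrite, Size, SHA1 -AutoSize
} else {
    Write-Host "Directory not present (already removed?)"
}
```

Run it before uninstalling anything and redirect the output to a file on removable media, since the point of the exercise is to preserve the timeline (session reconnects, the MSI install, the service registration) that the uninstall in the post would otherwise erase. Step 3 uses a path heuristic rather than a signature check, so a legitimate service installed to a non-standard directory will also appear and has to be judged by its `StartName` and binary.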
