Posted 27 February 2012 - 10:26 PM
I have a newer Windows Server 2008 R2 server that has a serious infection. I noticed our internet speed was very slow. I checked the logs on our Sonicwall firewall and the IP address for this server transferred 962GB of data in just over 3 days (usually it's in the 100s of MBs). Using the connection monitor in the firewall I can see thousands of connections to random IP addresses, mostly in Europe and Asia. Everything was using port 3389 (terminal server).
Around the same time some users reported that a program called "HideDragon" pops up when they log in to the server (this is also a terminal server). I removed it using msconfig but it keeps coming back. I also noticed a program called DuBrute running which pegs my firewall at 100% usage. I can manually kill the process but it keeps coming back.
So far I've run a complete scan with the latest version of Symantec Endpoint and Microsoft Safety Scanner. Both come back clean. I've changed all passwords including local admin accounts and user accounts. I blocked all outgoing traffic on port 3389 and this has restored the internet bandwidth so the users are happy, but whatever is happening is still lurking behind the scenes.
I can't post a DDR log because it doesn't support Server 2008. I'm leery of running any scanners that aren't designed for a server OS, but I will give it a shot.
My research points to a virus/trojan called Morto, but I don't have any of the registry keys or files listed.
What is my next step?
Thanks in advance for your time.
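A triage script to go with the question above, added here and not part of the original post or written by the poster: it maps the outbound port 3389 connections to the processes that own them, locates the running DuBrute and HideDragon binaries, and lists the autostart locations that would explain why they keep coming back. It assumes PowerShell 2.0 on the Server 2008 R2 host itself and local administrator rights; the port number and process names are taken from the post, and every other path is a standard Windows location.

```powershell
# Added triage script, not from the original post. Assumes PowerShell 2.0+
# on the affected Server 2008 R2 host and local administrator rights.
# Port 3389 and the process names come from the post; nothing else is known.
$suspectNames = @('DuBrute', 'HideDragon')
$watchPort    = 3389
# Map PID -> process details once (Win32_Process is available on 2008 R2).
$procById = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procById[[int]$_.ProcessId] = $_ }

# 1. Which processes own the outbound 3389 connections the firewall is seeing?
#    netstat -ano exists on 2008 R2; Get-NetTCPConnection does not.
netstat -ano -p tcp | Select-String 'ESTABLISHED|SYN_SENT' | ForEach-Object {
    $f = ($_.Line.Trim()) -split '\s+'          # Proto Local Foreign State PID
    if ([int]($f[2] -split ':')[-1] -eq $watchPort) {
        $p = $procById[[int]$f[4]]
        New-Object PSObject -Property @{
            Remote = $f[2]; State = $f[3]; Process = $p.Name
            Path = $p.ExecutablePath; CmdLine = $p.CommandLine
        }
    }
} | Group-Object Process, Path | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Where do the named processes actually live, and who started them?
Get-WmiObject Win32_Process |
    Where-Object { $suspectNames -contains ($_.Name -replace '\.exe$', '') } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Format-List

# 3. Persistence: "keeps coming back" means something restarts it. Check the
#    machine-wide Run keys (HKCU covers only the account running this script;
#    other users' hives must be loaded separately), service binaries outside
#    the usual trees (expect a few false positives), and scheduled tasks.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { '{0}  {1} = {2}' -f $k, $_.Name, $_.Value }
    }
}
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    Select-Object Name, State, StartMode, PathName | Format-List
# schtasks exists on 2008 R2 (Get-ScheduledTask does not); /v adds 'Task To Run'.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match ($suspectNames -join '|') } |
    Select-Object TaskName, 'Task To Run', 'Scheduled Task State' | Format-List
```

Run it from an elevated PowerShell prompt on the affected server and keep the output with the firewall logs; the binary paths and parent PIDs from sections 1 and 2 are what you need before removing anything, since killing the process alone has already been shown not to help.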