
Server 2008R2 - Serious Infection\Hack


This topic is locked
2 replies to this topic

#1 aschrades


Posted 27 February 2012 - 10:26 PM

Hello,

I have a newer Windows Server 2008R2 server that has a serious infection. I noticed our internet speed was very slow. I checked the logs on our Sonicwall firewall and the IP address for this server transferred 962GB of data in just over 3 days (usually it's in the hundreds of MBs). Using the connection monitor in the firewall I can see thousands of connections to random IP addresses, mostly in Europe and Asia. Everything was using port 3389 (terminal server).

Around the same time some users reported that a program called "HideDragon" pops up when they log in to the server (this is also a terminal server). I removed it using msconfig but it keeps coming back. I also noticed a program called DuBrute running which pegs my firewall at 100% usage. I can manually kill the process but it keeps coming back.

So far I've run a complete scan with the latest version of Symantec Endpoint and Microsoft Safety Scanner. Both come back clean. I've changed all passwords, including local admin accounts and user accounts. I blocked all outgoing traffic on port 3389 and this has restored the internet bandwidth so the users are happy, but whatever is happening is still lurking behind the scenes.

I can't post a DDR log because it doesn't support Server 2008. I'm leery of running any scanners that aren't designed for a server OS, but I will give it a shot.

My research points to a virus/trojan called Morto, but I don't have any of the registry keys or files listed.

What is my next step?

Thanks in advance for your time.

-Adam
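Detection logic for the traffic pattern described in this post (one internal host making outbound connections on TCP/3389 to many distinct addresses with an abnormal byte volume), as an added example that is not part of the original thread. The key=value log format, field names, sample lines and thresholds are constructed assumptions; a real firewall export differs and the thresholds must be tuned to the environment.

```python
"""Flag internal hosts whose outbound RDP traffic looks like scanning or
brute-forcing: many distinct destinations on TCP/3389 plus high byte volume."""
import re
from collections import defaultdict

# Constructed sample connection-log lines in a generic key=value style.
# The field names are an assumption, not any specific firewall's format.
SAMPLE_LOG = """\
src=192.168.1.20 dst=203.0.113.5 proto=tcp dport=3389 bytes=1200000
src=192.168.1.20 dst=198.51.100.7 proto=tcp dport=3389 bytes=950000
src=192.168.1.20 dst=203.0.113.9 proto=tcp dport=3389 bytes=1100000
src=192.168.1.20 dst=198.51.100.44 proto=tcp dport=3389 bytes=870000
src=192.168.1.20 dst=203.0.113.77 proto=tcp dport=3389 bytes=1300000
src=192.168.1.31 dst=203.0.113.5 proto=tcp dport=443 bytes=40000
src=192.168.1.31 dst=203.0.113.5 proto=tcp dport=443 bytes=35000
src=192.168.1.42 dst=192.168.1.20 proto=tcp dport=3389 bytes=20000
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) bytes=(\d+)")

def parse_lines(text):
    """Yield (src, dst, dport, nbytes) per parseable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, _proto, dport, nbytes = m.groups()
            yield src, dst, int(dport), int(nbytes)

def summarize(records, port=3389):
    """Per source: (distinct destinations on `port`, total bytes on `port`)."""
    dests = defaultdict(set)
    total = defaultdict(int)
    for src, dst, dport, nbytes in records:
        if dport == port:
            dests[src].add(dst)
            total[src] += nbytes
    return {src: (len(dests[src]), total[src]) for src in dests}

def flag_suspects(text, port=3389, min_dests=5, min_bytes=4_000_000):
    """Sources exceeding both thresholds (placeholder values; tune per site),
    sorted so the host with the most distinct RDP destinations comes first."""
    summary = summarize(parse_lines(text), port)
    hits = [(src, d, b) for src, (d, b) in summary.items()
            if d >= min_dests and b >= min_bytes]
    return sorted(hits, key=lambda t: (-t[1], -t[2]))

if __name__ == "__main__":
    for src, d, b in flag_suspects(SAMPLE_LOG):
        print(f"{src}: {d} distinct RDP destinations, {b} bytes on 3389")
```

A host that legitimately administers a handful of servers over RDP will show few distinct destinations; the combination of many destinations and large volume is what separates it from the pattern the post describes.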



#2 m0le
Malware Response Team

Posted 02 March 2012 - 10:34 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le
Malware Response Team

Posted 07 March 2012 - 07:19 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE
