Hijacked hosts file redirecting web server.


This topic is locked
4 replies to this topic

#1 AVTransfer

Posted 14 March 2013 - 12:37 PM

Hi everyone. I'm new to the forum, but have been doing IT/Network Administration for about 5 years now. This is literally the one and only time I have ever been stumped. Here's a brief explanation of my issue:

We have a Windows Server 2008 RT box that serves as a file, print and web server. I'm the newest Network Admin/IT Tech for this company, and have been lucky enough to inherit a slew of problems with this particular server. Right off the bat, I noticed security was slim to none (no firewall whatsoever, no anti-virus/security software installed, no proxy, etc.). This didn't necessarily shock me, as we're a small company, but it wasn't right, so I began to take appropriate steps. That's when things went bad. After digging, I discovered that at some point in time prior to my hiring, this particular machine was used as part of a botnet (or so it seems). This machine contains absolutely no sensitive information, so I initially wanted to simply re-image. Problem is, the previous techs didn't create a backup image, nor do we have hard copies of necessary software (Microsoft SQL Library, etc.), so a re-image is, unfortunately, out of the question. I did the next best thing, and used several tools (MalwareBytes, TSSKILL, a few anti-rootkit utilities like Sophos, etc.) to remove as much as I possibly could. So far, about 99% of the threat has been eliminated.

Now, my main issue: it seems our hosts file was hijacked, and is causing a redirect to a "404 nginx" page. We don't have nginx, or even Apache for that matter, installed on this machine, so I know it's some form of malicious redirect. Strangely, this nasty thing will delete my hosts file, even after I replace/repair the existing hosts file. If I fix the hosts file, our webserver will function just fine for about 5 minutes. Then, this thing (which appears to be a hidden executable I can't detect) will automatically change/reconfigure our hosts file, and the webserver redirects improperly yet again.
I'm coming to you guys for help, as I'm stuck, and I have to get this up and running in about 2 weeks. Any and all help would be appreciated! If need be, I can post a hijack this log. Thank you in advance!
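The post above describes a hosts file that is rewritten or deleted roughly every five minutes by a process the poster cannot find. The script below is an added example, not code from this thread or from any tool the poster names, showing the approach an administrator would take to catch the writer in the act: list what the hosts file currently maps, put an audit SACL on the file and on its directory, then read the Security log for event 4663 to see which executable performed the write. It assumes Windows PowerShell started with "Run as Administrator" on the affected server, the hosts file at its default path, and the built-in auditpol.exe (present on Server 2008 and later); the function names are this example's own.

```powershell
# Added example (not from the thread): find what keeps rewriting the hosts file.
# Assumptions: elevated Windows PowerShell on the affected server, default hosts
# path, auditpol.exe available. Function names are this example's own.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Show every active (non-comment) mapping. A clean file has no active lines
#    or only loopback entries; a hijack maps your own hostnames or common sites
#    to an address you do not own (the "404 nginx" box in the thread).
function Get-ActiveHostsEntries {
    param([string]$Path = $HostsPath)
    Get-Content -Path $Path -ErrorAction Stop |
        ForEach-Object { ($_ -split '#')[0].Trim() } |   # strip trailing comments
        Where-Object { $_ -ne '' } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            $names = ''
            if ($parts.Count -gt 1) { $names = $parts[1..($parts.Count - 1)] -join ' ' }
            New-Object PSObject -Property @{ Address = $parts[0]; Names = $names }
        }
}

# 2. Audit writes to the file. Once the SACL is in place, every process that
#    writes, deletes or re-permissions hosts produces Security event 4663,
#    which names the process image.
function Enable-HostsWriteAudit {
    param([string]$Path = $HostsPath)
    # Object-access auditing for the file system is off by default. The GUID is
    # the "File System" subcategory, so this works on non-English installs too.
    auditpol /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null
    $rights = 'Write, Delete, ChangePermissions, TakeOwnership'

    # The file itself.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, 'Success, Failure')))
    Set-Acl -Path $Path -AclObject $acl

    # The containing directory, inheritable. The thread says the file is
    # sometimes deleted outright; a SACL on the old file dies with it, but a
    # freshly written replacement inherits this one.
    $dir    = Split-Path -Parent $Path
    $dirAcl = Get-Acl -Path $dir -Audit
    $dirAcl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')))
    Set-Acl -Path $dir -AclObject $dirAcl
}

# 3. After the next rewrite, read back which process touched the file. The
#    process path is parsed from the event text rather than a field index, so
#    it does not depend on the exact 4663 layout of a given Windows version.
function Get-HostsWriters {
    param([string]$Path = $HostsPath, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Path) } |
        ForEach-Object {
            $proc = '(unknown)'
            if ($_.Message -match 'Process Name:\s+(\S.*)') { $proc = $Matches[1].Trim() }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Process = $proc }
        } |
        Group-Object Process |
        Select-Object @{n='Process';e={$_.Name}},
                      Count,
                      @{n='LastSeen';e={($_.Group | Sort-Object Time)[-1].Time}}
}

# Usage:
#   Get-ActiveHostsEntries     # what the file currently maps
#   Enable-HostsWriteAudit     # set the trap, then wait for the next rewrite
#   Get-HostsWriters           # which executable is writing it, and how often
```

Two things to keep in mind when reading the result. The process named in 4663 is the one holding the handle, so if it turns out to be a legitimate host such as a service or a scheduled task, the next step is that process's loaded modules and autorun entries rather than the binary itself. And 4663 is only generated while the subcategory stays enabled, so check `auditpol /get /subcategory:"File System"` if the query comes back empty after a rewrite has clearly happened.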




#2 AVTransfer


Posted 15 March 2013 - 11:17 AM

Update:


I ran a selective startup with bare essentials in order to try to pinpoint whatever is changing the hosts file. Upon doing so, I can't resolve the server from its web address (a standard "unable to connect" page is displayed) from a workstation. After this, I ran HostsXpert in order to restore my hosts file. It restores it, but I'm still unable to connect to our webserver from an external source. Really stumped here. Any help would be very much appreciated!



#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:51 PM

Posted 15 March 2013 - 10:41 PM

Hello, please repost your second question in the Networking forum; you will be assisted better there, as at first glance this now looks like a malware or Hosts file issue, not a connection problem.


How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 AVTransfer

Posted 18 March 2013 - 10:38 AM

Will do! Thank you!



#5 boopme

Posted 21 March 2013 - 09:40 AM

Closed this thread.

