Mod Edit,Changed title as Hosts hijack is gone ~~boopme
Hi everyone. I'm new to the forum, but have been doing IT/Network Administration for about 5 years now. I originally posted this in the Windows NT/2003/2008 section (as this is effecting my Windows Server 2008 box), but was told to post here instead. This is literally the one and only time I have ever been stumped. Here's a breif explanation of my issue:
We have a Windows Server 2008 RT box that serves as a file, print and web server. I'm the newest Network Admin/IT Tech for this company, and have been lucky enough to inherit a slew of problems with this particular server. Right off the bat, I noticed security was slim to none (no firewall whatsoever, no anti-virus/security software installed, no proxy etc.). This didn't necessarily shock me, as we're a small company, but it wasn't right, so I began to take appropriate steps. That's when things went bad. After digging, I discovered at some point in time prior to my hiring, this particular machine was used as part of a botnet (or so it seems). This machine contains absolutely no sensitive information, so I initially wanted to simply re-image. Problem is, the previous techs didn't create a backup image, nor do we have hard copies of necessary software (Microsoft SQL Library, etc.), so a re-image is unfortunately, out of the question. I did the next best thing, and used several tools (MalwareBytes, TSSKILL, a few anti-rootkit utilities like Sophos etc.) to remove as much as I possibly could. So far, about 99% of the threat has been eliminated.
Now, my main issue: it seems our hosts file was hijacked, and is causing a redirect to a "404 nginx" page. We don't have nginx, or even Apach for that matter, installed on this machine, so I know it's some form of malicious redirect. Strangely, this nasty thing will delete my hosts file, even after I replace/repair the existing hosts file. If I fix the hosts file, our webserver will function just fine for about 5 minutes. Then, this thing (which appears to be a hidden executable I can't detect) will automatically change/reconfiger our hosts file, and the webserver redirects improperly yet again.
I'm coming to you guys for help, as I'm stuck, and I have to get this up and running in about 2 weeks. Any and all help would be appreciated! If need be, I can post a hijack this log. Thank you in advance!
Edited by boopme, 18 March 2013 - 01:49 PM.