
Server 2008 Enterprise - DNS hijacking, GPO locked, registry locked, help

3 replies to this topic

#1 pom355


Posted 09 April 2013 - 07:42 PM

We have a nasty form of malware on our network. It has infected our domain controller (Server 2008 Enterprise) and our local workstations (Windows 7). I don't know what it is, but I know it's there. It keeps rewriting DNS settings, it changes passwords, it locks registry keys, it keep GPO from processing, and each time I get one issue fixed, it creates another one. I have scanned with every possible scanner and nothing is showing up. I am "unjoining" the workstations from the domain just to keep them operational. Can someone help?


#2 DarkSnake-Kobra


Posted 15 April 2013 - 04:38 PM

:welcome:

I don't think we provide commercial support here. Your I.T. staff should be looking into this. You'll have to wait for a staff member to chime in on if this is accurate.

#3 pom355


Posted 15 April 2013 - 04:50 PM

I am the IT staff. I am asking for assistance. I am really struggling with some nasty stuff. This is not my first rodeo with malware. What is on here is very sophisticated, and nothing so far is picking it up or stopping it, including clean reinstalls. Here is an excerpt for a staff member to read:


I will tell you everything I have done, in the exact order, so you know what steps I have taken. 

We are running McAfee Enterprise 8.8 and Malwarebytes Corporate on the primary server and local workstations. We also have a SonicWall TZ210 with every subscription they have. We have a primary server (Dell PE 2900), ten workstations (Dell OptiPlex 360), one laptop (Sony VAIO), and one backup server (PE SC420). 

Our network started getting really slow a few weeks ago. Then all the DNS settings kept getting changed. As I began to investigate the DNS issue, and once I would get that solved, then other things started happening like GPO not processing, Administrator accounts not being elevated, unable to install any security or malware programs, Windows Update turned off and then back on, profiles not syncing to the server, file and sharing permissions changed, guest account activated on the domain controller, etc. Then local policies started being overwritten, Windows updates rolled back on the local machines, and DNS settings still being re-written. The Domain Admins were locked out of GPO, and there were registry items that are completely locked and inaccessible. Windows Firewall settings overwritten or disabled, or re-enabled with crazy settings. We changed the Admin passwords many times during all this. IPv6 tunnels were everywhere despite IPv6 being turned off, and the Microsoft Fix to disable IPv6 applied. Each time I solved any one of these challenges, another set of challenges arose.

I “unjoined” three desktops from the domain, and started working on those desktops. I changed the DNS settings where they would not communicate with the server. Ran MiniTools and just about any other tool I could get my hands on. Anytime I began work on these workstations, the primary server went crazy with activity despite the fact they were not supposed to be communicating and they were “unjoined” from the domain.

I have run many scanners, and none have picked up anything in normal mode, safe mode, and safe mode with networking on the servers and workstations. I have run these scanners:
• Sophos
• Kaspersky
• McAfee Stinger
• Malwarebytes
• Windows Security Scanner
• Windows Malicious Removal Tool

We have two separate internet lines from our DSL provider. I took five workstations off the primary network to do reinstalls. I also took the backup server off the network to do reinstalls. My plan was to reinstall each machine and put them on the second route, which is supposed to be clean, as there are no other machines or peripherals on that route. I purchased a brand new router, brand new switch, reverted the modem back to factory defaults, and set strong administrator passwords (as always). I then reinstalled the five desktops and backup server, making sure not to put any of them on the second “clean” network until McAfee and Malwarebytes were installed. I did not put any USB or jump drives in any of the units.

I have not put any of the desktops on the second route yet (all desktops are running Windows 7 32-bit – they are OptiPlex 360). This route is a static route with one primary WAN address. While working on the server (Windows 2008 Enterprise R1 on an old PowerEdge SC420) – I did the reinstall, deleted all partitions, reformatted new partitions, changed local policy to disable autoruns and enable UAC. Prior to installing any server roles or Windows Updates, I installed McAfee 8.8 from CD (the CD was burnt on my laptop, which according to all scans is not infected… it's also not showing any signs of infection). McAfee put itself into protection mode, and when McAfee needed to update definitions, I put it on the “clean” route, and as soon as it hit the internet, the screen flashed, and the DNS settings were changed. The definitions did not update, and upon restart, the Guest account was enabled, and the Administrator could no longer install security programs. When trying to copy Malwarebytes Chameleon to the desktop of the server, it would not let me copy two files, svchost and winlogon, from the Chameleon directory, despite trying everything.

The interesting thing that happened while the DNS settings were changed was... the IP address on the backup server was set as the LAN IP address of the primary server on the main route, even though it was selected to obtain the address automatically. I have all the networking equipment here in my office, and I can assure you that the two routes are not communicating with each other on the LAN side.

I still have not put any of the five workstations referenced back on the network because I am afraid they will get infected, if they are not already. I have not put any burnt CD (only the MS Win7 install CD) or USB drive into these desktops. I have disabled Autoruns and enabled UAC.

I do want to mention these few items:
• I made the mistake of using an admin password on the backup server reinstall that I used previously on the main network (strong, 17 character password).
• I burned the CD with McAfee from my laptop to use in the server reinstall.
• My laptop was on the wireless on the second route earlier in the day, however, it was not on the route when I connected the clean reinstalled server and it instantly got infected.

Last night I tried to run the MS Malicious offline scanner on my laptop (Sony VAIO). I was able to run both Microsoft Scanners in normal mode (Safety & Malicious), but I was not able to boot the computer to the offline scanner, despite many attempts. Both scans showed no infection. Malwarebytes scans show no infection. McAfee scans show no infection.



#4 tgreene5


Posted 26 April 2013 - 10:30 PM

Can you run any type of a "malware" program on your server? Do you have RRAS enabled on the server or have remote connection enabled? Can you give a listing of services (through Task Manager) that are running? This may help pinpoint what is on it. Another question, have you tried uninstalling McAfee and putting another one on? Say Norton? Just to try to see what is on the server.


Edited by tgreene5, 26 April 2013 - 10:32 PM.
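As an added example (not from the thread or any of its posters), the following PowerShell 2.0 compatible script uses WMI, the registry and netsh (so it runs on Server 2008 R1 and Windows 7 without newer cmdlets) to check the symptoms pom355 describes and to answer tgreene5's questions about running services, RRAS and remote connections. The expected DNS server address is an assumed placeholder; set it to the domain controller's real LAN address before running.

```powershell
# Added example (not from the thread); baseline values are assumed placeholders.
$ExpectedDns = @('192.0.2.10')   # assumed: the domain controller's LAN address
$Tcpip6Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-DnsDrift {
    # Report each IP-enabled adapter whose DNS server list differs from the baseline.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" | ForEach-Object {
        $nic   = $_
        $found = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $bad   = @($found | Where-Object { $ExpectedDns -notcontains $_ })
        $gone  = @($ExpectedDns | Where-Object { $found -notcontains $_ })
        if ($bad.Count -or $gone.Count) {
            New-Object PSObject -Property @{ Check = 'DNS drift'; Adapter = $nic.Description;
                Found = ($found -join ','); Expected = ($ExpectedDns -join ',') }
        }
    }
}
function Test-GuestEnabled {
    # The thread reports the Guest account being re-enabled after each cleanup.
    Get-WmiObject Win32_UserAccount -Filter "Name='Guest'" | Where-Object { -not $_.Disabled } |
        ForEach-Object { New-Object PSObject -Property @{ Check = 'Guest enabled'; Account = "$($_.Domain)\$($_.Name)" } }
}
function Test-Ipv6Tunnels {
    # IPv6 was disabled through DisabledComponents, yet tunnel interfaces kept appearing.
    $dc = (Get-ItemProperty $Tcpip6Key -ErrorAction SilentlyContinue).DisabledComponents
    netsh interface ipv6 show interfaces | Where-Object { $_ -match 'Teredo|ISATAP|6to4|Tunnel' } |
        ForEach-Object { New-Object PSObject -Property @{ Check = 'IPv6 tunnel'; Interface = $_.Trim(); DisabledComponents = $dc } }
}
function Get-ServicesOutsideWindows {
    # tgreene5 asked for the running services; surface those whose binary sits outside
    # %SystemRoot% and Program Files, the first place to look for an unknown service.
    Get-WmiObject Win32_Service -Filter "State='Running'" |
        Where-Object { $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
        Select-Object Name, StartMode, PathName
}
function Get-RemoteAccessState {
    # RDP is enabled when fDenyTSConnections is 0; RRAS runs as the RemoteAccess service.
    $deny = (Get-ItemProperty $TsKey -ErrorAction SilentlyContinue).fDenyTSConnections
    $rras = Get-Service RemoteAccess -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{ Check = 'Remote access'; RdpEnabled = ($deny -eq 0);
        RrasStatus = $(if ($rras) { $rras.Status } else { 'not installed' }) }
}

# Run every check; an empty result for the first three means nothing drifted.
@(Test-DnsDrift) + @(Test-GuestEnabled) + @(Test-Ipv6Tunnels) + @(Get-RemoteAccessState) | Format-List
Get-ServicesOutsideWindows | Format-Table -AutoSize
```

Run it from an elevated prompt and keep the output from a known-good machine as the baseline to diff against. Because a kernel-level foothold can hide from queries made on the same host, corroborate any DNS finding from outside the box, for example by capturing the host's DNS traffic at the SonicWall.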
