Windows server 2003 R2 compromised, trying to clean


5 replies to this topic

#1 snm77

snm77

  • Members
  • 17 posts

Posted 06 June 2013 - 02:05 PM

Google reported to me that one of our servers was serving up malware.  A counterpart who is the usual admin for the system found a malicious php script on the box, removed it, and shut down the web server.  He also ran patches from Windows update (not microsoft update), and I enabled the Windows firewall once he determined the infection was going to take more time to remove than he had.

 

1. I have attempted to install malware bytes AM and rootkit remover - the AM installs but gives an error that it cannot find the mbam.exe executable when you try to run it.  The rootkit remover won't install.  Likewise, I attempted to install a rootkit remover from Trend Micro, and that install also failed.

 

 

2. I downloaded rkill from this website, the version named iExplore.exe since I was having problems with other security software refusing to execute, see point 1.

Here is the rkill log:

Rkill 2.5.3 by Lawrence Abrams (Grinler)

Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 06/06/2013 11:22:00 AM in x86 mode.
Windows Version: Microsoft Windows Server 2003 R2 Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Backup Registry file created at:
 C:\Documents and Settings\smarouchoc\Desktop\rkill\rkill-06-06-2013-11-22-03.reg
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 06/06/2013 11:22:23 AM
Execution time: 0 hours(s), 0 minute(s), and 23 seconds(s)
 
Here are the contents of the .reg file it created:
REGEDIT4
 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="ljquhe_.exe"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
"Debugger"="vuxrwt_.exe"
 
I checked the registry at this location, and there are quite a few security program executables listed here with debugger options set to bogus .exe files - I presume this is why none of these security softwares will run.  The entries that rkill found are STILL in the running registry, and I cannot remove them, I get the error: Unable to delete all specified values 
 
 
3.  I managed to install Secunia PSI - the link in Secunia to install Microsoft update (versus Windows update) took me to the website, and I was able to do everything right up until I tried to run the ActiveX script it downloaded - no dice, won't install.
 
4.  My browsers won't go to windowsupdate.microsoft.com on their own - I assume Secunia has a link the malware writer doesn't cover in their code.  Other than that, I seem to have no issues getting to websites.  I checked C:\Windows\system32\drivers\etc\hosts and \lmhosts, and neither appear to have any entries other than the default ones.
 
5. When I rebooted, data execution prevention stopped a program from running:
To help protect your computer, Windows has closed this program.
Name:      Talecarr scutibra graunche
I will search the forums for this, but my hopes are not high.
 
I am going to attempt to rename mbam.exe to iExplore.exe to see if I can get it to run.  I need help determining what I should do next (first?) to try to get this system cleaned up.  I do not have easy physical access to the machine, it's a 20 minute drive away, so I have done nothing with safe mode yet.  

Thanks in advance for your time and help!!

 

Steve

 

UPDATE: One more piece of information, looking at the administrators group, there is an account called "noob" in there (heh) which no one can account for, so I've removed it from the admin group, and disabled the account.


Edited by Orange Blossom, 06 June 2013 - 02:41 PM.
Moved from Windows NT/2000/2003/2008 to AII. ~ OB



#2 chromebuster

chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 06 June 2013 - 02:50 PM

It looks like something messed up your associations, and those .exe files in the security section of the registry definitely don't look right to me.  I know that there are some files that will fix your associations, though it looks like you're only having issues with security-related applications, so chances are, this could be a rootkit, but there's no telling till we have a better look. 


The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#3 snm77

snm77
  • Topic Starter

  • Members
  • 17 posts

Posted 06 June 2013 - 02:57 PM

Yeah, this is a fairly well known way to prevent software from running, I've seen it before.  

 

I did manage to get Malwarebytes to run by renaming mbam.exe to iexplore.exe (it even updated to the latest dats), and it removed several things. I'm still getting the DEP problem, so all is not well.  But I CAN run mbam.exe as itself now, and all the bad entries that were in the registry are gone - for now. 

Here is the log from the malware bytes run:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.06.06.08
 
Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
smarouchoc :: MAIL [administrator]
 
6/6/2013 3:14:48 PM
mbam-log-2013-06-06 (15-14-48).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 489587
Time elapsed: 25 minute(s), 51 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 6
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe (Security.Hijack) -> Quarantined and deleted successfully.
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 1
HKLM\SYSTEM\CurrentControlSet\SERVICES\SCHEDULE\PARAMETERS|ServiceDll (Hijack.Schedsvc) -> Bad: (%SystemRoot%\system32\schedsvcsgn.dll) Good: (%SystemRoot%\system32\schedsvc.dll) -> Quarantined and repaired successfully.
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 3
C:\Program Files\Merak\html\mail\64.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Merak\html\mail\smkc.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\schedsvcsgn.dll (Hijack.Schedsvc) -> Delete on reboot.
 
(end)
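The two persistence mechanisms that show up in this thread, the Image File Execution Options "Debugger" redirections from the rkill .reg backup in post #1 and the Schedule service ServiceDll swap from the Malwarebytes log above, can both be audited from an elevated PowerShell prompt on the affected host. The script below is an added example written for this page; it is not code from the thread, from rkill or from Malwarebytes. It assumes PowerShell 2.0 or later, that it is run as an administrator, and that the expected ServiceDll table (only the Schedule entry is filled in, taken from the log above) is extended by the reader for their own OS build.

```powershell
# Added example (not from the thread or from any tool named in it): audit IFEO
# Debugger redirections and svchost-hosted ServiceDll paths on a live Windows host.
# Assumptions: elevated PowerShell 2.0+; the expected-DLL table below is illustrative.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Expected ServiceDll values (assumption: extend per OS build; the Schedule entry is
# the "Good:" value reported in the Malwarebytes log in this thread).
$ExpectedServiceDlls = @{
    'Schedule' = '%SystemRoot%\system32\schedsvc.dll'
}

function Get-IfeoDebugger {
    # Each IFEO subkey is named after an executable. A "Debugger" value makes the loader
    # start that program instead of the executable, which is how mbam.exe, rstrui.exe and
    # the others in this thread were being redirected to bogus .exe files.
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            New-Object PSObject -Property @{
                Executable = $_.PSChildName
                Debugger   = $props.Debugger
            }
        }
    }
}

function Test-ServiceDll {
    param([string]$ServiceName, [string]$ExpectedDll)
    # Get-ItemProperty expands REG_EXPAND_SZ values, so expand the expected path too
    # before comparing; otherwise %SystemRoot% never matches C:\WINDOWS.
    $params   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $actual   = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $expected = [Environment]::ExpandEnvironmentVariables($ExpectedDll)
    New-Object PSObject -Property @{
        Service  = $ServiceName
        Expected = $expected
        Actual   = $actual
        Matches  = (($actual -ne $null) -and ($actual -ieq $expected))
    }
}

# 1. IFEO report. On a server with no debugging tools installed, any Debugger value
#    deserves a look; random names such as "ljquhe_.exe" are the pattern from this thread.
$hijacks = @(Get-IfeoDebugger)
if ($hijacks.Count -gt 0) {
    $hijacks | Format-Table Executable, Debugger -AutoSize
} else {
    'No IFEO Debugger values found.'
}

# 2. ServiceDll report. A mismatch means svchost is loading a substitute DLL for that
#    service (the schedsvcsgn.dll case above).
$ExpectedServiceDlls.GetEnumerator() | ForEach-Object {
    Test-ServiceDll -ServiceName $_.Key -ExpectedDll $_.Value
} | Format-Table Service, Matches, Actual, Expected -AutoSize

# 3. When a Debugger value refuses to delete ("Unable to delete all specified values"),
#    inspect the key's owner and ACL; a key whose ACL no longer grants Administrators
#    access explains the symptom. Replace mbam.exe with the key in question.
# Get-Acl -Path "$IfeoPath\mbam.exe" | Format-List Owner, AccessToString
```

The script only reports; it does not delete anything, so it is safe to run before and after a cleanup to confirm that the entries are really gone rather than hidden. Step 3 is commented out because which key to examine depends on what step 1 finds.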


#4 chromebuster

chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 06 June 2013 - 04:09 PM

The DEP thing is interesting; I'm not sure I've ever seen it pop up in my life.  I'm just curious, what antivirus is being used on this server?  And also, what has it managed to find?  If you have not scanned with it for a while, then I'd recommend you run a scan.  Reply back with what you find.  And good thing you disabled that "noob" account, because somebody's not in their right mind if they would call an account that, especially in the administrator's group!  If no one can account for it, then it's got to be a piece of malware that does that to servers, though in all of the malware analyses I've read, I have never seen that as a symptom of any particular variant. 



#5 snm77

snm77
  • Topic Starter

  • Members
  • 17 posts

Posted 06 June 2013 - 06:09 PM

There was no AV on this server (ugh), but even if there had been, it would have done no good.  The thing was open to the internet on ports 80, 443, 445, 3389, 25, and 110.  There was a network firewall between it and the Internet, but all those ports were just open.  No one patched the server for more than a year - and it had SQL installed.   There was no way such a machine could go un-p0wn3d, with active AV or not.  I have class tonight, if I get done at a reasonable hour, I'll VPN into the network and see what else I can do to get more information.



#6 snm77

snm77
  • Topic Starter

  • Members
  • 17 posts

Posted 07 June 2013 - 08:31 AM

I discovered today that the person that said they patched the system didn't read the results too closely - the patches failed.  I turned on automatic patching and attempted to install the 90 patches the system is missing, and while it downloaded and attempted to install the patches, all 90 failed to install.

 

I also ran a MS fixit to disable Doctor Watson.  It appears there is a malicious version of Dr Watson running - it seems to be too large for the actual dwwm.exe file by a bit, and if I bring over a copy of the REAL executable and run it, it locks the system.  I still need help on this, for sure.

 

UPDATE:  after running the ms fixit to shut off Dr Watson on server 2003, the Dr. Watson process was still running.  I did a shutdown -r -f on the server, and once it had finished rebooting (I'm remote, mind), I connected using mstsc /admin so I'd be in at the console.

 

I still get the 

To help protect your computer, Windows has closed this program.
Name:      Talecarr scutibra graunche
message on start up, but I was finally able to get to Microsoft Update and patches are installing successfully, at least that's what the system now claims.  I CANNOT get to Windows Update directly through the link in IE8 - but if I link to it from the "automatic update" properties page on My Computer, I can get to it and install software.
 
While patching, I got an error that Windows - Virtual Memory Minimum Too Low, the system is low on virtual memory, Windows is increasing the size of your virtual memory paging file.  During this process, memory requests for some applications may be denied. So far, patches are still installing while this is going on.

Edited by snm77, 07 June 2013 - 09:23 AM.
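The post above decides that the running Dr. Watson binary is an impostor because its size is "a bit" larger than expected. Size alone is a weak indicator; a hash comparison against a known-good copy from the same OS build and service pack, plus a look at the Authenticode signature, settles the question. The script below is an added example for this page, not code from the thread; it assumes PowerShell 2.0 or later (so it hashes with .NET rather than the newer Get-FileHash), and both file paths are placeholders to be replaced with the suspect executable and a clean reference copy.

```powershell
# Added example (not from the thread): compare a suspect system executable with a
# known-good copy from a clean install of the same build and service pack.
# Assumptions: PowerShell 2.0+; the two paths at the bottom are placeholders.

function Get-FileSha256 {
    param([string]$Path)
    # Get-FileHash does not exist on older PowerShell, so hash through .NET directly.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Compare-Binary {
    param([string]$Suspect, [string]$Reference)
    $s = Get-Item -Path $Suspect
    $r = Get-Item -Path $Reference
    $suspectHash   = Get-FileSha256 -Path $Suspect
    $referenceHash = Get-FileSha256 -Path $Reference

    # Many Windows system binaries are catalog-signed rather than embedded-signed, so a
    # status of NotSigned is not by itself proof of tampering. The hash mismatch against
    # the clean copy is the decisive check; the signature is supporting evidence.
    $sig    = Get-AuthenticodeSignature -FilePath $Suspect
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        SuspectPath     = $s.FullName
        SuspectSize     = $s.Length
        ReferenceSize   = $r.Length
        SizeDelta       = ($s.Length - $r.Length)
        SuspectSha256   = $suspectHash
        ReferenceSha256 = $referenceHash
        SameHash        = ($suspectHash -eq $referenceHash)
        SignatureStatus = $sig.Status
        Signer          = $signer
    }
}

# Placeholder paths (assumption): point these at the binary in question and at a copy
# taken from clean installation media or an uninfected machine of the same build.
Compare-Binary -Suspect "$env:SystemRoot\system32\SUSPECT_PLACEHOLDER.exe" `
               -Reference 'D:\clean-reference\SUSPECT_PLACEHOLDER.exe' | Format-List
```

If SameHash is false, the next useful step is to hash every running process image the same way and compare against the reference set, rather than trusting names or sizes in Task Manager; the impostor described in the post was found precisely because its name matched the real one.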




