View Full Version : hidden system32\winlogon.exe

adaquino
2007-10-01, 01:38
Hi,
I am the administrator of a Win2k server with several web sites running ASP and ASP.NET 1.1 & 2.0. On the same server I also run an instance of SQL Server 2000 and Merak Mail Server.
The OS and all the other software are updated and patched very, very frequently.
The server is behind a hardware firewall and only ports 80 & 21 are open to the whole world, while I can access Terminal Services only from a predefined IP.
Recently I discovered that a hacker had installed some malware on the server. I don't know how it was possible. Perhaps another server on the same network behind the firewall was infected, or there is some bug in one of the hosted sites. I double-checked all the web and FTP logs but I couldn't find anything.
I discovered the problem roughly 24 hours later. The malware installed was htran.exe
https://forum.eviloctal.com/simple/index.php?t6482.html
It was running in several instances under the IIS account (IWAM_machinename) and the SYSTEM account. There were also some instances of command.com. The hacker also ran a copy of the Cain & Abel software on the system to crack the users' passwords. He also changed the ASPNET account in order to make the ASP.NET processes run with administrator privileges.
Anyway: I stopped all the malware processes, reset the ASPNET account, changed all the administration passwords and ran several antivirus and anti-spyware programs.
Now the problem: when I start up the server, I have a hidden system32\winlogon.exe instance running. The file is the legitimate winlogon file (I checked the certificate, size and modification date), but it is running as a hidden process alongside two other visible system32\winlogon processes (one for the interactive session and one for my Terminal Services connection). There are no other hidden processes. (I am using HiddenFinder & Spyware Browser.)
When I try to force-kill the hidden process, suddenly ALL the system processes become hidden: IIS, SQL Server, ASP.NET and so on. Only my current session's processes remain visible.
The hidden processes are not restarted as hidden. They just become hidden (the PID does not change), and they continue working perfectly. The hidden winlogon process, on the other hand, is not restarted. If I restart one of the hidden services (e.g. IIS), all the related processes are started as normal, visible processes.
If I restart the server, at the first login I have the hidden winlogon process again.
Can anyone help me understand what's happening? Please consider that restarting the server in safe mode is difficult for me, as I am far away from the place where the server is housed, so this should be my last option.
Thank you very much
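Added example, not part of the original post and not the poster's tools: a Windows PowerShell 5.1 triage script for a current Windows host that does from the console the checks the post describes doing by hand. It cross-views the process list through three enumeration paths and reports PIDs they disagree on, checks that winlogon.exe runs once per session and from System32, records the binary's signature and hash for comparison with a known-clean host, lists IIS/ASP.NET service identities that sit in the local Administrators group, and maps listening sockets to their owning process (htran is a port relay, so it needs a listener). The account-name patterns, the expected path and the function names are assumptions. Caveat: all three enumerations are user-mode views, so a kernel rootkit that hooks the common path hides from all of them; this complements a kernel-level hidden-process scanner rather than replacing it, and a disagreement can also be a process that exited between calls, so re-run before drawing conclusions.

```powershell
# Added triage script (not from the original post). Written for Windows
# PowerShell 5.1 on a supported Windows version; run from an elevated prompt.
# Account-name patterns and the expected winlogon path below are assumptions.

# 1. Cross-view process enumeration: collect PIDs from three independent
#    sources and report any PID that not every source agrees on. A rootkit
#    that hooks one enumeration path but not another shows up as a gap; so
#    does a process that exits mid-run, so re-run before concluding anything.
function Get-ProcessViewGaps {
    $viaDotNet = @(Get-Process | ForEach-Object { [int]$_.Id })
    $viaWmi    = @(Get-WmiObject Win32_Process | ForEach-Object { [int]$_.ProcessId })
    $viaTask   = @(tasklist /FO CSV /NH |
                   ConvertFrom-Csv -Header ImageName,PID,Session,SessionNum,Mem |
                   ForEach-Object { [int]$_.PID })
    $all = @($viaDotNet + $viaWmi + $viaTask) | Sort-Object -Unique
    foreach ($id in $all) {
        $seen = @()
        if ($viaDotNet -contains $id) { $seen += 'Get-Process' }
        if ($viaWmi    -contains $id) { $seen += 'WMI' }
        if ($viaTask   -contains $id) { $seen += 'tasklist' }
        if ($seen.Count -lt 3) {
            [pscustomobject]@{ PID = $id; VisibleVia = ($seen -join ',') }
        }
    }
}

# 2. winlogon.exe sanity: one instance per session, all started from System32.
#    Two winlogon processes sharing a SessionId, or one outside System32,
#    deserve a closer look. Paths come from WMI because Get-Process cannot
#    read the image path of SYSTEM processes from a non-elevated shell.
function Get-WinlogonAnomalies {
    $expectedPath = Join-Path $env:SystemRoot 'System32\winlogon.exe'
    $byPid = @{}
    Get-WmiObject Win32_Process -Filter "Name='winlogon.exe'" |
        ForEach-Object { $byPid[[int]$_.ProcessId] = $_.ExecutablePath }
    Get-Process -Name winlogon -ErrorAction SilentlyContinue |
        Group-Object SessionId |
        ForEach-Object {
            foreach ($p in $_.Group) {
                $path  = $byPid[[int]$p.Id]
                $flags = @()
                if ($_.Count -gt 1) { $flags += 'shared-session' }
                if ($path -and ($path -ne $expectedPath)) { $flags += 'unexpected-path' }
                if ($flags) {
                    [pscustomobject]@{ PID = $p.Id; Session = $p.SessionId; Path = $path; Flags = ($flags -join ',') }
                }
            }
        }
}

# 3. Is the binary what it claims to be? Signature status plus a hash you can
#    compare against the same file on a known-clean, identically patched host.
function Get-WinlogonIdentity {
    $file = Join-Path $env:SystemRoot 'System32\winlogon.exe'
    $sig  = Get-AuthenticodeSignature -FilePath $file
    [pscustomobject]@{
        Path      = $file
        Signature = $sig.Status            # anything but 'Valid' needs explaining
        Signer    = $sig.SignerCertificate.Subject
        Sha256    = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
    }
}

# 4. Service accounts that should never be local administrators. IWAM_*/IUSR_*/
#    ASPNET are the Windows 2000/2003-era IIS and ASP.NET identities the post
#    mentions; IIS_IUSRS is the modern group. Extend the pattern to your setup.
function Get-PrivilegedServiceAccounts {
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    $members | Where-Object { $_ -match '^(IWAM_|IUSR_|ASPNET$|IIS_IUSRS$)' }
}

# 5. Listening sockets mapped to their owning image. A port relay such as htran
#    needs a listener; a listener owned by an unexpected image, or by a PID that
#    only some enumerations can see, is the thing to chase first.
function Get-ListenerOwners {
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }
    netstat -ano | Select-String ' LISTENING ' | ForEach-Object {
        $f = $_.Line.Trim() -split '\s+'       # Proto Local Foreign State PID
        [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; PID = [int]$f[4]; Image = $names[[int]$f[4]] }
    }
}

Get-ProcessViewGaps           | Format-Table -AutoSize
Get-WinlogonAnomalies         | Format-Table -AutoSize
Get-WinlogonIdentity          | Format-List
Get-PrivilegedServiceAccounts
Get-ListenerOwners | Sort-Object PID | Format-Table -AutoSize
```

Run it twice a minute apart and only treat a PID as suspicious if it is missing from the same view both times; transient processes (the tasklist and netstat children this script itself spawns, for instance) will otherwise produce noise. Anything it flags is a lead to pull on a live-response image or with a kernel-level tool, not a verdict on its own.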

adaquino
2007-10-01, 02:41
Here is the HijackThis log file. For security reasons I have masked the DNS IPs.