I have a few servers under my control and of these 8 of them are exhibiting something strange. The only thing these 8 servers have in common is that they are Windows 2003 ... we found some ports open to vip762.3322.org on these servers the other night and are trying to figure out what is happening ...
What we know -
The ports are NOT the same on each box, although there are some common ports but not across all of the boxes, i.e. - 3 or 4 of them may have port 1114 open, but not the other 4 boxes ...
Some of the ports connect to microsoft-ds, some to LDAP, some to just other ports ...
There doesn't seem to be a huge decrease in available bandwidth across the network
the 3322.org is the Chinese DNS Responder that had something to do with the SQL Injection Attacks from not too long ago, and the same one from the ActiveX Video vulnerability.
Blackholing thru DNS doesn't stop the connections
Antivirus (AVG, McAfee Stinger, and the MSRT) does not find any problems on these machines, it does occasionally find bad files in user folders, or email (if the server has exchange running)
These servers are both Standard 2003, and SBS 2003 ... some of them have the websites running on them and others have absolutely no firewall ports open for inbound connections.
The only software in common between these servers is our Kaseya Agent software, and Kaseya's version of VNC, along with standard security patches (all boxes are completely patched up to date) - Some boxes run QuickBooks Server, some run QuickBooks (07 thru 09) and some run MSDE 2000, some don't run any SQL at all .... some can be accessed via RDP and others can not be accessed at all (except thru Kaseya)
This is really annoying as it appears to be something new and latent, perchance a new version of Conficker or something like that?
Anyone got any ideas on what to try and what to look for, etc ...
Try scanning with hitman pro cloud scanner
http://www.surfright.nl/en
The Hitman Pro file was NOT the one causing the port connections ... I did notice something however on the reboot after running Hitman ... and confirmed this by rebooting another server with symptoms ... the ports that connect to the vip762.3322.org are different ones on each reboot for that machine .... so we're still stuck not knowing what this is or how to correct it and close these ports short of getting a firewall and closing down all outbound connections. Personally I'd rather find out what this is that is causing the ports to open in the first place ... BTW no Windows 2008 or 2000 servers have been affected, nor has any workstation OS either ... just the 2003 Servers, and not all of my 2003 servers either ....
Not too well up on these matters but run Active Ports and it should show you a remote IP to see where it's going
http://majorgeeks.com/Acti
You could try scanning with malwarebytes and see if it picks up on anything
Malwarebytes http://www.malwarebytes.or
Host does resolve to Houston,Texas,US.
Could you run Autoruns (don't make any changes within Autoruns)
Autoruns http://technet.microsoft.c
Within Autoruns,select the file tab and select save(Ctrl+S)
Upload that file here.
TBK:
Your systems are more than likely infected with a rootkit and all of your data is being exfiltrated to a foreign country. It is also very likely your systems have given up complete admin control to an external party.
3322.org aka theplanet.com is a hotbed of foreign national hacker activity and is very well known to host old and new exploits.
My triage recommendation would be to turn off internet access to these systems if possible until you can determine the depth to which your systems have been compromised.
There is a chance you can do some of the analysis yourself, but if those servers house any kind of personal/sensitive/company
The first thing you likely want to determine is what computer process is responsible for these connections. I recommend a small and very effective tool called TCPView. This will show you a list of your open connections and tie it back to the process on your computer that is initiating these connections. Second, you can try running another utility called Process Explorer on whichever process(es) are responsible for the connections. This might be able to give you a more granular view into what specific files you are dealing with.
Once the files are identified, copy them and submit them to www.virustotal.com and see if you get any hits. If you find a product that detects these as trojans/rootkits, I'd recommend buying whatever that product is and running it against your servers.
Lastly, I'd also recommend you block the entire 61.160.128.0/17 and 74.52.0.0/14 subnets on your border devices. You will still see connections outbound from your servers, but at least you should be able to check the router logs and see that they are being dropped.
Sorry to hit you with what I'm sure is news you don't want to hear, but trust me when I tell you your servers are 99.99% compromised. I've dealt with this domain and their "products" professionally for 3 years.
Depending on the size of your company and the kind of data you process, you may still need to bring in some computer security analysts and forensics investigators to make sure you got the entire threat and that this isn't just the tip of the iceberg (i.e. all your passwords have been compromised, all your workstations are also infected, your systems are being keylogged, etc).
I don't offer this service, but I can recommend some companies if you get to that point.
http://technet.micro
http://technet.mi
P.S. If you are seeing active connections to these addresses but they aren't showing up in TCPView, then you are definitely infected with a rootkit that is specially designed to hide itself from utilities like TCPView.
You may want to run GMER rootkit revealer as well. It's not super user friendly, but it is VERY good.
Malleus -
As of right now there is nothing flowing thru those ports, no info, nothing, just sitting there and waiting ... I found the connections using a simple tool - netstat -a ..... and interestingly enough when I netstat -aon to find out which processes are running to which ports only the ports that are connected to the far end's LDAP ports show up and those show up as DNS.exe and w3wp.exe as the processes responsible for opening those ports, and they show as connected back to the loopback at 127.0.0.1 in the netstat -aon command .... so perhaps my blackholing the DNS in the first place is actually working and blocking them out from info being sent anywhere now, or any commands coming in - and my logs show from before I identified these ports that very little if any info at all ever flowed thru those ports to begin with ... I think I am looking at a new virus/malware (in fact pretty sure of it at this point -- and it looks like I've got it pretty well sandboxed at the moment too) the servers do not contain any sensitive data at all they're mostly just gateway servers, and the real data servers behind those are not exhibiting the same problems - believe me if they do I will immediately pull them offline ... so for the moment I believe I'm fairly safe to keep playing with this to see where it leads ...
I will double check with TCPView and ProcessExplorer as well to be sure I am seeing the same things there as well ... thanks so far ...
Running TCPView also showed that there were no real connections to the malware site ... only loopbacks to the server itself and it also showed what netstat -aon showed that the DNS and w3wp were the only 2 ports that actually corresponded to the ports that netstat -a showed as being connected to the malware site .... so this is confusing now ... like I said I am pretty sure I've found something latent and just waiting to go off at a future date ... since we have AVG contracted for the antivirus on these servers we're trying to get them to take a deeper look into these servers and see if they can find something as well ...
Anyone else have any ideas on things to check in order to find/figure out exactly what is happening? These are small businesses that can not really afford to hire a forensics team to do this type of research as well ... hence why I am trolling for answers here ... thanks again for all the help that has been offered so far, and hopefully all the help to come!
Noted in the K forum... You might want to confirm that the kill bits were actually set and stayed set regardless of whether the patch was indicated as applied. The fact that 2008 is not affected matches with the original exploit. It won't help you fix the problem but it's another thing for folks to look for if you are in fact an early recipient of something related but new. Just thinking out loud.
Ok so it looks like you are running IIS 6.0 on these servers and it is your webhosting cluster then?
I would still copy the dns.exe and the w3wp.exe and submit them to virustotal.com just to doublecheck yourself and be on the safe-side.
In addition to trying to figure out why these systems are connecting to known bad foreign malware sites, the question remains as to how they got exploited in the first place. Is there a trust relationship in place between all of these servers? So if an attacker was to exploit one of them, could he then use the credentials from that server to access the rest?
Connections to this IP with little traffic indicate either a beacon scenario where it's just keeping tabs with the mothership letting it know it is still there or possibly a persistent reverse-shell where the attacker has constant access to cmd.exe with administrative privs. Just because these are going out through DNS and LDAP ports, doesn't mean that this is what is actually travelling out via those ports, just that these may be the only ports that were open to communicate.
The w3wp.exe process is the IIS application pool process. According to Microsoft, you should be able to narrow down which website is attached to that process via the following command.
---- copied from http://weblogs.asp.net/ows
Micro
The script is already placed in systemroot\system32 on Windows Server 2003 so simply go to your Command Prompt and type in iisapp.vbs (the .vbs is optional) and you'll have an instant list of all the App Pool information you've always wanted to know. You may need to type cscript iisapp.vbs instead if CScript isn't your default WSH script host.
Let's see an example of the output:
Here is an example of the output.
W3WP.exe PID: 1468 AppPoolId: AppPoolForSite1.com
W3WP.ex
W3WP.exe
Direct from the horse's mouth, Microsoft documents this:
http://www.microsoft.com/r
-----------
This might help narrow it down to which site might be compromised or potentially even hosting malware that is being served from a compromised site.
Give that a shot, and let us know.
The iisapp.vbs shows 2 app pools connected to w3wp.exe, neither of which has a PID matching the one from before - 1 is the DefaultAppPool and the other is the ExchangeAppPool ... NOTE HERE - not all of these boxes are running Exchange; yes all of them do have IIS set up, but not all are accessible from the outside either. NAT boxes are in place in front of all of these to allow only certain ports in, but some of these have no holes in as well, whereas some have full access to all the ports a 2003 SBS Server wants open - Remote Desktop, SMTP, FTP, etc ...
BTW both dns.exe and w3wp.exe cleared thru virustotal.com as clean
Let's see how protected or naked you are. I am going to give you some methods to allow you to see what a hacker sees from the outside world.
__________________________
Please review this portlist and tell me what applications are listening on those ports.
http://www.iana.org/assign
You can also run "Netstat" at the command prompt to see open/listening ports. these are your active ports.
__________________________
Remember, you are behind a layer 3 hardware router/NAT firewall, so you are relatively safe for now. Tell me a little about your router. It might be a good idea to put you on the access list to deny any authentication from the outside world. Do you use Citrix, have domain authentication from the outside or have VPN connections through your router? If not, let's lock this down from the outside, so there is no doubt.
So, go to this web site that is a legitimate port scanner. It will tell you how naked you are to the outside world. Run the program called Shields UP. It will scan all ports up to a certain point, I can't remember what port that was.
This will allow you to see what a hacker sees from the outside of your domain.
http://www.grc.com/intro.h
__________________________
Check your event logs under the security events to see if you have a bunch of failed logons. If so, they may have an open path to you but no way to log on and authenticate. One of the prime symptoms of the Conficker/Downadup virus is a lot of failed logons and the inability to contact any antivirus web site (like Symantec or McAfee).
__________________________
Now, run Hijackthis and copy/paste and post it on this web site. This will show trojans, worms and keyloggers pretty well.
http://www.hijackthis.de/
__________________________
We will check for root kits if all else comes up clean:
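The failed-logon check above is easiest to do over an exported log rather than by scrolling Event Viewer. The script below is an added example, not from this thread: it reads a Security log exported to CSV from Event Viewer (assumed columns Date,Time,Source,Type,Category,Event,User,Computer,Description), keeps the failed-logon events (ID 529 on Windows 2000/2003, 4625 on later versions), and counts them per account, source workstation and logon type so that a burst of network (type 3) failures against one account from one machine stands out. The event lines are constructed for the example.

```python
"""Summarise failed-logon events from a Security log exported as CSV.
Added example (not from the thread); sample rows are constructed and the
export column layout is assumed, as is the event ID mapping noted below."""
import csv
import io
import re
from collections import Counter

# 529 = "Logon Failure" on Windows 2000/2003; 4625 = the equivalent on Vista/2008 and later.
FAILED_LOGON_IDS = {"529", "4625"}

# Constructed sample export; descriptions shortened to the fields this script reads.
SAMPLE_CSV = """\
Date,Time,Source,Type,Category,Event,User,Computer,Description
10/30/2009,23:58:01,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SBS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WS-17"
10/30/2009,23:58:03,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SBS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WS-17"
10/30/2009,23:58:04,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SBS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WS-17"
10/30/2009,23:58:06,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SBS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WS-17"
10/31/2009,08:02:11,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SBS01,"Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CORP Logon Type: 2 Workstation Name: SBS01"
10/31/2009,08:02:30,Security,Success Audit,Logon/Logoff,528,CORP\\jsmith,SBS01,"Successful Logon: User Name: jsmith Domain: CORP Logon Type: 2 Workstation Name: SBS01"
"""


def parse_failed_logons(text):
    """Yield (user, workstation, logon_type) for every failed-logon row in the export."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["Event"] not in FAILED_LOGON_IDS:
            continue  # successes and unrelated audit events are ignored
        desc = row["Description"]
        user = re.search(r"User Name:\s*(\S+)", desc)
        ws = re.search(r"Workstation Name:\s*(\S+)", desc)
        ltype = re.search(r"Logon Type:\s*(\d+)", desc)
        yield (user.group(1) if user else "?",
               ws.group(1) if ws else "?",
               ltype.group(1) if ltype else "?")


def failed_logon_summary(text, threshold=3):
    """Return (counts, flagged): counts per (user, workstation, logon_type)
    and the keys that reach `threshold` failures."""
    counts = Counter(parse_failed_logons(text))
    flagged = [key for key, n in counts.items() if n >= threshold]
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = failed_logon_summary(SAMPLE_CSV)
    for (user, ws, ltype), n in counts.most_common():
        print(f"{n:4d}  user={user:<15} from={ws:<10} logon_type={ltype}")
    print("over threshold:", flagged)
```

Logon type 3 is a network logon; a long run of type-3 failures against one account from one workstation is the pattern the post describes for Conficker-style password guessing, and the source workstation name points at which machine to examine next.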
GRC I ran awhile back - only the ports that I want open are actually showing open thru them - SMTP, FTP, Remote Desktop, VPN, etc ... Netstat -a is actually how I came across this anomaly in the first place on these boxes ... again keep in mind, while I use NAT routers (Linksys routers) not all of them have the same ports open - at least 1 box has nothing port forwarded, 2 or 3 of them have all the ports that SBS 2003 suggests open, the rest are somewhere in between - from just SMTP and HTTP, etc ...
I had not checked for failed logins - will do that and see what that shows ... and will run HiJack this as well in the AM and will post all results here tomorrow AM ...
OK, at this point, I think we should get an idea of what ports and what is supposedly in contact with your server on those ports. If your NAT firewall isn't allowing traffic through those ports, you shouldn't have anything to worry about.
The significance of a NAT router/firewall is your application ports as well as your entire PRIVATE IP space will be stealth from port scanners. The only way for your domain to be accessed is through your VPN tunnel, a trojan that allows communications between the two and provides the route as well as authority to communicate with it. If your passwords are strong passwords, I don't think you have anything at all to worry about. Kerberos authentication is certainly very strong, unlike LMhash and NTLMhash.
Though things seem suspicious, you probably don't have anything to worry about.
So, let's start studying who, and what is really going on. I don't think you have malware on your DCs. So, you will probably not see too many failed logons.
After reading through this thread I'm a bit surprised nobody mentioned the possibility of a local workstation being compromised rather than the server. DNS may show the open port, but it could be because a client machine is getting it to resolve the domain.
If the servers seem benign, then I would start scanning local workstations to see what's up.
An iterative query through DNS means the client will seek its own DNS query.
A recursive query for DNS means that the server will perform an iterative query on behalf of the client. Many people saw this as a potential IT security threat to enable recursive lookups and also DNS forwarders.
This is why it is important to determine what port we are looking at. The DNS server could be doing DNS queries on behalf of the client. But, forwarders and recursive lookups need to be enabled and configured.
Netman is right on the server performing DNS queries for the client.
Agreed concerning the w3wp process, that is a little puzzling if the server shows no signs of activity relating to this.
Would it be possible that a redirect to a client is at play via a compromised default page within IIS - thus leveraging the service on the server without actually triggering malicious traffic directly?
I'd be tempted to start a Network Monitor on the inside interface of the router to see if any traffic from inside is moving out to that Chinese site. At least this may help trace the flow.
BTW, I believe that this behavior is happening at multiple of TBK's clients' sites. If this is an invasion of sorts then the commonalities are:
the kaseya server at TBK's HQ and whatever flows through the Kaseya tunnel
the security setup be it firewalls, AVG, patching, etc that are determined by TBK's kaseya configuration
(which in all likelihood is nearly identical - to facilitate easier management (ours are at any rate)).
Possibly the ISP and DNS providers.
I will check a sampling of our managed systems.
We still should know the port we are looking at.
If the server performs a query on behalf of the client (a recursive query), it will only pass down the resolution to the client. In other words, the server will not act as a proxy between the client and the remote site.
So, after the recursive query was answered, traffic would stop. The client would then contact the site directly. This is why DNS is really not a heavy traffic protocol on the server.
If the port number is port 53, I would be willing to bet Netman was right on his original thought. It would most likely be a recursive query on behalf of a client machine. If that is the case, you can prevent access from that remote client using the NAT firewall. This would be firewall specific.
For Cisco, as an example, you could deny access to that site by putting the IP of the site on the access list deny all traffic of the remote site's IP.
The lines from netstat -aon are as follows --
TCP 127.0.0.1:14757 127.0.0.1:389 ESTABLISHED 1592=DNS.exe (by tasklist)
TCP 127.0.0.1:17390 127.0.0.1:10080 CLOSE_WAIT 3840=W3WP.exe (by tasklist)
and the lines from netstat -a are as follows --
TCP server:ldap vip762.3322.org:14757 ESTABLISHED
TCP server:ldap vip762.3322.org:17473 TIME_WAIT
TCP server:1055 vip762.3322.org:ldap CLOSE_WAIT
TCP server:1072 vip762.3322.org:ldap CLOSE_WAIT
TCP server:1116 vip762.3322.org:ldap CLOSE_WAIT
TCP server:1130 vip762.3322.org:ldap CLOSE_WAIT
TCP server:1216 vip762.3322.org:ldap CLOSE_WAIT
and 2 more lines a bit farther down are --
TCP server:14757 vip762.3322.org:ldap ESTABLISHED
TCP server:17390 vip762.3322.org:10080 CLOSE_WAIT
So this is NOT happening on Port 53 ...
Netman - not possible that it is on workstations as one location is just a server, no workstations at all ...
ChiefIT - yes all the servers are set to use recursive DNS and forwarders are set to OpenDNS DNS Servers ... the entire domain of 3322.org is blackholed/blocked from there ...
GandZ is right: the commonalities between the affected units are only the connection to my K Server and the usage of OpenDNS for DNS forwarding. Other than that - different software, different dime store routers, different usage by the clients, etc. Some servers are by themselves, some serve webhosting, some do remote desktop, some do Exchange email, etc ... However Kaseya has checked my KServer for abnormalities and cleared it and then closed my ticket on this issue from them - didn't even let me get AVG involved for the KES/AVG licenses thru them ....
BTW -- HJT didn't find anything out of the ordinary either ... this thing seems to be sandboxed fairly well with the DNS blocked to the actual site ... but it's still strange to have this happening - I am getting permission to rebuild/reload one of the affected machines - I want to see if after it is rebuilt the anomaly stops or if it restarts right away ... this will take some time tho, but if we haven't solved it any other way before then I'll post the findings here ...
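The thread does this correlation by hand: Malleus's advice to tie each connection to its process (and to watch for the 61.160.128.0/17 and 74.52.0.0/14 ranges), the iisapp.vbs step for mapping a w3wp.exe PID to its application pool, and TBK's two netstat listings that show the same sockets once with names and once numerically. The script below is an added example, not from the thread, that joins those four outputs on local/remote port: for every `netstat -a` line whose peer displays the suspect name it reports the numeric peer from `netstat -aon`, the owning process from `tasklist`, the app pool from `cscript iisapp.vbs` when the process is w3wp.exe, whether the numeric peer is loopback, and whether it falls inside the suggested subnets. The sample outputs are constructed from the lines quoted in the thread (the app-pool PIDs are made up). One check worth keeping in mind when reading the result: `netstat` without `-n` reverse-resolves addresses, and that lookup consults the hosts file, so the numeric output is the one that says where the peer actually is.

```python
"""Join `netstat -a` (names resolved), `netstat -aon` (numeric + PID), `tasklist`
and `cscript iisapp.vbs` output to pin each suspect connection to a numeric peer,
a process and (for w3wp.exe) an IIS app pool.  Added example, not from the
thread; the samples below are constructed from the lines it quotes."""
import ipaddress
import re

# Constructed samples modelled on the output pasted in the thread.
NETSTAT_A = """\
  TCP    server:ldap            vip762.3322.org:14757    ESTABLISHED
  TCP    server:14757           vip762.3322.org:ldap     ESTABLISHED
  TCP    server:17390           vip762.3322.org:10080    CLOSE_WAIT
"""
NETSTAT_AON = """\
  TCP    127.0.0.1:389          127.0.0.1:14757          ESTABLISHED     1592
  TCP    127.0.0.1:14757        127.0.0.1:389            ESTABLISHED     1592
  TCP    127.0.0.1:17390        127.0.0.1:10080          CLOSE_WAIT      3840
"""
TASKLIST = """\
dns.exe                       1592 Console                 0      7,120 K
w3wp.exe                      3840 Console                 0     12,456 K
"""
IISAPP = """\
W3WP.exe PID: 1468   AppPoolId: DefaultAppPool
W3WP.exe PID: 2204   AppPoolId: ExchangeAppPool
"""
# The two ranges Malleus suggested blocking at the border.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("61.160.128.0/17", "74.52.0.0/14")]
# Service names netstat prints instead of numbers (taken from the `services` file).
SERVICE_PORTS = {"ldap": 389, "http": 80, "domain": 53, "microsoft-ds": 445}


def endpoint(ep):
    """'host:port' -> (host, port as int); the port may be a service name."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else SERVICE_PORTS.get(port))


def parse_netstat(text):
    """Parse TCP rows from either netstat form; PID is None when -o was not used."""
    conns = []
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$", line)
        if not m:
            continue
        lhost, lport = endpoint(m.group(1))
        rhost, rport = endpoint(m.group(2))
        conns.append({"lhost": lhost, "lport": lport, "rhost": rhost, "rport": rport,
                      "state": m.group(3), "pid": int(m.group(4)) if m.group(4) else None})
    return conns


def parse_tasklist(text):
    """PID -> image name; header and separator lines do not match the pattern."""
    rows = (re.match(r"(\S+)\s+(\d+)\s", line) for line in text.splitlines())
    return {int(m.group(2)): m.group(1).lower() for m in rows if m}


def parse_iisapp(text):
    """PID -> AppPoolId from the iisapp.vbs listing."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"PID:\s*(\d+)\s+AppPoolId:\s*(\S+)", text)}


def in_blocked_net(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a name, not an address
    return any(ip in net for net in BLOCKED_NETS)


def correlate(suspect="vip762.3322.org", netstat_a=NETSTAT_A, netstat_aon=NETSTAT_AON,
              tasklist=TASKLIST, iisapp=IISAPP):
    """One finding per `netstat -a` row whose displayed peer is `suspect`."""
    numeric = {(c["lport"], c["rport"]): c for c in parse_netstat(netstat_aon)}
    pids, pools = parse_tasklist(tasklist), parse_iisapp(iisapp)
    findings = []
    for c in parse_netstat(netstat_a):
        if c["rhost"] != suspect:
            continue
        n = numeric.get((c["lport"], c["rport"]))  # same socket, numeric form
        peer = n["rhost"] if n else None
        pid = n["pid"] if n else None
        proc = pids.get(pid)
        findings.append({
            "lport": c["lport"], "rport": c["rport"], "state": c["state"],
            "displayed_peer": c["rhost"], "numeric_peer": peer,
            "pid": pid, "process": proc,
            "app_pool": pools.get(pid) if proc == "w3wp.exe" else None,
            "peer_is_loopback": peer is not None and ipaddress.ip_address(peer).is_loopback,
            "peer_in_blocked_net": in_blocked_net(peer) if peer else False,
        })
    return findings


if __name__ == "__main__":
    for f in correlate():
        print(f)
```

On the constructed data every suspect row resolves to a loopback peer owned by dns.exe or w3wp.exe, and the w3wp.exe PID is absent from the app-pool listing, which is the situation TBK reports. Run the same four commands on a live box, paste their output into the four constants (or read them from files), and any row whose numeric peer is not loopback, or lands in a blocked range, is the one to take to TCPView and Process Explorer.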
TCP 127.0.0.1:14757 127.0.0.1:389 ESTABLISHED 1592=DNS.exe (by tasklist)
This first line is an LDAP query against itself. Port 389 is an LDAP query, and the DNS server pointed the way using a SRV DNS query. You are currently using the loopback address to point the DNS server to itself. It is recommended you use the actual IP address, instead of the loopback address.
TCP 127.0.0.1:17390 127.0.0.1:10080 CLOSE_WAIT 3840=W3WP.exe (by tasklist)
According to portlist:
Port 10080 is Amanda as an application:
amanda 10080/tcp Amanda
amanda 10080/udp Amanda
# John Jackson <jrj&gandalf.cc.purdue.edu>
# <amanda-core&amanda.org>
Some information on Amanda:
http://www.auditmypc.com/p
***The weird symptoms you are seeing on your network are not attributed to a virus.
You should tell us what "weird things" you are seeing that led you to believe you may have a virus and what caused you to start troubleshooting in the first place.
The strange things were the netstat -a results showing the 3322.org address being the one contacted by several ports ... as I said the netstat -aon seems to show loopback addresses rather than the 3322.org address for the same ports ... why is that?
Is the loopback being used because OpenDNS is blocking the 3322.org address? If so, then as I said, whatever it is, it is fairly well sandboxed at the moment ...
Look under IPconfig /all
If your preferred DNS server list (primary &/or secondary) is the loopback address, these DNS queries will go to that loopback address.
If the preferred DNS servers are your IP addresses of the server, the DNS query shouldn't be your loopback address. In this instance, you may have had someone intercept a DNS packet. Then, they changed a few things on the header. Then, they queried your server. This is known as a DNS DDoS attack. However, you probably have your DNS server set to answer queries it is authoritative for. If that's the case, your server will drop the packets if the DNS headers were changed to answer queries for yadah,yadah.yadah.org.
yes the servers run DNS and are authoritative for their own domains as far as the internal domain goes ... anything for external is forwarded to OpenDNS thru DNS Forwarders, and OpenDNS has blacklisted 3322.org for all of my servers ...
I don't think anyone would've intercepted internal queries as that would never have left the internal network, and port 53 is not open incoming thru the NAT firewall router ...
I think whatever this is at the moment is benign and/or sandboxed via DNS so I'm not going to worry about it too much for now and will work on reloading the OS and data on these servers 1 at a time until they are clear ... I was hoping that someone would be able to shed some more light on what it might possibly be; all good ideas and I will split the points between everyone who offered advice - thanks all !!!
by: MikeHolcomb, posted on 2009-10-31 at 14:26:16, ID: 25711609
Based on the domain name involved and your lack of success with current anti-virus solutions, I would suspect that a type of trojan/rootkit has possibly been installed on the system. I would suggest testing the systems with F-Secure's Blacklight application (http://www.f-secure.com/en_EMEA/products/technologies/blacklight/) to see if it detects any aspect of a hidden rootkit on the systems.
Hope this helps...
Mike