Microsoft Server 2003 Hacked AGAIN - Is being used for spamming - HijackThis log file included

Posted on 2007-09-27
Last Modified: 2016-10-27
Hello,

Our Windows 2003 server has been hacked AGAIN. We just went through this 2 months ago. I have done 2 virus scans and cleaned what they could find, and also disabled and deleted suspicious-looking files.

However, we are still being flagged as "Spammers" on

http://www.spamhaus.org/query/bl?ip=69.90.73.30

so something is still not right. (It may not come up if you check the link, as I am going to request a de-listing again... but it will no doubt happen again until I figure out what is going on.)

One question I have first is... SHOULD WE BLOCK PORT 25?

And if the answer is yes... how do we do that?

Here is our HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 10:53:55 PM, on 9/27/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\3ware\3DM\3dmd.exe
C:\Program Files\AMCC\3DM2\3dm2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEHTTPS.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MEIMAPS.exe
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MELSC.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEMTA.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOC.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOPC.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MERADMS.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\nagios\Win_2k_XP_Bin\pNSClient.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\METray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3ware\3DM\3dm.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\downloaded files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.electricink.ca/home.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [METray] C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\METray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 3DM.lnk = ?
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm Startup Item.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147544667130
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158013453546
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4948/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D729357B-F14A-4E47-8F33-0315B253E217}: NameServer = 64.34.24.23,64.34.24.24
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: 3DM - Unknown owner - C:\Program Files\3ware\3DM\3dmd.exe
O23 - Service: AMCC 3DM2 (3DM2) - Unknown owner - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)
O23 - Service: Directory Index Manager (DirIndex) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\RP00\\TaskDaemon.exe
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe" -vm ControlSet001 (file missing)
O23 - Service: Galaxy Client Event Manager (ControlSet001) (GxEvMgrC(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe" -vm ControlSet001 (file missing)
O23 - Service: KasperskyTM Anti-Virus (kavsvc) - Unknown owner - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable HTTPMail Service (MEHTTPS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEHTTPS.EXE
O23 - Service: MailEnable IMAP Service (MEIMAPS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MEIMAPS.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOC.EXE
O23 - Service: MailEnable POP Connector (MEPOPCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOPC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOPS.EXE
O23 - Service: MailEnable Management Service (MERADMS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MERADMS.exe
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe" -n1 (file missing)
O23 - Service: Network Security Protocol Service (NetSecManager) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\NetSec.exe (file missing)
O23 - Service: Nagios Agent (NSClient) - ClearCentral Software Inc - C:\Program Files\nagios\Win_2k_XP_Bin\pNSClient.exe
O23 - Service: PleskControlPanel - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Plesk Miscellaneous Service (pleskmiscsrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\MySQL\Data\my.ini" PleskSQLServer (file missing)
O23 - Service: Plesk Management Service (plesksrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe" -run (file missing)
O23 - Service: Plesk PopPass Service (PopPassD) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe" -run (file missing)
O23 - Service: Profile Manager (ProfileMgr) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\RP00\\TaskDaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\Plesk\WinSiteBuilder\docroot\sitebuilder.exe" -x (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe" -service (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe" //RS//Tomcat5 (file missing)



Thanks

Kirk


Question by:electricink
LVL 3

Expert Comment

by:NoodlesWIU
ID: 19976250
You should be blocking port 25 from every machine but your mail server. There is generally no real need for other machines to send out SMTP traffic independently rather than through your mail server. So block port 25 outbound for all clients except your mail server.
LVL 3

Expert Comment

by:NoodlesWIU
ID: 19976256
You can try to get delisted, but the easier solution is to change the IP address your mail server is sending out on. If you have a pool of IPs I would highly recommend this, as trying to get off blacklists is a pain! What type of firewall are you using?
LVL 9

Expert Comment

by:QBRad
ID: 19976262
If you block port 25, this will block mail in the direction you block, and therefore you will not be able to send and/or receive. Is that what you want? Most likely not if you host your mail.
LVL 9

Expert Comment

by:QBRad
ID: 19976267
Sorry, Noodles answered; I was a little late.
LVL 3

Expert Comment

by:NoodlesWIU
ID: 19976268
If you do that, make sure to change your DNS to the corrected IP address, and also contact your service provider to ask them to update your PTR record.

LVL 8

Expert Comment

by:static-void
ID: 19976293
You will also need your domain's MX record updated if you do this...
LVL 3

Expert Comment

by:NoodlesWIU
ID: 19978067
Thought I added that in my comment, but I guess I forgot to; thank you, static. The MX record, as he stated, will also need to be updated.
LVL 18

Expert Comment

by:Johnjces
ID: 19993168
I am curious. What piece of malware got into your server to send out these spams?

John
Author Comment

by:electricink
ID: 19993332
We STILL do not know... we are continuing to battle this problem :(
LVL 18

Expert Comment

by:Johnjces
ID: 19993409
Have you run Microsoft's Malicious Software Removal Tool, mrt.exe?

And download MS Process Explorer and see what all is running:

http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

and...

See if you have been hacked via a rootkit; download and install

http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Just a couple of thoughts, if you haven't tried them.

John
LVL 3

Expert Comment

by:NoodlesWIU
ID: 19996175
The malware didn't necessarily have to have been on the server. Any client attached to the network can become infected and send out unsolicited SMTP traffic without going through the server. Were you previously blocking port 25 outbound for all traffic other than your mail server on your firewall, or did you have port 25 outbound open for any client to send out on?
Author Comment

by:electricink
ID: 19996247
We still have port 25 open.

I would welcome instruction on how to close it but still allow email from domains hosted on our server, if that is possible.
LVL 3

Expert Comment

by:NoodlesWIU
ID: 19999457
What type of firewall are you using: an ISA server, a PIX, etc.? We can help show you how to tighten the firewall up so as to disallow OUTBOUND SMTP traffic from all nodes on your network except your legitimate mail server(s).

i.e., a workstation generally should not be sending SMTP traffic out to the world; that's the responsibility of the mail server. Clients such as Outlook will communicate directly with the mail server, and the server sends/receives SMTP mail to and from the outside world.

If a workstation is sending SMTP traffic directly to the Internet without going through your mail server, it is a good probability that the machine is compromised and sending out unsolicited SPAM.

LVL 3

Accepted Solution

by:NoodlesWIU (earned 2000 total points)
ID: 19999552
If you don't block SMTP traffic outbound for simple nodes, no matter how many blacklists or RBLs you try to get yourself taken off of, or how many times you change your mail server's external IP, you're going to be right back on those lists, because the potential of an infected node is still out there tarnishing your WAN IP as a SPAMMER. By blocking this port you can resolve the issue quickly.

After doing that, change your WAN IP for your mail server and update the appropriate A, MX, and PTR records as mentioned earlier. After you do this, your problem of being tagged as a SPAMMER will stop, but you will then have to go and thoroughly inspect your workstations and do virus/malware scans.

This is why I don't allow personal laptops to attach to our network. Any Joe Schmo can hook up to the network, be infected and send out this type of SPAM, and never even know it! But by blocking SMTP outbound, you're ensuring that this type of traffic won't get out and potentially flag your WAN IP as SPAM.
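The rule in the accepted answer is that only the mail server should originate SMTP to the Internet; every other internal host seen connecting to TCP/25 outside the LAN is a spam-relay suspect. As an added example (not from any poster on this thread), the Python below applies that rule as a detection check over a constructed firewall log in the W3C layout Windows Firewall writes to pfirewall.log. The LAN range 10.0.0.0/8, the mail server 10.0.0.25 and the sample log lines are all assumptions made for the example.

```python
"""Flag internal hosts that send SMTP (TCP/25) straight to the Internet
without being an approved mail server.

Constructed example: the log below is made up, in the W3C-style layout that
Windows Firewall uses (a '#Fields:' header names the columns). Records are
keyed by those header names, so a log with a different column order also parses.
"""
import ipaddress
from collections import Counter

# Constructed sample log. 10.0.0.25 is the legitimate mail server (assumption);
# 10.0.0.77 is a workstation talking SMTP directly to outside hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-09-27 22:40:01 ALLOW TCP 10.0.0.25 64.233.160.1 51002 25 0 S 0 0 0 - - - SEND
2007-09-27 22:40:02 ALLOW TCP 10.0.0.77 203.0.113.9 1034 25 0 S 0 0 0 - - - SEND
2007-09-27 22:40:02 ALLOW TCP 10.0.0.77 198.51.100.4 1035 25 0 S 0 0 0 - - - SEND
2007-09-27 22:40:03 ALLOW TCP 10.0.0.77 10.0.0.25 1036 25 0 S 0 0 0 - - - SEND
2007-09-27 22:40:04 ALLOW TCP 10.0.0.12 10.0.0.25 1122 25 0 S 0 0 0 - - - SEND
2007-09-27 22:40:05 ALLOW TCP 10.0.0.12 198.51.100.4 1123 80 0 S 0 0 0 - - - SEND
2007-09-27 22:40:06 ALLOW TCP 198.51.100.77 10.0.0.25 40001 25 0 S 0 0 0 - - - RECEIVE
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the LAN range
MAIL_SERVERS = {"10.0.0.25"}                       # assumption: hosts allowed to relay


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def rogue_smtp_senders(text, mail_servers=MAIL_SERVERS, internal=INTERNAL_NET):
    """Return {src-ip: count} for internal hosts that opened TCP/25 to an
    address outside the LAN while not being an approved mail server."""
    hits = Counter()
    for rec in parse_w3c(text):
        if rec["protocol"] != "TCP" or rec["dst-port"] != "25":
            continue
        src = ipaddress.ip_address(rec["src-ip"])
        dst = ipaddress.ip_address(rec["dst-ip"])
        # Clients submitting to the internal mail server are normal traffic;
        # only SMTP that leaves the LAN from a non-mail-server host counts.
        if src in internal and dst not in internal and str(src) not in mail_servers:
            hits[str(src)] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in sorted(rogue_smtp_senders(SAMPLE_LOG).items()):
        print(f"{host}: {n} direct outbound SMTP connection(s); not an approved mail server")
```

Run against a real pfirewall.log, any host the check reports is a candidate for the workstation scans the answer recommends, and an outbound deny on TCP/25 for everything except the mail server stops the same traffic at the perimeter.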

Author Comment

by:electricink
ID: 20069427
We are using Windows Firewall.