
Microsoft Server 2003 Hacked AGAIN - Is being used for spamming - HijackThis log file included

Hello,

Our Windows 2003 server has been hacked AGAIN. We just went through this 2 months ago. I have done 2 virus scans and cleaned what it could find and also disabled and deleted suspicious-looking files.

However, we are still being flagged as "Spammers" on

http://www.spamhaus.org/query/bl?ip=69.90.73.30

so something is still not right. (It may not come up if you check the link, as I am going to request a de-listing again... but it will no doubt happen again until I figure out what is going on.)

One question I have first is... SHOULD WE BLOCK PORT 25?

and if the answer is yes... how do we do that??

Here is our HijackThis log...


Logfile of HijackThis v1.99.1
Scan saved at 10:53:55 PM, on 9/27/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\3ware\3DM\3dmd.exe
C:\Program Files\AMCC\3DM2\3dm2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEHTTPS.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MEIMAPS.exe
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MELSC.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEMTA.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOC.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOPC.EXE
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MERADMS.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\nagios\Win_2k_XP_Bin\pNSClient.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\METray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3ware\3DM\3dm.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\downloaded files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.electricink.ca/home.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [METray] C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\METray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 3DM.lnk = ?
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm Startup Item.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147544667130
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158013453546
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4948/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D729357B-F14A-4E47-8F33-0315B253E217}: NameServer = 64.34.24.23,64.34.24.24
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: 3DM - Unknown owner - C:\Program Files\3ware\3DM\3dmd.exe
O23 - Service: AMCC 3DM2 (3DM2) - Unknown owner - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)
O23 - Service: Directory Index Manager (DirIndex) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\RP00\\TaskDaemon.exe
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe" -vm ControlSet001 (file missing)
O23 - Service: Galaxy Client Event Manager (ControlSet001) (GxEvMgrC(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe" -vm ControlSet001 (file missing)
O23 - Service: KasperskyTM Anti-Virus (kavsvc) - Unknown owner - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable HTTPMail Service (MEHTTPS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEHTTPS.EXE
O23 - Service: MailEnable IMAP Service (MEIMAPS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MEIMAPS.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOC.EXE
O23 - Service: MailEnable POP Connector (MEPOPCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOPC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MEPOPS.EXE
O23 - Service: MailEnable Management Service (MERADMS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\Bin\MERADMS.exe
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\PROGRA~1\SWsoft\Plesk\MAILSE~1\MAILEN~1\BIN\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe" -n1 (file missing)
O23 - Service: Network Security Protocol Service (NetSecManager) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\NetSec.exe (file missing)
O23 - Service: Nagios Agent (NSClient) - ClearCentral Software Inc - C:\Program Files\nagios\Win_2k_XP_Bin\pNSClient.exe
O23 - Service: PleskControlPanel - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Plesk Miscellaneous Service (pleskmiscsrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\MySQL\Data\my.ini" PleskSQLServer (file missing)
O23 - Service: Plesk Management Service (plesksrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe" -run (file missing)
O23 - Service: Plesk PopPass Service (PopPassD) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe" -run (file missing)
O23 - Service: Profile Manager (ProfileMgr) - Unknown owner - C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\RP00\\TaskDaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\Plesk\WinSiteBuilder\docroot\sitebuilder.exe" -x (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe" -service (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe" //RS//Tomcat5 (file missing)



Thanks

Kirk


Asked: electricink
1 Solution
 
NoodlesWIUCommented:
You should be blocking port 25 from every machine but your mail server. There is generally no real need for other machines to send out SMTP traffic independently rather than through your mail server. So block port 25 outbound for all clients except your mail server.
0
 
NoodlesWIUCommented:
You can try and get delisted, but the easier solution is to change the IP address your mail server is sending out on. If you have a pool of IPs I would highly recommend this, as trying to get off blacklists is a pain! What type of firewall are you using?
0
 
QBRadCommented:
If you block port 25 this will block mail in the direction you block, and therefore you will not be able to send and/or receive. Is that what you want? Most likely not if you host your mail.
0
 
QBRadCommented:
Sorry, Noodles answered a little late.
0
 
NoodlesWIUCommented:
If you do that, make sure to change your DNS to the corrected IP address, and also contact your service provider to ask them to update your PTR record.

0
 
static-voidCommented:
You will also need your domain's MX record updated if you do this.
0
 
NoodlesWIUCommented:
Thought I added that in my comment, but I guess I forgot to, thank you static.  The MX record as he stated will also need to be updated.
0
 
JohnjcesCommented:
I am curious. What piece of malware got into your server to send out these spams?

John
0
 
electricinkAuthor Commented:
We STILL do not know... we are continuing to battle this problem :(
0
 
JohnjcesCommented:
Have you run Microsoft's Malicious Software Removal Tool, mrt.exe?

And download and see what all is running using MS Process Explorer:

http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

and...

See if you have been hacked via a rootkit: download and install

http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Just a couple of thoughts if you haven't tried them.

John
0
 
NoodlesWIUCommented:
The malware didn't necessarily have to have been on the server. Any client attached to the network can become infected and send out unsolicited SMTP traffic, without going through the server. Were you previously blocking port 25 outbound for all traffic other than your mail server on your firewall, or did you have port 25 outbound open for any client to send out on?
0
 
electricinkAuthor Commented:
We still have port 25 open.

I would welcome instruction on how to close it but still allow email from domains hosted on our server, if that is possible?
0
 
NoodlesWIUCommented:
What type of firewall are you using, an ISA server, a PIX, etc.? We can help show you how to tighten the firewall up so as to disallow OUTBOUND SMTP traffic from all nodes on your network except your legitimate mail server(s).

I.e., a workstation generally should not be sending SMTP traffic out to the world; that's the responsibility of the mail server. Clients such as Outlook will communicate directly with the mail server, and the server sends/receives SMTP mail to and from the outside world.

If a workstation is sending SMTP traffic directly to the Internet without going through your mail server, there is a good probability that the machine is compromised and sending out unsolicited SPAM.
0
 
NoodlesWIUCommented:
If you don't block SMTP traffic outbound for simple nodes, no matter how many blacklists or RBLs you try and get yourself taken off of, or how many times you change your mail server's external IP, you're going to be right back on those lists, because the potential of an infected node is still out there tarnishing your WAN IP as a SPAMMER. By blocking this port you can resolve the issue quickly.

After doing that, change your WAN IP for your mail server and update the appropriate A, MX, and PTR records as mentioned earlier. After you do this, your problem of being tagged as a SPAMMER will stop, but you will then have to go and thoroughly inspect your workstations and do virus/malware scans.

This is why I don't allow personal laptops to attach to our network. Any Joe Schmo can hook up to the network, be infected and send out this type of SPAM, and never even know it! But by blocking SMTP outbound, you're ensuring that this type of traffic won't get out and potentially flag your WAN IP as SPAM.
0
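One way to find the infected node Noodles describes before (or after) the outbound block is in place, as an added example that is not code from this thread: a Python script that reads Windows Firewall log lines and reports every internal host other than the mail server that opens TCP/25 to the Internet. It assumes the pfirewall.log field layout, a constructed LAN of 192.168.1.0/24 and 192.168.1.10 as the only legitimate mail server; the log lines are constructed, not a real capture.

```python
import ipaddress
from collections import Counter

MAIL_SERVERS = {"192.168.1.10"}   # assumed: the only host allowed to send SMTP to the Internet
LAN = "192.168.1.0/24"            # assumed internal address range

# Constructed sample in the pfirewall.log field layout (not a real capture). 192.0.2.x and
# 198.51.100.x are documentation addresses standing in for Internet mail hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-09-27 22:10:01 OPEN TCP 192.168.1.10 192.0.2.25 3412 25 - - - - - - - - SEND
2007-09-27 22:10:02 OPEN TCP 192.168.1.37 192.0.2.25 1045 25 - - - - - - - - SEND
2007-09-27 22:10:02 OPEN TCP 192.168.1.37 198.51.100.7 1046 25 - - - - - - - - SEND
2007-09-27 22:10:03 OPEN TCP 192.168.1.37 192.168.1.10 1047 25 - - - - - - - - SEND
2007-09-27 22:10:04 OPEN TCP 192.168.1.52 192.168.1.10 1200 143 - - - - - - - - SEND
2007-09-27 22:10:05 OPEN TCP 198.51.100.7 192.168.1.10 40000 25 - - - - - - - - RECEIVE
"""

def parse(log_text):
    """Yield (src_ip, dst_ip, dst_port, proto) per data row; skip headers and malformed rows."""
    for line in log_text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 8:
            continue
        try:
            yield ipaddress.ip_address(f[4]), ipaddress.ip_address(f[5]), int(f[7]), f[3]
        except ValueError:   # "-" or garbage in an address/port field
            continue

def rogue_smtp_senders(log_text, mail_servers=MAIL_SERVERS, lan=LAN):
    """Count direct outbound TCP/25 connections per LAN host that is not a mail server.
    Client-to-internal-mail-server SMTP (e.g. Outlook submitting mail) is not flagged."""
    allowed = {ipaddress.ip_address(m) for m in mail_servers}
    net = ipaddress.ip_network(lan)
    hits = Counter()
    for src, dst, dport, proto in parse(log_text):
        if proto == "TCP" and dport == 25 and src in net and dst not in net and src not in allowed:
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, n in rogue_smtp_senders(SAMPLE_LOG).items():
        print(f"{host}: {n} direct outbound SMTP connection(s); not a mail server, inspect it")
```

Each host it reports is a candidate for the virus/malware inspection suggested above; the mail server's own SMTP traffic and clients submitting mail to it internally are left alone.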
 
electricinkAuthor Commented:
We are using Windows Firewall
0
Question has a verified solution.