Solved

Windows Task Manager User tab

Posted on 2008-06-12
8
855 Views
Last Modified: 2013-12-04
Checked the user tab on task manager and see microsoft in the "User" column and disconnected in the "Status" column. Anyone know what's going on?
0
Comment
Question by:lunamoonfaze
  • 4
  • 2
  • 2
8 Comments
 
LVL 13

Expert Comment

by:ScooterAnderson
ID: 21773891
That tab shows you who is connected to the server via RDP/Terminal Services.  Or in your case: who _was_ connected and has a Terminal Services session in a "Disconnected" state.  Try and right-click on it to see if you can Remote Control the session and see what was going on.
0
 

Author Comment

by:lunamoonfaze
ID: 21775255
Dropped in and found nothing good. Files found on desktop: dm.exe, ku.mmp, firefox setup 2.0.0.14.exe, smtp.csv and last but certainly not least: gammadyne mailer.
0
 
LVL 13

Expert Comment

by:ScooterAnderson
ID: 21778681
Hmmm... Just guessing - you don't have a user in your domain or on the server that's named "Microsoft", do you?  You may want to review user accounts and security on your server - it may have been hacked.  Don't know if you have a structured server security compromise gameplan, but I would consider the server compromised and get it off the network as quickly as possible and start assessing the rest of your network to make sure they haven't done anything to the rest of your servers/clients.  It's most likely they were just interested in getting/building a spambox for their purposes, but you never know...  Good Luck with this...

dm.exe    - Take a google on this, it's a known backdoor trojan
gammadyne mailer - possible whomever it was was trying to drop a mailer program on your server to make it a spam box.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 32

Accepted Solution

by:
r-k earned 125 total points
ID: 21779862
Looks like server was hacked. Here is my checklist for times like these:

(1) Examine all user accounts, disable or delete any accounts known to be fraudulent, then change passwords on all admin accounts, using at least 10 chars and avoid common names and words.

(2) Enable lockout policy on failed logins (so that an account is locked out for 10 mins. after e.g. 6 failed attempts). Note: The Administrator account cannot be locked out so make sure that has a tough and long password.

(3) Download RootkitRevealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx) and do a scan. Post the log here if it shows anything suspect. If the log is very long then just post the first 30 lines or so. Be sure to save the log in any case.

(4) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(a) Run the program. It lists a bunch of things that start when Windows starts.
(b) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.
(c) This will give you a shorter, more meaningful list.
(d) Post the log here if anything interesting.

(5) Run "netstat -ab" from a command prompt, save the output to a text file (e.g. "netstat -ab > list.txt") then examine for anything that doesn't belong. If you like you can post the suspect entries here. Replace your ip with xx.xx if needed.

(6) If you identify any files installed by the hacker, search the rest of your C: drive for any other files created/modified around that date and time. Also, rather than deleting files left behind by the hackers, move them to another disk or CD for possible later study.

(7) After things have been cleaned up, download and run MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx and do a scan and follow as many steps as reasonable.

(8) Turn off unnecessary network services.

(9) If you have a firewall, check which ports are open, and why.
0
 

Author Comment

by:lunamoonfaze
ID: 21835218
This a file server that is in use during regular business hours. My local LAN specialist is scheduled to come out next weekend. I will follow your checklist then. Thanks for the details.
0
 

Author Comment

by:lunamoonfaze
ID: 21912731
RootkitRevealer log:

HKLM\SECURITY\Policy\Secrets\gthrsvc:{505DD11A-F6DE-4559-8EA2-7B27A5457A08}*      11/2/2006 2:07 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC*      10/31/2006 4:00 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      10/31/2006 4:00 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{148f1a14-53f3-4074-a573-e1ccd344e1d0}*      10/31/2006 3:21 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      11/2/2006 1:55 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\ActEmailFile\      6/5/2007 5:13 PM      19 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\ActEmailFile\DefaultIcon\      6/5/2007 5:13 PM      39 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\ActEmailFile\shell\open\      6/5/2007 5:13 PM      21 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveUptime      6/28/2008 1:07 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveStamp      6/28/2008 1:07 PM      16 bytes      Data mismatch between Windows API and raw hive data.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML      6/28/2008 1:10 PM      4.39 KB      Hidden from Windows API.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML:PROPERTIES      6/28/2008 1:10 PM      2.02 KB      Hidden from Windows API.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML:PROPERTIES-LIVE      6/28/2008 1:10 PM      6.02 KB      Hidden from Windows API.

rootkitrevealer-log.txt
0
 
LVL 32

Expert Comment

by:r-k
ID: 21913373
You definitely don't have a rootkit. Anything interesting shown by Autoruns?
0
 

Author Closing Comment

by:lunamoonfaze
ID: 31466730
Thanks again. Your suggestions were exactly what I was looking for to know.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question