lunamoonfaze
Windows Task Manager User tab
Checked the User tab in Task Manager and see "microsoft" in the "User" column and "Disconnected" in the "Status" column. Anyone know what's going on?
That tab shows you who is connected to the server via RDP/Terminal Services. Or in your case: who _was_ connected and has a Terminal Services session in a "Disconnected" state. Try and right-click on it to see if you can Remote Control the session and see what was going on.
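The same check from the command line, as an added example that is not from this thread: parse the output of `quser` (alias `query user`) and flag sessions held by accounts you do not recognise. The sample output is constructed to mirror the situation above, and the list of expected accounts is an assumption you would replace with your own.

```python
"""Triage helper: parse `quser` output and flag RDP/Terminal Services sessions owned by
accounts the administrator does not recognise. Added example; sample output is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread: an unexpected "microsoft" account holding a
# disconnected RDP session. quser leaves SESSIONNAME blank for disconnected sessions and
# marks the caller's own session with ">", so naive whitespace splitting is unreliable.
SAMPLE_QUSER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active      none   6/28/2008 8:02 AM
 microsoft                                 2  Disc         1:07   6/27/2008 11:40 PM
 backupsvc             rdp-tcp#3           3  Active         .   6/28/2008 1:05 PM
"""

# Session name is optional; the ID is the numeric token immediately before STATE.
_ROW = re.compile(
    r"^>?\s*(?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?(?P<id>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)

def parse_quser(text: str) -> List[Dict[str, str]]:
    """Return one dict per session row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("USERNAME"):
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unparsed quser line: {line!r}")
        rows.append(m.groupdict(default=""))
    return rows

def flag_sessions(text: str, known_accounts) -> List[Tuple[str, str, str]]:
    """Flag sessions whose account is not on the administrator's expected list (assumed
    input). Returns (username, state, reason). A 'Disc' state means the user logged in
    over RDP and disconnected without logging off, so the session is still alive."""
    known = {a.lower() for a in known_accounts}
    findings = []
    for s in parse_quser(text):
        if s["user"].lower() not in known:
            reason = "unknown account with a live RDP session"
            if s["state"] == "Disc":
                reason += " (disconnected; examine before logging it off)"
            findings.append((s["user"], s["state"], reason))
    return findings

if __name__ == "__main__":
    for user, state, reason in flag_sessions(SAMPLE_QUSER, ["administrator", "backupsvc"]):
        print(f"{user:<16}{state:<8}{reason}")
```

On a live server, pipe the real output in with `quser > sessions.txt` and pass the file contents instead of the sample.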
ASKER
Dropped in and found nothing good. Files found on desktop: dm.exe, ku.mmp, firefox setup 2.0.0.14.exe, smtp.csv and last but certainly not least: gammadyne mailer.
Hmmm... Just guessing - you don't have a user in your domain or on the server that's named "Microsoft", do you? You may want to review user accounts and security on your server - it may have been hacked. Don't know if you have a structured server security compromise gameplan, but I would consider the server compromised and get it off the network as quickly as possible and start assessing the rest of your network to make sure they haven't done anything to the rest of your servers/clients. It's most likely they were just interested in getting/building a spambox for their purposes, but you never know... Good Luck with this...
dm.exe - Take a google on this, it's a known backdoor trojan
gammadyne mailer - possibly whoever it was was trying to drop a mailer program on your server to make it a spam box.
ASKER CERTIFIED SOLUTION
ASKER
This is a file server that is in use during regular business hours. My local LAN specialist is scheduled to come out next weekend. I will follow your checklist then. Thanks for the details.
ASKER
RootkitRevealer log:
HKLM\SECURITY\Policy\Secrets\gthrsvc:{505DD11A-F6DE-4559-8EA2-7B27A5457A08}* 11/2/2006 2:07 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 10/31/2006 4:00 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 10/31/2006 4:00 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{148f1a14-53f3-4074-a573-e1ccd344e1d0}* 10/31/2006 3:21 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 11/2/2006 1:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\ActEmailFile\ 6/5/2007 5:13 PM 19 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\ActEmailFile\DefaultIcon\ 6/5/2007 5:13 PM 39 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\ActEmailFile\shell\open\ 6/5/2007 5:13 PM 21 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveUptime 6/28/2008 1:07 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveStamp 6/28/2008 1:07 PM 16 bytes Data mismatch between Windows API and raw hive data.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML 6/28/2008 1:10 PM 4.39 KB Hidden from Windows API.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML:PROPERTIES 6/28/2008 1:10 PM 2.02 KB Hidden from Windows API.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML:PROPERTIES-LIVE 6/28/2008 1:10 PM 6.02 KB Hidden from Windows API.
rootkitrevealer-log.txt
You definitely don't have a rootkit. Anything interesting shown by Autoruns?
ASKER
Thanks again. Your suggestions were exactly what I needed to know.