Solved

Computer trying to create remote file share every day around 2:30AM.  How can I find the program trying to do this?

Posted on 2008-06-20
Last Modified: 2013-12-04
I have a machine apparently trying to create a remote file share to an address on the Internet.  The web address is a legitimate site (a local school district).  We caught this on our perimeter FW as we block all outbound NETBIOS/TCP and port 445 connections.  We have since blocked all traffic to the IP address using our interior firewall.  Any suggestions of what could be trying to make the connections?  How do I locate the offending program?

We run a managed Symantec Corp. Ed. vscan, and the machine shows as clean.  The machine is also attached to a domain, and is assigned restricted user rights (cannot install programs).  

I ran X-NETSTAT on the machine to see if I could locate the process initiating the connections.  Here are the relevant log entries:

[2:36:03 AM] New   : www.sjsd.k12.mo.us            <3852/139>   (Syn sent)    [System]
[2:36:23 AM] New   : www.sjsd.k12.mo.us            <3853/80>    (Syn sent)    [svchost.exe]
[2:36:48 AM] New   : www.sjsd.k12.mo.us            <3854/445>   (Syn sent)    [System]
[2:36:53 AM] New   : www.sjsd.k12.mo.us            <3855/139>   (Syn sent)    [System]
[2:38:14 AM] New   : www.sjsd.k12.mo.us            <3867/445>   (Syn sent)    [System]
[2:38:19 AM] New   : www.sjsd.k12.mo.us            <3868/139>   (Syn sent)    [System]
[2:38:39 AM] New   : www.sjsd.k12.mo.us            <3871/80>    (Syn sent)    [svchost.exe]
[2:39:04 AM] New   : www.sjsd.k12.mo.us            <3872/445>   (Syn sent)    [System]
[2:39:09 AM] New   : www.sjsd.k12.mo.us            <3873/139>   (Syn sent)    [System]

I also ran a Windows utility (wmic.exe) to see which processes/tasks were calling svchost.  The files are attached.

There was a share created in Network Neighborhood, which has been removed, and all references to the URL and IP address in the registry have been removed.


ProcessList.txt
taskList.txt
Question by:ifbmaysville
30 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 21832887
I'll review the Process and Tasklists in a few minutes, but it would help if you can attach a HijackThis log from the offending computer.

Download HijackThis from http://www.hijackthis.de/
(use the "direct download" link in the upper-right corner)
Unzip to any folder on your hard drive (other than the desktop)
Run the program by double-clicking on the HijackThis.exe file.
Click on "Do a System Scan.."
Copy-and-paste the resulting log here.

Thanks.
0
 

Author Comment

by:ifbmaysville
ID: 21833245
Here is the HijackThis log.  I have redacted entries that contained local domain and user information.

Thanks!

JS
hijackthis.log
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 100 total points
ID: 21833303
The HJT log is clean (you can check yourself by posting it back to http://www.hijackthis.de/ if you like).

The task and process lists you posted earlier also seem normal.

Is it possible you're looking at the wrong machine, i.e. some other machine may be the culprit?

If you're sure that you have the right machine, then we should consider a rootkit. Try RootkitRevealer on that machine:

Download and run RootkitRevealer from: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
and click on "Scan" to scan your drives.
It takes a while, so be patient.
Try not to use the system too much during that time to avoid false positives.
If it produces anything interesting, use "File -> Save As.." to save the
results to a text file (Important -> you may need that file later)
Copy-and-paste the results here, but if the results are very long, then just copy-and-paste the
first 30 lines or so.
0
 

Author Comment

by:ifbmaysville
ID: 21833722
It's definitely the correct machine.  The MAC address in the FW log matches the MAC address of the Ethernet adapter on the machine in question.

I'll try out the rootkit detection utility.  Will have to wait until this evening.

Thanks!

JS
0
 
LVL 7

Accepted Solution

by:
Dauhee earned 400 total points
ID: 21837691
you can use sysinternals procmon.exe - just start the monitoring tool just before the mapping is to take place and then press the capture button to stop further checking after the attempt has been made - that will give you the process, registry and file interrogations etc
0
 

Author Comment

by:ifbmaysville
ID: 21838101
I ran both Sysinternals rootkitrevealer and Sophos Anti-Rootkit.  Neither had anything of interest:
________
rootkitrevealer:

HKLM\SECURITY\Policy\Secrets\SAC*      8/12/2004 12:36 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      8/12/2004 12:36 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed      6/21/2008 8:30 AM      80 bytes      Data mismatch between Windows API and raw hive data.
C:\WINDOWS\Temp\TMP0000052890532BBD70A32496      6/21/2008 8:38 AM      512.00 KB      Hidden from Windows API.
_________________________
Sophos:

Area:      Windows registry
Description:      Hidden registry key
Location:      \HKEY_USERS\S-1-5-21-1409082233-1592454029-682003330-1113\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.local:8080/weblogpub/information_technology_1171065380/attach?type=direct&act=binfile&prm=s%2Ba1tdq8tLPksLDg5trh6ubatdrkvea1tLK04w%3D%3D
Removable:      No
Notes:      (no more detail available)

Area:      Windows registry
Description:      Hidden registry key
Location:      \HKEY_USERS\S-1-5-21-1409082233-1592454029-682003330-1113\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.local:8080/weblogpub/information_technology_1171065380/attach?type=direct&act=binfile&prm=tLy9tbXatrewtrLnvLPa4erm2rXa4ba05L20t70%3D
Removable:      No
Notes:      (no more detail available)
(these appear to be entries related to our internal blog server)
_______________________

Thanks for the procmon.exe idea -- I'll try to run that tonight.

JS

0
 
LVL 7

Assisted Solution

by:Dauhee
Dauhee earned 400 total points
ID: 21838156
oh just thought you could try "openfiles" also - if there is a process that you suspect from procmon.exe (could even be a native windows one), you might see some unusual file activity - often when a system has been compromised, data is recorded somewhere on the filesystem - openfiles may point you to where that is (if it is a malicious threat)
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 100 total points
ID: 21838195
Try Autoruns also:

(1) Download Autoruns from: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Post it here.

Thanks.

0
 

Author Comment

by:ifbmaysville
ID: 21838568
I've already been through all the startup info using msconfig and spybot s&d.  However, I'll run the utility to see how it works.  Might be a better alternative to msconfig.  I'll post the results.

FYI, I converted the URL and IP address to hex strings, and did a registry search for the values, just to see if it was being hidden that way.  May do a full file search as well.

Thanks!

JS
0
 
LVL 32

Expert Comment

by:r-k
ID: 21839507
Thanks for the update. Autoruns is much more complete than msconfig, spybot, or HJT. I am hoping something will show there, perhaps in the scheduled tasks section (you did check that already, I hope).
0
 
LVL 32

Expert Comment

by:r-k
ID: 21839510
As an option, if possible, you can install the free version of ZoneAlarm on that PC. By default it blocks outgoing connections and lets you know with a warning as well as saves a log. May pin it down further.
0
 

Author Comment

by:ifbmaysville
ID: 21850920
I ran the autoruns utility today.  I did not suspect a "scheduled" event, as it does not happen at the same time every AM.  It is within the time frame of 2:30 and 3:30 AM, but the exact time of starting/ending is always different.  
Find attached the autoruns file.
Have not run procmon yet:  looking for a way to automate.
The X-Netstat program I ran basically did what Z-Alarm would do -- it logged every outgoing connection, including  the addresses, local and remote ports, and processes calling the connection.  It can also be set to block, but I have that taken care of at the firewall.

Thanks!

JS

AutoRuns.txt
0
 

Author Comment

by:ifbmaysville
ID: 21901662
Got sidetracked with other tasks.  Worked on this some over the weekend.  Found a shortcut to an .rtf file that linked back to the address (school newsletter).  Deleted it, but it did not fix the issue.

Changed the time on machine to see if I could get the event to trigger so I could capture w/ procmon, but that did not work either.   Looks like it's a 2:30AM trip into the office to capture manually.

Thanks for the assistance.  I will post the procmon results tomorrow.

JS

0
 

Author Comment

by:ifbmaysville
ID: 21910507
Ran procmon in conjunction w/ X-Netstat.  Set X-Netstat to start procmon.exe whenever www.sjsd.k12.mo.us attempted a connection.  I have attached a capture file edited to correlate to the following X-Netstat entry (rename file from .log to .pml and open in procmon):

[3:06:15 AM] New   : www.sjsd.k12.mo.us  <3972/80>    (Syn sent)    [svchost.exe]

Notice where the X-Netstat calls the procmon.exe file -- this is where the connection attempt is taking place.  I had to disable the rule as it continued to open instances of procmon.  I kept only the first window spawned open.

I am thinking the connection attempt is being spawned by the Farstone Drive Clone program?

Thanks!

JS
Logfile.log
0
 
LVL 7

Expert Comment

by:Dauhee
ID: 21919181
I appear to have a different version of procmon.exe (incompatible version error) and can't open up the file unfortunately (after changing extension)

you have probably already proceeded to disable the Farstone Drive Clone program & related services and will see next time if there is any nocturnal browsing activity :)
0

Author Comment

by:ifbmaysville
ID: 21919386
Actually, I ran the "openfiles" utility last night.  I set X-Netstat to open a batch file with the command "C:\windows\system32\openfiles >> c:\openfiles.txt" whenever the event triggered.  Hoped to be able to compare the open files over a series of events.  Unfortunately, I forgot to enable "local" on the machine.  Will fix my mistake and try again tonight.

Did not uninstall the DriveClone yet as I did not want to taint the results of the openfiles, in case DriveClone is manipulating an infected file.  Need to make sure I have the root cause.

Thanks!

JS
0
 

Author Comment

by:ifbmaysville
ID: 21919450
I double checked the procmon file I attached to make sure it was not corrupted during upload.  It works fine on the version of procmon I am running: Process Monitor v. 1.33.  

Thanks!

JS
0
 
LVL 7

Expert Comment

by:Dauhee
ID: 21920333
ah I have v 1.3.5 and can't find the older version - would have expected backwards compatibility!!
0
 

Author Comment

by:ifbmaysville
ID: 22036579
I uninstalled the Farstone DriveClone, but it did not solve the problem.  However, I also was able to run the openfiles utility.  File is attached.  

Any ideas on where to look now?

Thanks,

JS







openfiles080717.txt
0
 
LVL 7

Expert Comment

by:Dauhee
ID: 22041941
cool will take a look :)
0
 
LVL 7

Assisted Solution

by:Dauhee
Dauhee earned 400 total points
ID: 22042016
apologies but I couldn't determine if there was any abnormal activity from the output. I was unable to get my hands on the correct version of procmon.exe to view the output - I would be hopeful that there is something useful/lurking in there.

Just wondering if you have auditing turned on - sometimes in the security event log you can see activity such as other machines connecting - just in case it was something crazy like a scheduled task on another machine doing some sort of rpc call - if not if you could turn on extended security auditing for the 2:30 activity.

for example using sysinternals psexec to launch a command on a remote machine

The fact it's not a malicious site would indicate it's something silly (but incredibly complicated!) in a configuration - if not on the actual server it could be something remote! winmgmt comes under the umbrella of svchost so could also be WMI call, again done remotely.

(Just jotting a few things down, may not be able to answer any more questions in the next while)

Best of luck!
0
 

Author Comment

by:ifbmaysville
ID: 22043023
Thank you.  Didn't think about checking the event logs and comparing with my other data.  They are turned on, though I need to expand the data they log.

There are several mapped drives to the DC, as well as a few shared printers.  I'll check out the RPC idea -- it's a possibility.  However, I don't see how it could be coming from the www.sjsd.k12.mo.us site.  We have cascading SPI firewalls in place, and I have the IP address blocked outbound (so no holes can be opened).

JS
0
 
LVL 7

Expert Comment

by:Dauhee
ID: 22043135
Hi JS,

Was thinking more along the lines of possibility something within your lan such as another user computer or server initiating the action.
0
 

Author Comment

by:ifbmaysville
ID: 22043330
Thanks for the follow-up, Dauhee.  There are several computers that use a shared printer on this machine, as well as this machine mapping drives and using printers on a DC.  I'm checking out the DC today.

Checked out the audit logs.  Nothing there that corresponded to the X-Netstat logs.  However, there were a few other errors (DCOM, SceCli) that I cleaned up.  Turned on Process Auditing for over the weekend.  See if that reveals anything.

Also, I turned off system restore to delete any restore points.  Always a good policy when cleaning up a virus; figured it couldn't hurt.

Thanks for the input!  Sorry this is so extended.  One man IT dept covering 3 locations.  Keeps me busy.

JS
0
 

Author Comment

by:ifbmaysville
ID: 22043490
I believe we have discovered the culprit:

Poring over the openfiles log, I noted Windows Defender running at the same time the event was happening (the MSASCui.exe file).  On a wild hair, I ran a manual, full Windows Defender scan yesterday afternoon.  I had to leave before it finished.  This AM, I forgot to check my fw logs from yesterday afternoon to see if any activity triggered.  It did @ 17:56:09 through 18:04:40.  The WinDef scan ended @ 17:59:42.  Looks like it is the trigger.

Checking back in the system logs on the machine, WinDef starts a scan between 1:40AM and 2:10AM and ends between 2:39AM and 3:15AM, the same time frame the event triggers every AM.

I'm guessing when it scans system restore points, it hits a copy of the shortcut to the online newsletter @ www.sjsd.k12.mo.us.  It tries to call the newsletter so it can scan, triggering the attempt to map the resource.  Now I'm wishing I had not deleted the restore points so quickly -- I'd like to test again.

I am starting another manual, full WinDef scan now.  Hopefully, we have no access attempts.  If we do, at least we have a new starting point...  

Thanks again!

JS
0
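An added example, not code from this thread or from any of the tools named in it: it parses X-Netstat lines in the layout quoted in the question and then intersects several openfiles snapshots (one taken at each triggered event) against a quiet baseline, which is the correlation JS describes above. The snapshot contents, the second host name and the three-column layout assumed for `openfiles /query /fo csv` are constructed or assumed; MSASCui.exe and newsletter_temp.lnk are the names given in this thread.

```python
import csv
import io
import re
# Constructed sample in the X-Netstat layout quoted in the question (not a real capture).
XNETSTAT_LOG = """
[2:36:03 AM] New   : www.sjsd.k12.mo.us            <3852/139>   (Syn sent)    [System]
[2:36:23 AM] New   : www.sjsd.k12.mo.us            <3853/80>    (Syn sent)    [svchost.exe]
[2:36:48 AM] New   : www.sjsd.k12.mo.us            <3854/445>   (Syn sent)    [System]
[2:41:10 AM] New   : update.example.internal       <3860/80>    (Syn sent)    [svchost.exe]
"""
LINE_RE = re.compile(
    r"\[(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\]\s+New\s*:\s+(?P<host>\S+)\s+"
    r"<(?P<lport>\d+)/(?P<rport>\d+)>\s+\((?P<state>[^)]*)\)\s+\[(?P<proc>[^\]]*)\]"
)

def parse_xnetstat(text):
    """One dict per 'New' connection line; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, map(str.strip, text.splitlines())) if m]

def share_mapping_attempts(events, host):
    """Attempts to reach `host` on NetBIOS/SMB (139/445): the share-mapping tries the firewall saw."""
    return [e for e in events if e["host"] == host and e["rport"] in ("139", "445")]

# Constructed snapshots in the layout assumed for `openfiles /query /fo csv` run locally
# (needs `openfiles /local on` first, as the thread notes): one quiet baseline, one per event.
BASELINE = r"""
"ID","Process Name","Open File (Path\executable)"
"8","explorer.exe","C:\Documents and Settings\user\Recent"
"24","svchost.exe","C:\WINDOWS\system32"
"""
EVENT_1 = r"""
"ID","Process Name","Open File (Path\executable)"
"8","explorer.exe","C:\Documents and Settings\user\Recent"
"24","svchost.exe","C:\WINDOWS\system32"
"61","MSASCui.exe","C:\Documents and Settings\user\Recent\newsletter_temp.lnk"
"""
EVENT_2 = r"""
"ID","Process Name","Open File (Path\executable)"
"8","explorer.exe","C:\Documents and Settings\user\Recent"
"24","svchost.exe","C:\WINDOWS\system32"
"70","notepad.exe","C:\openfiles.txt"
"77","MSASCui.exe","C:\Documents and Settings\user\Recent\newsletter_temp.lnk"
"""
def parse_openfiles(csv_text):
    """Map each process name in a snapshot to the set of paths it holds open."""
    rows = list(csv.reader(io.StringIO(csv_text.strip())))
    opened = {}
    for _id, proc, path in rows[1:]:  # skip the header row
        opened.setdefault(proc, set()).add(path)
    return opened

def suspects(baseline, event_snapshots):
    """Processes present in every event snapshot but absent from the quiet baseline, with their open files."""
    if not event_snapshots:
        return {}
    base = set(parse_openfiles(baseline))
    snaps = [parse_openfiles(s) for s in event_snapshots]
    common = set.intersection(*(set(s) for s in snaps)) - base
    return {p: set.union(*(s[p] for s in snaps)) for p in sorted(common)}
```

A process that turns up in every event snapshot but never in the baseline is the one to examine first; here that is the scanner holding a .lnk open, which matches what the author eventually found.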
 
LVL 7

Expert Comment

by:Dauhee
ID: 22043645
wow you're a 1 man army the 3 sites are lucky to have you!! very interesting about WinDef. I won't speak too soon until you get confirmation on the results :) If that is the issue, I'll be sticking it in my black book. Reminds me of the time I found a port-blocking issue with google desktop . . . . .

0
 

Author Comment

by:ifbmaysville
ID: 22052902
Here's what we know after the weekend:

Windows Defender is the trigger.  It is a reproducible event.

My early guess as to why is incorrect.  Even with the restore points gone, the call to the remote site still occurred.

Today, I searched the DC for the URL.  It showed up in a shared folder used for backups by the offending machine (Favorites backup).  I deleted the shortcuts and rescanned the machine.  It is still making the remote call.

At least we know the trigger, and it is reproducible.  

I've researched how WinDef logs its scans, but cannot find anywhere how to make it log every file it scans with a timestamp.  The histories show only suspect or infected files that were scanned.

Thanks!

JS
0
 

Author Closing Comment

by:ifbmaysville
ID: 31469221
Thanks for the suggestions and ideas on tracking this issue down.  At least I now know what is triggering it.  Should be able to handle it from here.  Will post a follow-up when I have found the actual culprit.  At least it is benign!
0
 

Author Comment

by:ifbmaysville
ID: 22245343
Here's the final resolution:

I had to run Windows Defender manually, progressively deselecting scanned directories.  I finally got the scan down to the user's profile, the "My Recent Documents" folder.

There was a shortcut located there named "newsletter_temp.lnk."

That shortcut linked to a newsletter located at www.sjsd.k12.mo.us.  Whenever Windows Defender scanned, it would try to call the newsletter so it could scan it.

I removed the shortcut, and a subsequent WinDef scan did not trigger the event.

You were correct, Dauhee -- something silly, but difficult to find.

Many thanks!

JS
0
 
LVL 7

Expert Comment

by:Dauhee
ID: 22271414
Hi ifbmaysville,

Much appreciated for the update! I certainly won't forget that one in a hurry

Best of luck in your future endeavors :)

Dauhee.
0
