• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 419

Computer trying to create remote file share every day around 2:30AM. How can I find the program trying to do this?

I have a machine apparently trying to create a remote file share to an address on the Internet.  The web address is a legitimate site (a local school district).  We caught this on our perimeter FW as we block all outbound NETBIOS/TCP and port 445 connections.  We have since blocked all traffic to the IP address using our interior firewall.  Any suggestions of what could be trying to make the connections?  How do I locate the offending program?

We run a managed Symantec Corp. Ed. vscan, and the machine shows as clean.  The machine is also attached to a domain, and is assigned restricted user rights (cannot install programs).  

I ran X-NETSTAT on the machine to see if I could locate the process initiating the connections.  Here are the relevant log entries:

[2:36:03 AM] New   : www.sjsd.k12.mo.us            <3852/139>   (Syn sent)    [System]
[2:36:23 AM] New   : www.sjsd.k12.mo.us            <3853/80>    (Syn sent)    [svchost.exe]
[2:36:48 AM] New   : www.sjsd.k12.mo.us            <3854/445>   (Syn sent)    [System]
[2:36:53 AM] New   : www.sjsd.k12.mo.us            <3855/139>   (Syn sent)    [System]
[2:38:14 AM] New   : www.sjsd.k12.mo.us            <3867/445>   (Syn sent)    [System]
[2:38:19 AM] New   : www.sjsd.k12.mo.us            <3868/139>   (Syn sent)    [System]
[2:38:39 AM] New   : www.sjsd.k12.mo.us            <3871/80>    (Syn sent)    [svchost.exe]
[2:39:04 AM] New   : www.sjsd.k12.mo.us            <3872/445>   (Syn sent)    [System]
[2:39:09 AM] New   : www.sjsd.k12.mo.us            <3873/139>   (Syn sent)    [System]

I also ran a Windows utility (wmic.exe) to see which processes/tasks were calling svchost.  The files are attached.

There was a share created in Network Neighborhood, which has been removed, and all references to the URL and IP address in the registry have been removed.


ProcessList.txt
taskList.txt
Asked: ifbmaysville
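The attribution step the question asks for, as an added example that is not from the thread or from X-Netstat: a PowerShell loop that watches the TCP table for SYN_SENT connections to the suspect host on the ports seen in the log above and records the owning process. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection (on an XP-era machine, `netstat -bno` is the closest built-in); the log path and polling interval are assumptions.

```powershell
# Added example (not from the thread): poll the TCP table for SYN_SENT
# connections to the suspect host and record which process owns each one.
# Assumes Get-NetTCPConnection (Windows 8 / Server 2012 or later).
param(
    [string]$SuspectHost = 'www.sjsd.k12.mo.us',  # host from the X-Netstat log
    [int[]] $Ports       = @(139, 445, 80),       # ports seen in that log
    [string]$LogFile     = 'C:\Temp\synsent.log', # assumed output path
    [int]   $IntervalMs  = 250
)

# Resolve once; the firewall log in the thread shows a single address.
$targets = [System.Net.Dns]::GetHostAddresses($SuspectHost) |
    ForEach-Object { $_.IPAddressToString }

$seen = @{}   # "localport/remoteport" -> logged, so each attempt is written once
while ($true) {
    Get-NetTCPConnection -State SynSent -ErrorAction SilentlyContinue |
        Where-Object { $targets -contains $_.RemoteAddress -and
                       $Ports   -contains $_.RemotePort } |
        ForEach-Object {
            $key = '{0}/{1}' -f $_.LocalPort, $_.RemotePort
            if ($seen.ContainsKey($key)) { return }   # 'return' skips this item
            $seen[$key] = $true

            $p = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            # PID 4 ('System') owns SMB redirector connections on 139/445, so the
            # real caller is whatever user-mode process opened the UNC path; a
            # Procmon capture around this timestamp is what identifies it.
            # For svchost.exe the command line shows the -k service group.
            $line = '{0:HH:mm:ss} {1}:{2} -> {3}:{4} pid={5} {6} cmd="{7}"' -f
                (Get-Date), $_.LocalAddress, $_.LocalPort, $_.RemoteAddress,
                $_.RemotePort, $_.OwningProcess, $p.Name, $p.CommandLine
            Add-Content -Path $LogFile -Value $line
            Write-Host $line
        }
    Start-Sleep -Milliseconds $IntervalMs
}
```

The entries tagged `[System]` in the log above are the expected result for port 139/445 attempts: the SMB client runs in the kernel, so the TCP table never names the user-mode process that asked for the share. That is why a connection logger alone cannot close the case and a file-level trace (Procmon) around the same timestamp is needed; for the `[svchost.exe]` entries, `tasklist /svc` maps the PID to its hosted services.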
5 Solutions

r-k Commented:
I'll review the Process and Tasklists in a few minutes, but it would help if you can attach a HijackThis log from the offending computer.

Download HijackThis from http://www.hijackthis.de/
(use the "direct download" link in the upper-right corner)
Unzip to any folder on your hard drive (other than the desktop)
Run the program by double-clicking on the HijackThis.exe file.
Click on "Do a System Scan.."
Copy-and-paste the resulting log here.

Thanks.

ifbmaysville (Author) Commented:
Here is the HijackThis log.  I have redacted entries that contained local domain and user information.

Thanks!

JS
hijackthis.log

r-k Commented:
The HJT log is clean (you can check yourself by posting it back to http://www.hijackthis.de/ if you like).

The task and process lists you posted earlier also seem normal.

Is it possible you're looking at the wrong machine, i.e. some other machine may be the culprit?

If you're sure that you have the right machine, then we should consider a rootkit. Try RootkitRevealer on that machine:

Download and run RootkitRevealer from: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
and click on "Scan" to scan your drives.
It takes a while, so be patient.
Try not to use the system too much during that time to avoid false positives.
If it produces anything interesting, use "File -> Save As.." to save the results to a text file (Important -> you may need that file later).
Copy-and-paste the results here, but if the results are very long, then just copy-and-paste the first 30 lines or so.

ifbmaysville (Author) Commented:
It's definitely the correct machine.  The MAC address in the FW log matches the MAC address of the Ethernet adapter on the machine in question.

I'll try out the rootkit detection utility.  Will have to wait until this evening.

Thanks!

JS

Dauhee Commented:
You can use Sysinternals procmon.exe: just start the monitoring tool just before the mapping is to take place, and then press the capture button to stop further checking after the attempt has been made. That will give you the process, registry and file interrogations, etc.

ifbmaysville (Author) Commented:
I ran both Sysinternals rootkitrevealer and Sophos Anti-Rootkit.  Neither had anything of interest:
________
rootkitrevealer:

HKLM\SECURITY\Policy\Secrets\SAC*      8/12/2004 12:36 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      8/12/2004 12:36 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed      6/21/2008 8:30 AM      80 bytes      Data mismatch between Windows API and raw hive data.
C:\WINDOWS\Temp\TMP0000052890532BBD70A32496      6/21/2008 8:38 AM      512.00 KB      Hidden from Windows API.
_________________________
Sophos:

Area:      Windows registry
Description:      Hidden registry key
Location:      \HKEY_USERS\S-1-5-21-1409082233-1592454029-682003330-1113\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.local:8080/weblogpub/information_technology_1171065380/attach?type=direct&act=binfile&prm=s%2Ba1tdq8tLPksLDg5trh6ubatdrkvea1tLK04w%3D%3D
Removable:      No
Notes:      (no more detail available)

Area:      Windows registry
Description:      Hidden registry key
Location:      \HKEY_USERS\S-1-5-21-1409082233-1592454029-682003330-1113\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.local:8080/weblogpub/information_technology_1171065380/attach?type=direct&act=binfile&prm=tLy9tbXatrewtrLnvLPa4erm2rXa4ba05L20t70%3D
Removable:      No
Notes:      (no more detail available)
(these appear to be entries related to our internal blog server)
_______________________

Thanks for the procmon.exe idea -- I'll try to run that tonight.

JS

Dauhee Commented:
Oh, just thought you could try "openfiles" also. If there is a process that you suspect from procmon.exe (could even be a native Windows one), you might see some unusual file activity. Often when a system has been compromised, data is recorded somewhere on the filesystem; openfiles may point you to where that is (if it is a malicious threat).

r-k Commented:
Try Autoruns also:

(1) Download Autoruns from: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, uncheck "Include Empty Locations" and check "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Post it here.

Thanks.

ifbmaysville (Author) Commented:
I've already been through all the startup info using msconfig and spybot s&d.  However, I'll run the utility to see how it works.  Might be a better alternative to msconfig.  I'll post the results.

FYI, I converted the URL and IP address to hex strings, and did a registry search for the values, just to see if it was being hidden that way.  May do a full file search as well.

Thanks!

JS

r-k Commented:
Thanks for the update. Autoruns is much more complete than msconfig, spybot, or HJT. I am hoping something will show there, perhaps in the scheduled tasks section (you did check that already, I hope).

r-k Commented:
As an option, if possible, you can install the free version of ZoneAlarm on that PC. By default it blocks outgoing connections and lets you know with a warning, as well as saving a log. May pin it down further.

ifbmaysville (Author) Commented:
I ran the autoruns utility today.  I did not suspect a "scheduled" event, as it does not happen at the same time every AM.  It is within the time frame of 2:30 and 3:30 AM, but the exact time of starting/ending is always different.  
Find attached the Autoruns file.
Have not run procmon yet:  looking for a way to automate.
The X-Netstat program I ran basically did what Z-Alarm would do -- it logged every outgoing connection, including  the addresses, local and remote ports, and processes calling the connection.  It can also be set to block, but I have that taken care of at the firewall.

Thanks!

JS

AutoRuns.txt
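One way to get the unattended Procmon capture the post above says it is still looking for, as an added example that is not from the thread or from Sysinternals: a PowerShell script meant to be started by a scheduled task shortly before the 2:30 window. Procmon's /AcceptEula, /Quiet, /Minimized, /BackingFile and /Terminate switches are real; the install path, output folder, duration and task name are assumptions.

```powershell
# Added example (not from the thread): unattended Procmon capture over the
# nightly window. Paths, duration and task name are assumptions.
param(
    [string]$Procmon = 'C:\Tools\procmon.exe',   # assumed install location
    [string]$OutDir  = 'C:\ProcmonCaptures',     # assumed output folder
    [int]   $Minutes = 75                        # 02:15 start + 75 min covers 02:30-03:30
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$backing = Join-Path $OutDir ('capture_{0:yyyyMMdd_HHmm}.pml' -f (Get-Date))

# /BackingFile writes events to disk rather than paged memory so a long run
# does not exhaust RAM; /Quiet skips the filter prompt; /Minimized keeps the
# window off the console; /AcceptEula avoids the first-run dialog.
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$backing`""
)

Start-Sleep -Seconds ($Minutes * 60)

# /Terminate tells the running instance to stop capturing and exit, which
# flushes the backing file so it opens cleanly afterwards.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

# Register the job once from an elevated prompt (assumed script path):
#   schtasks /Create /TN "ProcmonNightCapture" /SC DAILY /ST 02:15 /RU SYSTEM ^
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Tools\capture.ps1"
```

Afterwards, open the .pml in the same Procmon build that wrote it, filter on Path containing the host name, and step back a few events from the first SMB open to see which user-mode process asked for the remote path. An hour of unfiltered tracing produces a large backing file; if disk is tight, save a filter from the GUI and pass it with /LoadConfig.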

ifbmaysville (Author) Commented:
Got sidetracked with other tasks.  Worked on this some over the weekend.  Found a shortcut to an .rtf file that linked back to the address (school newsletter).  Deleted it, but it did not fix the issue.

Changed the time on machine to see if I could get the event to trigger so I could capture w/ procmon, but that did not work either.   Looks like it's a 2:30AM trip into the office to capture manually.

Thanks for the assistance.  I will post the procmon results tomorrow.

JS

ifbmaysville (Author) Commented:
Ran procmon in conjunction w/ X-Netstat.  Set X-Netstat to start procmon.exe whenever www.sjsd.k12.mo.us attempted a connection.  I have attached a capture file edited to correlate to the following X-Netstat entry (rename file from .log to .pml and open in procmon):

[3:06:15 AM] New   : www.sjsd.k12.mo.us  <3972/80>    (Syn sent)    [svchost.exe]

Notice where the X-Netstat calls the procmon.exe file -- this is where the connection attempt is taking place.  I had to disable the rule as it continued to open instances of procmon.  I kept only the first window spawned open.

I am thinking the connection attempt is being spawned by the Farstone Drive Clone program?

Thanks!

JS
Logfile.log

Dauhee Commented:
I appear to have a different version of procmon.exe (incompatible version error) and can't open up the file unfortunately (after changing extension)

you have probably already proceeded to disable the Farstone Drive Clone program & related services and will see next time if there is any nocturnal browsing activity :)

ifbmaysville (Author) Commented:
Actually, I ran the "openfiles" utility last night.  I set X-Netstat to open a batch file with the command "C:\windows\system32\openfiles >> c:\openfiles.txt" whenever the event triggered.  Hoped to be able to compare the open files over a series of events.  Unfortunately, I forgot to enable "local" on the machine.  Will fix my mistake and try again tonight.

Did not uninstall the DriveClone yet as I did not want to taint the results of the openfiles, in case DriveClone is manipulating an infected file.  Need to make sure I have the root cause.

Thanks!

JS

ifbmaysville (Author) Commented:
I double checked the procmon file I attached to make sure it was not corrupted during upload.  It works fine on the version of procmon I am running: Process Monitor v. 1.33.  

Thanks!

JS

Dauhee Commented:
ah I have v 1.3.5 and can't find the older version - would have expected backwards compatibility!!

ifbmaysville (Author) Commented:
I uninstalled the Farstone DriveClone, but it did not solve the problem.  However, I also was able to run the openfiles utility.  File is attached.  

Any ideas on where to look now?

Thanks,

JS

openfiles080717.txt

Dauhee Commented:
cool will take a look :)

Dauhee Commented:
Apologies, but I couldn't determine if there was any abnormal activity from the output. I was unable to get my hands on the correct version of procmon.exe to view the output; I would be hopeful that there is something useful/lurking in there.

Just wondering if you have auditing turned on. Sometimes in the security event log you can see activity such as other machines connecting, just in case it was something crazy like a scheduled task on another machine doing some sort of RPC call. If not, could you turn on extended security auditing for the 2:30 activity?

For example, using Sysinternals psexec to launch a command on a remote machine.

The fact it's not a malicious site would indicate it's something silly (but incredibly complicated!) in a configuration; if not on the actual server, it could be something remote! winmgmt comes under the umbrella of svchost, so it could also be a WMI call, again done remotely.

(Just jotting a few things down; may not be able to answer any more questions in the next while)

Best of luck!
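The audit approach suggested above, as an added example that is not from the thread: enable Logon auditing (to see another LAN machine authenticating to this host over the network) and Windows Filtering Platform connection auditing (which attributes each outbound connection to an image path), then pull the Security events for the nightly window. It assumes Vista / Server 2008 or later, since these subcategory names and event IDs do not exist on XP; the IP address is a placeholder for the one in the firewall log.

```powershell
# Added example (not from the thread): query the Security log for the nightly
# window. Assumes Vista / Server 2008 or later; $RemoteIp is a placeholder.
# Enable the two subcategories once, elevated, before the window:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
#   auditpol /set /subcategory:"Filter Platform Connection" /success:enable /failure:enable
param(
    [datetime]$Start    = (Get-Date).Date.AddHours(2),                # 02:00 today
    [datetime]$End      = (Get-Date).Date.AddHours(3).AddMinutes(30), # 03:30 today
    [string]  $RemoteIp = '192.0.2.10'   # PLACEHOLDER: use the address from the FW log
)

function Get-NetworkLogons {
    # 4624 with logon type 3 = another host authenticated over the network
    # (SMB, RPC, WMI, psexec), which is what a remotely driven action would leave.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 3 } |
        Select-Object TimeCreated,
            @{ n = 'Account';     e = { '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value } },
            @{ n = 'Workstation'; e = { $_.Properties[11].Value } },
            @{ n = 'SourceIp';    e = { $_.Properties[18].Value } }
}

function Get-OutboundToRemote {
    # 5156 = WFP permitted a connection. It names the owning image path and the
    # destination, so an outbound attempt is attributed to a process on the host
    # itself, even though the interior firewall drops the packet later.
    # Direction is stored as a resource string: %%14593 = Outbound, %%14592 = Inbound.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq $RemoteIp -and
                       $_.Properties[2].Value -eq '%%14593' } |
        Select-Object TimeCreated,
            @{ n = 'Pid';     e = { $_.Properties[0].Value } },
            @{ n = 'Image';   e = { $_.Properties[1].Value } },
            @{ n = 'DstPort'; e = { $_.Properties[6].Value } }
}

Get-NetworkLogons    | Format-Table -AutoSize
Get-OutboundToRemote | Format-Table -AutoSize
```

If the 5156 rows all name `System` for ports 139/445, the kernel SMB client is the connecting image and the user-mode caller still has to come from a file-level trace; an empty logon list for the window argues against the remote-initiation theory and for something local, such as a scheduled scan.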

ifbmaysville (Author) Commented:
Thank you.  Didn't think about checking the event logs and comparing with my other data.  They are turned on, though I need to expand the data they log.

There are several mapped drives to the DC, as well as a few shared printers.  I'll check out the RPC idea -- it's a possibility.  However, I don't see how it could be coming from the www.sjsd.k12.mo.us site.  We have cascading SPI firewalls in place, and I have the IP address blocked outbound (so no holes can be opened).

JS

Dauhee Commented:
Hi JS,

I was thinking more along the lines of the possibility of something within your LAN, such as another user computer or server, initiating the action.

ifbmaysville (Author) Commented:
Thanks for the follow-up, Dauhee.  There are several computers that use a shared printer on this machine, as well as this machine mapping drives and using printers on a DC.  I'm checking out the DC today.

Checked out the audit logs.  Nothing there that corresponded to the X-Netstat logs.  However, there were a few other errors (DCOM, SceCli) that I cleaned up.  Turned on Process Auditing for over the weekend.  See if that reveals anything.

Also, I turned off system restore to delete any restore points.  Always a good policy when cleaning up a virus; figured it couldn't hurt.

Thanks for the input!  Sorry this is so extended.  One man IT dept covering 3 locations.  Keeps me busy.

JS

ifbmaysville (Author) Commented:
I believe we have discovered the culprit:

Poring over the openfiles log, I noted Windows Defender running at the same time the event was happening (the MSASCui.exe file).  On a wild hair, I ran a manual, full Windows Defender scan yesterday afternoon.  I had to leave before it finished.  This AM, I forgot to check my fw logs from yesterday afternoon to see if any activity triggered.  It did @ 17:56:09 through 18:04:40.  The WinDef scan ended @ 17:59:42.  Looks like it is the trigger.

Checking back in the system logs on the machine, WinDef starts a scan between 1:40AM and 2:10AM and ends between 2:39AM and 3:15AM, the same time frame the event triggers every AM.

I'm guessing when it scans system restore points, it hits a copy of the shortcut to the online newsletter @ www.sjsd.k12.mo.us.  It tries to call the newsletter so it can scan it, triggering the attempt to map the resource.  Now I'm wishing I had not deleted the restore points so quickly -- I'd like to test again.

I am starting another manual, full WinDef scan now.  Hopefully, we have no access attempts.  If we do, at least we have a new starting point...  

Thanks again!

JS

Dauhee Commented:
Wow, you're a 1-man army; the 3 sites are lucky to have you!! Very interesting about WinDef. I won't speak too soon until you get confirmation on the results :) If that is the issue, I'll be sticking it in my black book. Reminds me of the time I found a port-blocking issue with Google Desktop . . . . .

ifbmaysville (Author) Commented:
Here's what we know after the weekend:

Windows Defender is the trigger.  It is a reproducible event.

My early guess as to why is incorrect.  Even with the restore points gone, the call to the remote site still occurred.

Today, I searched the DC for the URL.  It showed up in a shared folder used for backups by the offending machine (Favorites backup).  I deleted the shortcuts and rescanned the machine.  It is still making the remote call.

At least we know the trigger, and it is reproducible.

I've researched how WinDef logs its scans, but cannot find anywhere how to make it log every file it scans with a timestamp.  The histories show only suspect or infected files that were scanned.

Thanks!

JS

ifbmaysville (Author) Commented:
Thanks for the suggestions and ideas on tracking this issue down.  At least I now know what is triggering it.  Should be able to handle it from here.  Will post a follow-up when I have found the actual culprit.  At least it is benign!

ifbmaysville (Author) Commented:
Here's the final resolution:

I had to run Windows Defender manually, progressively deselecting scanned directories.  I finally got the scan down to the user's profile, the "My Recent Documents" folder.

There was a shortcut located there named "newsletter_temp.lnk."

That shortcut linked to a newsletter located at www.sjsd.k12.mo.us.  Whenever Windows Defender scanned, it would try to call the newsletter so it could scan it.

I removed the shortcut, and a subsequent WinDef scan did not trigger the event.

You were correct, Dauhee -- something silly, but difficult to find.

Many thanks!

JS
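A faster way to find a stray shortcut like the one in the resolution above, as an added example that is not from the thread: a PowerShell search of every .lnk under the user profiles for a host name stored in either ASCII or UTF-16LE (shell links carry paths in both forms). It reads the raw bytes and never resolves the link, so the search itself makes no network request, unlike a scanner that follows the target. The profile root and the host name are taken from the thread; point -ProfileRoot at a backup share to cover copies like the Favorites backup found on the DC.

```powershell
# Added example (not from the thread): locate .lnk files under the user
# profiles whose bytes contain a host name, in either ASCII or UTF-16LE.
# Raw-byte matching means the link is never resolved, so nothing is fetched.
param(
    [string]$Pattern     = 'sjsd.k12.mo.us',        # host from the thread
    [string]$ProfileRoot = "$env:SystemDrive\Users"  # 'Documents and Settings' on XP
)

# Latin-1 maps every byte to exactly one char, so a byte array can be
# searched as a string without any decoding losses.
$latin1  = [System.Text.Encoding]::GetEncoding(28591)
$needles = @(
    $latin1.GetString([System.Text.Encoding]::ASCII.GetBytes($Pattern)),    # narrow form
    $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes($Pattern))   # UTF-16LE form
)

function Find-ShortcutsReferencing {
    param([string]$Root, [string[]]$Needles)
    # -Force includes hidden folders such as Recent and AppData.
    Get-ChildItem -Path $Root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName))
            foreach ($n in $Needles) {
                if ($raw.IndexOf($n, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{
                        Shortcut = $_.FullName
                        Modified = $_.LastWriteTime
                        Encoding = $(if ($n -eq $Needles[0]) { 'ASCII' } else { 'UTF-16' })
                    }
                    break
                }
            }
        }
}

Find-ShortcutsReferencing -Root $ProfileRoot -Needles $needles | Format-Table -AutoSize
```

The same idea generalises to any file type a scanner or indexer parses on its own schedule: a link or document that embeds a remote path can produce outbound 139/445 (and then 80) attempts from `System` and `svchost.exe` with no malware involved, which is exactly the pattern this thread started with. Keeping the address blocked at the firewall while searching, as was done here, means a false hit costs nothing.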

Dauhee Commented:
Hi ifbmaysville,

Much appreciated for the update! I certainly won't forget that one in a hurry

Best of luck in your future endeavors :)

Dauhee.