Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Weird Default WBDService
Posted on 2010-09-17
Ok guys, I'm a tech and network admin, and have come across something that has me stumped. I have a Windows 2003 server running IIS that hosts multiple web sites. About every 2-3 nights the system stops serving web sites completely. I have done some digging and have found a service installed called Default WBDService. This goes to a file called upsvr.exe. Description of the service is "Support Windows File Search Servers Databases.". When I kill that running process and disable the service everything works fine again. I have found nothing on this file name, service name, or description on the web.
Anyone have any thoughts? This has all the makings of a virus type file, or a backdoor, rootkit, something, but virus scanners say the file is clean. Have I been hacked?
Anyone have any thoughts? This has all the makings of a virus type file, or a backdoor, rootkit, something, but virus scanners say the file is clean. Have I been hacked?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
2
6 Comments
Well, if you can't find that service anywhere online, it would lead me to believe that it's a rouge application. My first thought is that upsvr is taking over port 80 periodically as you say and confusing the server into not serving pages at all. Hence when you kill the service, IIS is once again able to serve over 80.
I just checked a couple 2k3/II6 machines that are actively serving pages and see no sign of this service. There's no harm in disabling it obviously, so why not do a search in regedit for upsvr.exe and just delete the keys (backup first if you are uncomfortable) see if they stay deleted/disabled.
what does uploading the file to http://www.virustotal.com/ have to say about it?
I just checked a couple 2k3/II6 machines that are actively serving pages and see no sign of this service. There's no harm in disabling it obviously, so why not do a search in regedit for upsvr.exe and just delete the keys (backup first if you are uncomfortable) see if they stay deleted/disabled.
what does uploading the file to http://www.virustotal.com/ have to say about it?
I've removed the service before and it comes back, leading me to further believe that, as you way, it's a rogue app. Any idea of a .Net application that another user has done could possibly be causing this? Nobody else has access to this server to install anything, at least not that I know of. I have one web app on that is a .Net app that the coder who did it is not very experienced. I've been blaming my locking up issues on that app until I found this not too long ago.
I think your assessment of the situation is accurate - was just hoping someone would recognize what this service and / or file might be doing.
Not familiar with VirusTotal. Thanks for that info!
I think your assessment of the situation is accurate - was just hoping someone would recognize what this service and / or file might be doing.
Not familiar with VirusTotal. Thanks for that info!
I have tracked down some more info. From VirusTotal.com I get a response of BDS/Backdoor.Gen from Avira. There's another file that is suspicious that I've found that resembles something important that may be related as well - labeled as "Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\Windows\System32\msdtcs
yeah, msdtc is a valid service, msdtcsvc is definately malware. Since Avira seems to at least recognize it, you could use Avira's portable boot CD to clean the files: http://thepcsecurity.com/virus-scan-boot-disk-from-avira/ you'd have to bring the box down for an hour or so, but better that than a day down the line.
I think I'm going to one even better and move the sites I have on here to another server and just reload this one. Thanks for the comments back and forth. Always helps to have a second opinion on these things.
Featured Post
Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash"
After Shake : http://www.videocopilot.net/presets/after_shake/
All lightning effects with instructions : http://www.mediaf…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month5 days, 1 hour left to enroll
636 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.