mozarks
Weird Default WBDService
Ok guys, I'm a tech and network admin, and have come across something that has me stumped. I have a Windows 2003 server running IIS that hosts multiple web sites. About every 2-3 nights the system stops serving web sites completely. I have done some digging and have found a service installed called Default WBDService. This goes to a file called upsvr.exe. Description of the service is "Support Windows File Search Servers Databases.". When I kill that running process and disable the service everything works fine again. I have found nothing on this file name, service name, or description on the web.
Anyone have any thoughts? This has all the makings of a virus type file, or a backdoor, rootkit, something, but virus scanners say the file is clean. Have I been hacked?
ASKER
I have tracked down some more info. From VirusTotal.com I get a response of BDS/Backdoor.Gen from Avira. There's another file that is suspicious that I've found that resembles something important that may be related as well, labeled as "Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\Windows\System32\msdtcsvc.exe". I upload this one to virustotal.com and I get the BDS/Backdoor.Gen as well. I know that MSDTC is a valid service so I compared this to some of my other servers and on those the service goes to the file msdtc.exe instead of msdtcsvc.exe. So, it's looking more and more like this server has been hacked.
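A defender-side way to automate the comparison the asker describes (service name to image path on the suspect box versus a known-good server), added here as an example that is not from the thread; the wmic-style CSV rows, hostnames and baseline are constructed for illustration.

```python
import csv
import io
import ntpath

# Constructed samples shaped like `wmic service get DisplayName,Name,PathName /format:csv`
# output from two hosts; the hostnames and the baseline rows are made up for this example.
BASELINE_CSV = """Node,DisplayName,Name,PathName
SRV-CLEAN,Distributed Transaction Coordinator,MSDTC,C:\\WINDOWS\\system32\\msdtc.exe
SRV-CLEAN,World Wide Web Publishing Service,W3SVC,C:\\WINDOWS\\system32\\svchost.exe -k iissvcs
"""
SUSPECT_CSV = """Node,DisplayName,Name,PathName
SRV-WEB1,Distributed Transaction Coordinator,MSDTC,C:\\WINDOWS\\system32\\msdtcsvc.exe
SRV-WEB1,World Wide Web Publishing Service,W3SVC,C:\\WINDOWS\\system32\\svchost.exe -k iissvcs
SRV-WEB1,Default WBDService,WBDService,C:\\WINDOWS\\system32\\upsvr.exe
"""

def parse_services(csv_text):
    """Map service Name -> (DisplayName, PathName) from wmic-style CSV text."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Name"]: (r["DisplayName"], r["PathName"]) for r in rows}

def image_name(path_name):
    """Executable file name from a service PathName, ignoring quotes and arguments."""
    path_name = path_name.strip()
    if path_name.startswith('"'):
        exe = path_name[1:].split('"', 1)[0]   # quoted path; arguments follow the closing quote
    else:
        exe = path_name.split(" ", 1)[0]      # unquoted path; arguments follow the first space
    return ntpath.basename(exe).lower()

def compare_services(baseline_csv, suspect_csv):
    """Return (service_name, reason) for every service that deviates from the known-good host:
    either it does not exist on the baseline at all, or its image file name differs."""
    base = parse_services(baseline_csv)
    suspect = parse_services(suspect_csv)
    findings = []
    for name, (display, path) in suspect.items():
        if name not in base:
            findings.append((name, "not on baseline: %s -> %s" % (display, path)))
            continue
        expected, actual = image_name(base[name][1]), image_name(path)
        if expected != actual:
            findings.append((name, "image differs: expected %s, found %s" % (expected, actual)))
    return findings

if __name__ == "__main__":
    for name, reason in compare_services(BASELINE_CSV, SUSPECT_CSV):
        print("%-12s %s" % (name, reason))
```

Feed it real exports from a trusted server and the suspect one; anything flagged is a candidate for hash lookup on VirusTotal, not proof of compromise by itself.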
yeah, msdtc is a valid service, msdtcsvc is definitely malware. Since Avira seems to at least recognize it, you could use Avira's portable boot CD to clean the files: http://thepcsecurity.com/virus-scan-boot-disk-from-avira/ you'd have to bring the box down for an hour or so, but better that than a day down the line.
ASKER
I think I'm going to go one even better and move the sites I have on here to another server and just reload this one. Thanks for the comments back and forth. Always helps to have a second opinion on these things.
ASKER
Good response. Appreciate the time taken to help out.
ASKER
I think your assessment of the situation is accurate. Was just hoping someone would recognize what this service and/or file might be doing.
Not familiar with VirusTotal. Thanks for that info!