Solved

Weird Default WBDService

Posted on 2010-09-17
6
502 Views
Last Modified: 2012-05-10
Ok guys, I'm a tech and network admin, and have come across something that has me stumped.  I have a Windows 2003 server running IIS that hosts multiple web sites.  About every 2-3 nights the system stops serving web sites completely.  I have done some digging and have found a service installed called Default WBDService.  This goes to a file called upsvr.exe.  Description of the service is "Support Windows File Search Servers Databases.".  When I kill that running process and disable the service everything works fine again.  I have found nothing on this file name, service name, or description on the web.  

Anyone have any thoughts?  This has all the makings of a virus type file, or a backdoor, rootkit, something, but virus scanners say the file is clean.  Have I been hacked?
0
Comment
Question by:mozarks
  • 4
  • 2
6 Comments
 
LVL 9

Accepted Solution

by:
michaelaknight earned 500 total points
Comment Utility
Well, if you can't find that service anywhere online, it would lead me to believe that it's a rouge application. My first thought is that upsvr is taking over port 80 periodically as you say and confusing the server into not serving pages at all. Hence when you kill the service, IIS is once again able to serve over 80.
I just checked a couple 2k3/II6 machines that are actively serving pages and see no sign of this service. There's no harm in disabling it obviously, so why not do a search in regedit for upsvr.exe and just delete the keys (backup first if you are uncomfortable) see if they stay deleted/disabled.
what does uploading the file to http://www.virustotal.com/ have to say about it?
0
 
LVL 2

Author Comment

by:mozarks
Comment Utility
I've removed the service before and it comes back, leading me to further believe that, as you way, it's a rogue app.  Any idea of a .Net application that another user has done could possibly be causing this?  Nobody else has access to this server to install anything, at least not that I know of.  I have one web app on that is a .Net app that the coder who did it is not very experienced.  I've been blaming my locking up issues on that app until I found this not too long ago.  

I think your assessment of the situation is accurate - was just hoping someone would recognize what this service and / or file might be doing.  

Not familiar with VirusTotal.  Thanks for that info!
0
 
LVL 2

Author Comment

by:mozarks
Comment Utility
I have tracked down some more info.  From VirusTotal.com I get a response of BDS/Backdoor.Gen from Avira.  There's another file that is suspicious that I've found that resembles something important that may be related as well - labeled as "Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\Windows\System32\msdtcsvc.exe.  I upload this one to virutotal.com and I get the BDS/Backdoor.Gen as well.  I know that MSDTC is a valid service so I compared this to some of my other servers and on those the service goes to the file msdtc.exe instead of msdtcsvc.exe.  So, it's looking more and more like this server has been hacked.  

0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 9

Expert Comment

by:michaelaknight
Comment Utility
yeah, msdtc is a valid service, msdtcsvc is definately malware. Since Avira seems to at least recognize it, you could use Avira's portable boot CD to clean the files: http://thepcsecurity.com/virus-scan-boot-disk-from-avira/ you'd have to bring the box down for an hour or so, but better that than a day down the line.
0
 
LVL 2

Author Comment

by:mozarks
Comment Utility
I think I'm going to one even better and move the sites I have on here to another server and just reload this one.  Thanks for the comments back and forth.  Always helps to have a second opinion on these things.  
0
 
LVL 2

Author Closing Comment

by:mozarks
Comment Utility
Good response.  Appreciate the time taken to help out.  
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Debug Tools to analyse IIS process: This article focus on taking memory dumps from IIS to determine which code is taking more time and to analyse which calls hangs/causes more CPU usage. To take dumps,download the following. Install1: To st…
Periodically we have to update or add SSL certificates for customers. Depending upon your hosting plan you may be responsible for the installation and/or key generation. In the wake of Heartbleed many sites were forced to re-key. We will concen…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now