iMonkey69
asked on
Loss of RDP via youngzsoft.com/cn
Good day all. I have a strange occurance and am seeking the Experts whom know a way to work this out.
Recently a Windows 2003 lost RDP access from external or internal connections.
After some snooping I noticed that a telnet to 3389 produced a strange result:
+++º-²¦+¦+ú¼¦d+d-ú+++f+¦-¬ -¦¦¦-= http://www.youngzsoft.com/cn/
CCProxy seems to be associated with the link, which is valid software....If you installed it?? We didn't.
So, scans produced a couple backdoor trojans and were cleaned but the problem persists.
Subsequent scans are clean.
So, I cannot see any programs relating to CCProxy or the like. I'm attaching a Hijack log for review.
Having said all that I DO know that the spoolsv.exe process seems to be the hijacked culprit. A netstat -no produces: <local server IP>:3389 being ESTABLISHED about 20 times with the PID that macthes the spoolsv.exe.
However killing the process does not free it and a reboot re-establishes the port being blocked.
Nonetheless....I'm a little at a loss on how to trouble shoot this further.
Warmest regards,
C HJT.txt
Recently a Windows 2003 lost RDP access from external or internal connections.
After some snooping I noticed that a telnet to 3389 produced a strange result:
+++º-²¦+¦+ú¼¦d+d-ú+++f+¦-¬
CCProxy seems to be associated with the link, which is valid software....If you installed it?? We didn't.
So, scans produced a couple backdoor trojans and were cleaned but the problem persists.
Subsequent scans are clean.
So, I cannot see any programs relating to CCProxy or the like. I'm attaching a Hijack log for review.
Having said all that I DO know that the spoolsv.exe process seems to be the hijacked culprit. A netstat -no produces: <local server IP>:3389 being ESTABLISHED about 20 times with the PID that macthes the spoolsv.exe.
However killing the process does not free it and a reboot re-establishes the port being blocked.
Nonetheless....I'm a little at a loss on how to trouble shoot this further.
Warmest regards,
C HJT.txt
Did you find the answer?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It was a matter of finding the right tool to detect this virus.
ASKER