iMonkey69

asked on

Loss of RDP via youngzsoft.com/cn

Good day all. I have a strange occurrence and am seeking the Experts who know a way to work this out.

Recently a Windows 2003 lost RDP access from external or internal connections.
After some snooping I noticed that a telnet to 3389 produced a strange result:

+++º-²¦+¦+ú¼¦d+d-ú+++f+¦-¬-¦¦¦-= http://www.youngzsoft.com/cn/

CCProxy seems to be associated with the link, which is valid software....If you installed it??  We didn't.

So, scans produced a couple backdoor trojans and were cleaned but the problem persists.
Subsequent scans are clean.

So, I cannot see any programs relating to CCProxy or the like. I'm attaching a HijackThis log for review.

Having said all that, I DO know that the spoolsv.exe process seems to be the hijacked culprit. A netstat -no produces: <local server IP>:3389 being ESTABLISHED about 20 times with the PID that matches the spoolsv.exe.

However killing the process does not free it and a reboot re-establishes the port being blocked.

Nonetheless....I'm a little at a loss on how to troubleshoot this further.

Warmest regards,
C HJT.txt
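The manual check described in the question (netstat -no showing port 3389 held by a PID that turns out to be spoolsv.exe) can be scripted so it is repeatable across hosts. The following is an added example, not code from the original post: it parses the output of `netstat -no` and `tasklist`, counts which PID owns connections on the RDP port, and flags any owner that is not the expected service host. It assumes that on a stock Windows Server 2003 box the Terminal Services service runs inside svchost.exe, so that is the only image treated as legitimate; the sample output embedded below is constructed for illustration and mirrors the symptom reported above.

```python
import re
from collections import Counter

# Constructed sample of `netstat -no` output (not taken from the original post).
# Three established connections on the local RDP port all belong to PID 1188.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.10.5:3389      192.168.10.5:1054      ESTABLISHED     1188
  TCP    192.168.10.5:3389      192.168.10.5:1055      ESTABLISHED     1188
  TCP    192.168.10.5:3389      192.168.10.5:1056      ESTABLISHED     1188
  TCP    192.168.10.5:445       192.168.10.22:2301     ESTABLISHED     4
  TCP    192.168.10.5:1039      192.168.10.5:3389      ESTABLISHED     1188
"""

# Constructed sample of `tasklist` output (not taken from the original post).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    932 Console                    0      4,312 K
spoolsv.exe                   1188 Console                    0      6,520 K
"""

# Assumption: on Windows Server 2003 the Terminal Services service (termsrv)
# is hosted by svchost.exe, so that is the only image expected to own 3389.
EXPECTED_RDP_OWNERS = {"svchost.exe"}

# TCP rows only: UDP rows in netstat output carry no State column.
NETSTAT_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
# Image name (may contain spaces), PID, session name, session number, memory.
TASKLIST_RE = re.compile(r"^(.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, foreign, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, lip, lport, foreign, state, pid = m.groups()
            rows.append((proto, lip, int(lport), foreign, state, int(pid)))
    return rows


def parse_tasklist(text):
    """Return a {pid: image_name} mapping from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def audit_port_owner(netstat_text, tasklist_text, port=3389, expected=EXPECTED_RDP_OWNERS):
    """Report which processes hold connections whose *local* port is `port`.

    Returns one dict per owning PID with the image name, the number of
    connections, and a `suspicious` flag set when the image is not in
    `expected`. Connections where `port` is only the foreign port are ignored,
    since those are outbound clients rather than the service bound to it.
    """
    procs = parse_tasklist(tasklist_text)
    counts = Counter()
    for _proto, _lip, lport, _foreign, _state, pid in parse_netstat(netstat_text):
        if lport == port:
            counts[pid] += 1
    findings = []
    for pid, n in sorted(counts.items()):
        image = procs.get(pid, "<unknown>")
        findings.append({
            "pid": pid,
            "image": image,
            "connections": n,
            "suspicious": image.lower() not in expected,
        })
    return findings


if __name__ == "__main__":
    for f in audit_port_owner(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"port 3389 owned by PID {f['pid']} ({f['image']}), "
              f"{f['connections']} connection(s): {tag}")
```

On a live host, feed the script the saved output of `netstat -no` and `tasklist` from the affected machine; a finding tagged SUSPICIOUS for spoolsv.exe reproduces the observation in the question, and the same check run after cleanup (and again after a reboot) confirms whether the legitimate service host has regained the port.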
iMonkey69

ASKER

I'll update this as I have resolved the issue....thanks.
ASKER CERTIFIED SOLUTION
iMonkey69

It was a matter of finding the right tool to detect this virus.