Solved

Malware\Hacking tool on server

Posted on 2011-09-23
2,499 Views
Last Modified: 2012-05-12
I recently took on a client that has 5 workstations and one server. Of course they had no antivirus on their server, and when I logged onto the server using the administrative logon I found a hacking program running on the server. The program was called FRDPB v1.1.2 and the site it showed on the bottom of the program was www.frdpb.hut2.ru. I followed the link and it was a Russian site, but I couldn't read Russian. Anyway, I used Malwarebytes to remove the virus\hack tool, but the next day it was back on the server; my mistake, I didn't change the admin password after removal. I now have the password changed, but I want to make sure this "tool" has been removed and to make sure the server is secure. Unfortunately the server isn't configured as a domain controller but does control their workgroup. Also, when I go to log onto the server there are 5 users listed on the startup screen: Station 1, Station 2, Station 3, Guest, and Administrator. Now I don't know if this is what I am supposed to see when I go to log on to a 2008 workgroup server, but I think it is odd; also, those users are not listed in the Users section of Control Panel.

I know I have been long-winded, but I wanted to describe the problem so you have some history. I would like to know first how to get rid of this program and second how to secure this server. I have loaded Trend Micro Worry-Free Standard onto the server; however, it didn't seem to stop the hack tool.

Below is the log from HijackThis, and there are quite a few items I am unsure about.

Running processes:
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe
C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Apache2\bin\ApacheMonitor.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1165\6.6.1081\TmIEPlg32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - Global Startup: Monitor Apache Servers.lnk = Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://www.orion-soft.com
O15 - ESC Trusted IP range: http://192.168.1.1
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} (Encrypt Class) - https://atlas-jd:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBEDCC} (Security Server Management Console) - https://atlas-jd:4343/SMB/console/html/root/AtxConsole.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1165\6.6.1081\TmIEPlg32.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: Application Services2 (AeLookupsrc2) - Youngzsoft - C:\Windows\system32\dri2\svchost.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Apache2 - Apache Software Foundation - c:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Apache2\bin\Apache.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\AMT\LMS.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Security Server Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: Trend Micro Smart Scan Service (TMiCRCScanService) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\WSS\iCRCService.exe
O23 - Service: Trend Micro Security Agent Communicator (TmListen) - Trend Micro Inc. - C:\Program Files\Trend Micro\Security Agent\tmlisten.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 7083 bytes


Thank You
Question by:tparus
15 Comments
 
LVL 7

Expert Comment

by:mrhamen
ID: 36587931
When you ran this scan did you have Internet Explorer running in the background? I only ask because I have run into a couple of infections lately that were causing Internet Explorer to be running in the background, and I notice two instances running on this scan.

Have you run a full virus scan with an antivirus tool of your choice? Trend Micro and McAfee both have online versions that you can scan the system with for free.

I've also started running TDSSKiller on all the boxes that I suspect may have some sort of infection.
 

Author Comment

by:tparus
ID: 36588124
As for your first question, I don't believe I was running IE; however, I might have had it open to this site when I ran HijackThis.

I ran a full scan of Malwarebytes and it found nothing. However, when I first discovered this program running it found a bunch of Trojans and malware, but those were removed, and when I logged on today and saw that program running again I ended the program, deleted the user it had created, then ran that program again and it found nothing. When I ran Trend Micro it found a few Trojans and cleaned them. When I ran TDSSKiller it found nothing as well.

One other thing I am having problems with is Windows Update; it will not update. I have run a script to register the DLLs and restart the services, but it still won't update. When I look at the HijackThis log there are a lot of entries where the files are missing. What needs to be done on those?
 
LVL 7

Expert Comment

by:mrhamen
ID: 36588137
What error messages are you getting when trying to run Windows Update?
 

Author Comment

by:tparus
ID: 36588315
I get two errors. When I run update it says it has 5 updates to install and starts with KB2616676, which gets error code 80070426; then it tries to install IE9 and gets error code C355. After those two updates fail it tells me that all 5 updates have failed. I don't know if this has anything to do with it, but I was able to install Service Pack 1, and after that I started encountering errors. It was after the installation of SP1 that I discovered this hacking tool and removed it, so I think all these problems are related to the removal of the Trojan(s).
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 36588498
Malwarebytes has to be run in safe mode to remove all traces of malware.
 
LVL 7

Expert Comment

by:mrhamen
ID: 36588974
Can you check and see if the Cryptographic Services service is running when you are trying to run the updates? If not, start it and then run updates.
 
LVL 15

Accepted Solution

by:
Russell_Venable earned 250 total points
ID: 36595494
Hi tparus,
As far as the tool goes, frdpb is a brute-force tool for Remote Desktop.

There are 3 items used in this attack:

1.) frdpb (RDP Bruteforce tool)
2.) RDP.nse (Nmap port scanner script w/Nmap of course)
3.) A batch file to help automate the scanning for vulnerable hosts.

I received a copy of this tool along with instructions on how to use it. The reason I am explaining this is so you have an understanding of how this person gained access to your server.

Analysis of the tool shows it connects to the normal RDP port on 3389 and begins its attack with a dictionary file of passwords and usernames it wishes to try. I believe you had a weak password installed on the server, or it was easily guessable. I have the password list used by the tool itself as well, through thorough investigation.

It also appears the tool is no longer being hosted from that site; it is no longer a distribution site, just a file hosting server.

If you wish to protect your server from such attacks you can block remote access to port 3389 for all remote users, or filter the incoming requests so that only certain domains/IP addresses are accepted, or completely disable RDP altogether. You have already effectively changed your password, which was an excellent step towards protecting your server. Make sure your password has at least a minimum of 2 uppercase letters, 2 numeric digits, 2 special characters, and a password length of at least 12 characters. This should help against brute-force attacks like this, as it would take them years just to guess it.

@Greg_Hejl Hi,
Safe mode has not been a good suggestion for a while now, being that, for one, the Malwarebytes scanner is designed to be run within normal mode and safe mode disables portions of the scanner itself. Only suggest safe mode when a user cannot access through normal mode. Most removal tools are designed this way, and safe mode is just not the right solution for safety of the user and a better removal experience. There is another caveat for this as well. If the malware is a destructive malware it is suggested to not run the system at all and either remove the drive and disinfect using an operating system that can mount the drive separately but not run the files on the filesystem, or use a live CD that can mount the drive and scan/remove the offending malware. Getting back to the safe mode topic: if running the tool fails in normal mode it needs to be renamed and then run again, as some malware detect the window name and kill the process. So it is very important to know how the tool works to make the best solution possible.

Much respect, Russell
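The brute-force pattern Russell describes (repeated RDP logon attempts driven by a dictionary of usernames and passwords) shows up on the server side as a burst of failed-logon events from one source address. This added example, not from the thread, parses constructed records in the shape of Windows Security event 4625 with Logon Type 10 (RemoteInteractive, i.e. RDP) and flags any source IP that fails a threshold number of RDP logons inside a time window; the sample field layout, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security event 4625
# (failed logon). Logon Type 10 is RemoteInteractive, i.e. an RDP logon.
SAMPLE_EVENTS = [
    "2011-09-22 02:14:01 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45",
    "2011-09-22 02:14:03 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45",
    "2011-09-22 02:14:05 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.45",
    "2011-09-22 02:14:07 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.45",
    "2011-09-22 02:14:09 EventID=4625 LogonType=10 Account=station1 SourceIP=203.0.113.45",
    "2011-09-22 02:14:11 EventID=4625 LogonType=10 Account=station1 SourceIP=203.0.113.45",
    "2011-09-22 08:30:00 EventID=4625 LogonType=10 Account=station2 SourceIP=192.168.1.20",
    "2011-09-22 09:45:00 EventID=4625 LogonType=10 Account=station2 SourceIP=192.168.1.20",
    "2011-09-22 09:46:00 EventID=4625 LogonType=2 Account=station3 SourceIP=-",
    "2011-09-22 09:47:00 EventID=4624 LogonType=10 Account=station2 SourceIP=192.168.1.20",
    "this line is not an event and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=(?P<id>\d+) "
    r"LogonType=(?P<lt>\d+) Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)

def parse_event(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "id": int(m["id"]),
            "lt": int(m["lt"]), "acct": m["acct"], "ip": m["ip"]}

def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP with >= threshold failed RDP logons inside any window to
    (total failed RDP attempts from that IP, sorted list of account names tried)."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["id"] == 4625 and ev["lt"] == 10:  # failed RDP logons only
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0  # sliding window over the time-ordered failures
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({e["acct"] for e in events}))
                break
    return flagged

if __name__ == "__main__":
    for ip, (count, accounts) in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} failed RDP logons, accounts tried: {', '.join(accounts)}")
```

On a real server the same logic applies to events exported from the Security log; two failures over an hour from a LAN address (a user mistyping) stay below the threshold, while a dictionary run from one address trips it within seconds.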
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 250 total points
ID: 36595553
There is a long-running post about the safe mode debate:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_26933025.html?sfQueryTermInfo=1+10+30+mbam+mode+safe

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24860646.html?sfQueryTermInfo=1+10+30+mbam+mode+safe

Basically, running scans in safe mode (along with boot disk AVs and HDD slaving) is no longer as effective as it once was. It is far more effective to run a scan on the PC when the rogue processes are running.
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 36595612
Thanks phototropic! Didn't know about the links. :)
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 36596725
Thanks for the link phototropic - I have started running MBAM in safe mode because the last two viruses I have battled did not allow MBAM to install or run when not in safe mode... I have had better success with ComboFix.
 

Author Comment

by:tparus
ID: 36600515
Well, it looks like the virus/hack tool is no longer running, so that is good; however, can someone look at the HijackThis file I posted? It shows a bunch of missing files that are system files, and I still cannot update the server. Thanks for all the suggestions and info on the hack tool that was on this server.

Weak passwords are always asking for trouble. I'm glad I took this client on when I did otherwise they would have many more problems. It's amazing how companies ignore common security practices for computers and fail to realize the importance of these machines to their organization.
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 36602312
sfc /scannow will fix those.

You need the OS disk,

or

http://www.bleepingcomputer.com/forums/topic43051.html
 
LVL 23

Expert Comment

by:phototropic
ID: 36602406
It's OK. The "file missing" report is HijackThis attempting to deal with a 64-bit OS. If you are running 64-bit, just ignore the "file missing" O23 entries.

Here is a great article about this issue:

http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/A_3178-HijackThis-reports-missing-files-on-64-bit-Systems.html
 

Author Comment

by:tparus
ID: 36602429
Will this solution work on a Windows 2008 server, since it mostly talks about Windows XP?
 
LVL 23

Expert Comment

by:phototropic
ID: 36602486
Like I said, if you are running a 64-bit OS, you can safely ignore all those O23 "file missing" entries in the HJT log. It's a bug in HJT. You do not need to run sfc /scannow.