vlsllp

Keylog-Ultimate.dll Virus on Windows Server 2008 R2 SP1

I am currently managing a SQL Server 2008 R2. I've installed programs such as McAfee Enterprise + AntiSpyware Enterprise 8.8, Kaspersky TDSSKiller and Malwarebytes 1.60.1.1000. These programs are scheduled to run/update every day. In addition, we are using RDS w/ user CAL licensing, which I hear is not secure, but we need it.

A few weeks ago, we encountered a type of malware called ransomware on our server and thought that I had successfully removed it. Unfortunately, that led to another issue: I noticed a keylogger program planted on my server that McAfee picked up. Here is the log:

- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe      C:\Windows\AppCompat\KAward\rsasws.exe      Keylog-AwardKey (Virus)
- C:\Windows\Explorer.EXE      E:\decrypterpv\dc.exe      Ransom-BA (Trojan)
- C:\Users\sys\Desktop\Setup.exe      C:\ProgramData\uklpr\KLKlMon.dll      Keylog-Ultimate.dll (Virus)


The software ran another scan last night and picked up:

- 3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)


How do I prevent this? Are they getting into my network through a backdoor? Does RDS play a big role in this case? Is there another level of security I can implement? I'll appreciate your help!
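The scanner output above can be triaged with a small parser; this is an added example and not part of the original post or of any McAfee tooling. It reads lines in the six/seven-column layout shown (date optional), folds the "Documents and Settings" and "Users" spellings of one path together, maps a hit inside an archive or NSIS installer back to the containing file (the scanner cannot clean a member in place, so that file is what has to go), and flags anything whose action was a failed delete. The sample lines are constructed from the post; the column layout and the container-extension list are assumptions.

```python
import re

# Constructed sample in the layout of the McAfee ODS log quoted in the question:
# optional date, time, action, user, scan type, path, detection, 2+ spaces apart.
SAMPLE_LOG = r"""
3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
"""
# Assumed archive/installer types whose members the scanner reports as "path\member".
CONTAINER_EXTS = (".rar", ".zip", ".7z", ".exe", ".msi", ".cab")

def parse_line(line):
    """Split one log line into a dict; the leading date column is optional."""
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) == 6:
        fields.insert(0, None)
    date, time_, action, user, scan, path, detection = fields
    # "Deleted (Clean failed)" = removed after a failed clean attempt; only an
    # action starting with "Delete failed" means the object is still on disk.
    return {"date": date, "time": time_, "action": action, "user": user, "scan": scan,
            "path": path, "name": re.sub(r" \(\w+\)$", "", detection),
            "unresolved": action.lower().startswith("delete failed")}

def normalize(path):
    """Lower-case, forward-slash form. On Vista/2008 and later, "Documents and
    Settings" is a junction to "Users", so both spellings name the same file."""
    p = path.replace("\\", "/").lower()
    return re.sub(r"^([a-z]:)/documents and settings/", r"\1/users/", p)

def container_of(npath):
    """Outermost archive/installer holding a scanned member, or None."""
    parts = npath.split("/")
    for i, part in enumerate(parts[:-1]):
        if part.endswith(CONTAINER_EXTS):
            return "/".join(parts[:i + 1])
    return None

def triage(log_text):
    """Collapse duplicate paths; per object to act on, report its detection
    names and whether any scan attempt left it on disk."""
    report = {}
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        npath = normalize(rec["path"])
        target = container_of(npath) or npath
        entry = report.setdefault(target, {"detections": set(), "unresolved": False})
        entry["detections"].add(rec["name"])
        entry["unresolved"] |= rec["unresolved"]
    return report
```

Run `triage(SAMPLE_LOG)` and the four log lines collapse to two objects, the Setup.exe on the desktop and the .rar in Downloads, both still unresolved.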
Grant1842

Please follow these instructions for removal.

http://www.uninstall-spyware.com/uninstallUltimateKeylogger.html
Is there a business reason why users that RDP into the server have administrative (install) privileges? Have you considered RemoteApp for programs that need administrator privileges? How about turning on Internet Explorer security for non-admins? How can you or your company justify the security risk that allowed this to happen in the first place? In many environments, once something is discovered as compromised, the entire server is rebuilt, as it can no longer be trusted.
Don't create the mess, then you don't have to clean up a mess. Unfortunately, you have to treat users like preschool children: you have to monitor them and protect them from themselves.
ve3ofa, yes there are special reasons why we grant our users administrative privileges.

Then BACKUP, BACKUP, BACKUP,

7 dailies, 4 weeklies, 12 monthlies, and 7 years of annuals.
vlsllp

ASKER

thanks
vlsllp

ASKER

Thanks I will try that!