cyrillic/russian text in windows explorer on Windows Server 2007 Standard

Posted on 2014-11-14
Medium Priority
Last Modified: 2014-12-01
Recently, it was brought to my attention that a server running Windows 2007 Standard edition randomly displays Russian webpages in the default browser without having launched the browser. It is also defaulting to Cyrillic text when typing in new folder names, or trying to type in the name of an executable in the Run line, or when typing text in WordPad on the system. I noticed WinRAR (ru) was also installed, as was Firefox (ru), both of which I uninstalled. I also ran TDSSKiller and it found nothing. I ran Malwarebytes as well, with only a minor "PUP" object discovered. I also noticed a .txt file (2K in size) with a name in Russian, and the contents are also in Russian (I see some email addresses in it with @mail.ru). It appears to be a Windows install log file of some sort.

I checked the Regional and Language settings in Control Panel and they are all set to the correct, US, settings.
I certainly want to find and remove the cause of what clearly appears to be an infection, despite the inability of the tools I have used to locate and remove it. However, I would first like to reset the Windows Explorer setting(s) that are causing anything I type to appear in the Cyrillic font type. So, any assistance on both the search for and removal of the infection, and the correction of the text, would be greatly appreciated.
Question by: ks157
Author Comment

ID: 40443277
Update since this initial post. I happened to log into this server again and noticed a user, "sys", also had an RDP session open (it was the same user that had a few browser sessions running with the Russian websites). I checked the account in AD and it had "sys" for the first and last name. I am suspicious that this account was created by a hacker to gain access to the server (it was a member of Domain Admins). I disabled the account in AD and killed the RDP session. I also noticed (not sure if after these prior actions I mentioned) that the Cyrillic text has ceased and I can now type in WordPad and Explorer and it will appear in English text now, so it seems part of my initial request has been automatically (best described perhaps as automagically) resolved. I still would appreciate some suggestions on searching out what appears to be malicious activity. I do not administer this system; I was asked to look at it. It also seems way behind on Windows patches, so that will be my next project while I wait for ideas on searching for infections.
Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points
ID: 40444162
Time to enumerate all the administrative users and change all of their passwords. Unfortunately you have proof of being compromised; the backdoor may still be wide open, and no machine in the network can be fully trusted as of now.
Accepted Solution

btan earned 1000 total points
ID: 40446627
It has clearly been compromised, given that such a privileged account was created. Inform the security or sysadmin in charge, isolate the system upon advice (e.g. remove the network cable), and do not turn off the machine, as that is likely to kill off traces. Start the tracing and damage assessment, as this account's activities will have started very early and will have laterally explored the file server, database server and critical services at the backend. The endpoints are also entry points. They are probably trying to exfiltrate loot to the internet via callbacks from the compromised systems, or even via email.

Also change the system logins for the machines suspected to be on the trail of these activities. This includes users' enterprise and even personal online login credentials, as saved passwords, or anything entered during browsing done after this, will likely be siphoned too.

You can also do a quick check on the hosts file to see if there are any new and suspicious additions (or even a duplicate of the "hosts" file, one with a Unicode filename), and likewise check all browsers for any new and unknown plugins installed. The latter may be part of a package installation done recently, or of a certain site (with malvertising) visited which you allowed unknowingly too. This can also include plugins for MS Office and Adobe Reader.

Nonetheless, AV scanning and network security log analysis must proceed concurrently, as damage can be spreading while the data leak is ongoing. The key now is to isolate, mitigate and analyse the source of infection, then remediate. Also, if the breach is confirmed or unknown, consult the security team for further action, or even engage a third party for the forensic aspect. Breach notification is also not to be neglected, as part of complying with local authority regulation; the security team should know all these as part of their incident handling.
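The two answers above call for enumerating the privileged accounts, checking how the "sys" account was used, and inspecting the hosts file. The following PowerShell script is an added example that is not part of the thread; it assumes the ActiveDirectory (RSAT) module is available, that the Security event log is readable, and it uses the 90-day window and the suspect account name "sys" as placeholders.

```powershell
# Added example, not part of the thread. Assumes the ActiveDirectory module (RSAT)
# is installed and the script runs as an account that can read the Security log.
Import-Module ActiveDirectory

# 1. Enumerate privileged accounts so each password can be rotated (first answer).
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties whenCreated, LastLogonDate, Enabled
$admins | Sort-Object whenCreated -Descending |
    Format-Table SamAccountName, Enabled, whenCreated, LastLogonDate -AutoSize

# 2. Accounts created recently; an unexpected account such as the "sys" user from
#    the thread would surface here. The 90-day window is an assumption.
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { whenCreated -ge $cutoff } -Properties whenCreated, Description |
    Format-Table SamAccountName, Name, whenCreated, Description -AutoSize

# 3. RDP logons (event 4624, logon type 10 = RemoteInteractive) for a suspect
#    account, with source address, to scope where the sessions came from.
$suspect = 'sys'   # placeholder taken from the thread
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -eq '10' -and $d.TargetUserName -eq $suspect) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName
                               Source = $d.IpAddress; Workstation = $d.WorkstationName }
        }
    } | Format-Table -AutoSize

# 4. hosts file: list every active (non-comment) entry, and any extra file in the
#    etc directory whose name contains non-ASCII characters (the look-alike
#    "hosts" copy the accepted answer warns about).
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
Get-Content (Join-Path $etc 'hosts') | Where-Object { $_ -match '^\s*[^#\s]' }
Get-ChildItem $etc -Force | Where-Object { $_.Name -match '[^\x00-\x7F]' } |
    Format-Table Name, Length, LastWriteTime -AutoSize
```

Run it from a clean, trusted workstation against the domain rather than on the suspect server, so the output itself cannot be tampered with by whatever is still running there.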

Author Comment

ID: 40474284
Seems closing a few ports in the on-premises firewall, securing admin accounts, and preventing RDP access has put a stop to the activity (for the past 10 days or so). At least we have a bit of a breather to pursue further mitigation.

Thanks for your suggestions!
