Solved

Cyrillic/Russian text in Windows Explorer on Windows Server 2007 Standard

Posted on 2014-11-14
Last Modified: 2014-12-01
Recently, it was brought to my attention that a server running Windows 2007 Standard edition randomly displays Russian webpages in the default browser without having launched the browser. It is also defaulting to Cyrillic text when typing in new folder names, or trying to type in the name of an executable in the Run line, or in typing text in WordPad on the system. I noticed WinRAR (ru) was also installed, as was Firefox (ru), both of which I uninstalled. I also ran TDSSKiller and it found nothing. I ran Malwarebytes as well, with only a minor "PUP" object discovered. I also noticed a .txt file (2K in size) with a name in Russian, and the contents are also in Russian (I see some email addresses in it with @mail.ru). It appears to be a Windows install log file of some sort.

I checked the Regional and Language settings in Control Panel and they are all set to the correct, US, settings.
I certainly want to find and remove the cause of what clearly appears to be an infection despite the inability of the tools I have used to locate and remove it. However, I would first like to reset the Windows Explorer setting(s) that are causing anything I type to appear in the Cyrillic font type. So, any assistance on both the search for and removal of the infection, and the correction of the text would be greatly appreciated.
0
Question by:ks157

Author Comment

by:ks157
ID: 40443277
Update since this initial post. I happened to log into this server again and noticed a user, "sys", also had an RDP session open (was the same user that had a few browser sessions running with the Russian websites). I checked the account in AD and it had "sys" for the first and last name. I am suspicious that this account was created by a hacker to gain access to the server (it was a member of domain admins). I disabled the account in AD and killed the RDP session. I also noticed (not sure if after these prior actions I mentioned) that the Cyrillic text has ceased and I can now type in Wordpad and explorer and it will appear in English text now, so it seems part of my initial requests have been automatically (best described perhaps as automagically) resolved. I still would appreciate some suggestions on searching out what appears to be malicious activity. I do not administer this system, I was asked to look at it. It also seems way behind on Windows patches, so that will be my next project while I wait for ideas on searching for infections.
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 40444162
Time to enumerate all the administrative users and change all of their passwords. Unfortunately, you have proof of being compromised; the backdoor may still be wide open and no machine in the network can be fully trusted as of now.
0
 
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 40446627
It is clearly compromised, with such a privileged account created. Inform the security or sys admin in charge, isolate the system upon advice (e.g. remove the network cable), do not turn off the machine as that is likely to kill off traces, and start the tracing and damage assessment, as this account's activities will have started very early, laterally exploring the file server, database server and critical services at the backend. The endpoints are also an entry point. They are probably trying to exfiltrate loot to the internet via callback through the compromised systems or even via email.

Also change the system login for the machine suspected to be on the trail of these activities. This will include the users' enterprise and even their personal online login credentials, as saved passwords, or those used while browsing after this, will likely be siphoned too.

You can also do a quick check on the hosts file to see if there are any new and suspicious additions (or even a duplicate of the "hosts" file where one has a Unicode filename), and likewise on all browsers whether there are any new and unknown plugins installed. The latter may be part of a package installation done recently, or of a certain site (with malvertising) visited, which you may have allowed unknowingly too. This can also include plugins for MS Office and Adobe Reader.

Nonetheless, AV scans and network security log analysis must ensue concurrently, as damage can be spreading while the data leak is ongoing. The key now is to isolate, mitigate and analyse the source of infection, then remediate. Also, if the breach is confirmed or unknown, you can consult the security team on further action or even engage a third party for the forensic aspect. Breach notification is also not to be neglected as part of complying with local authority regulation; the security team should know all this as part of their incident handling.
0
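The hosts-file check suggested in the accepted answer, as an added example that is not part of the original thread: a Python script that lists non-default entries in a collected copy of the hosts file and flags file names that render like "hosts" but contain look-alike letters. The sample bytes, the directory listing and the small look-alike map are constructed for illustration.

```python
import unicodedata

# Mappings a stock hosts file may contain; anything else is reviewed by hand.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Hand-picked Cyrillic letters that render like Latin ones (an assumption for
# this example, not a complete confusables table).
CONFUSABLES = {"\u043e": "o", "\u0455": "s", "\u04bb": "h"}


def added_entries(hosts_bytes):
    """Return (ip, name) pairs that are not stock localhost mappings."""
    text = hosts_bytes.decode("utf-8-sig", errors="replace")  # tolerate a BOM
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, then tokenize
        for name in fields[1:]:
            pair = (fields[0], name.lower())
            if pair not in DEFAULT_ENTRIES:
                found.append(pair)
    return found


def skeleton(name):
    """Lower-case a file name and fold look-alike letters to ASCII."""
    return "".join(CONFUSABLES.get(c, c) for c in name.lower())


def lookalike_files(names, target="hosts"):
    """Return (name, non-ASCII code points) for names that imitate `target`."""
    flagged = []
    for name in names:
        if name.lower() != target and skeleton(name) == target:
            odd = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                   for c in name if ord(c) > 127]
            flagged.append((name, odd))
    return flagged


# Constructed sample input: hosts-file bytes and an "etc" directory listing in
# which the second entry spells "hosts" with a Cyrillic o (U+043E).
SAMPLE_HOSTS = (b"# constructed sample\r\n127.0.0.1 localhost\r\n"
                b"192.0.2.10 portal.example.test www.portal.example.test\r\n")
SAMPLE_LISTING = ["hosts", "h\u043ests", "lmhosts.sam", "networks", "services"]

if __name__ == "__main__":
    print(added_entries(SAMPLE_HOSTS))
    print(lookalike_files(SAMPLE_LISTING))
```

Run it against a copy of the `etc` directory taken from the suspect machine; every reported entry still needs a manual decision, since legitimate software also adds hosts entries.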
 

Author Comment

by:ks157
ID: 40474284
Seems closing a few ports in the on-premise firewall, securing admin accounts, and preventing RDP access has put a stop to the activity (for the past 10 days or so). At least we have a bit of a breather to pursue further mitigation.

Thanks for your suggestions!
0
