Avast WEBforum
Business Products => Archive (Legacy) => Avast Business => Avast Server Protection => Topic started by: csmith on March 12, 2006, 10:40:01 AM
-
Just did a scan on my Win 2000 server and it came up with a virus which it said it could not deal with.
The path/file was given as
C:\WINNT\system32\os2\com\con\prn\iosys\site\0day_0730\Active.WebCam.v5.0.Cracked.WinAll-CPHV\cphv1acw.zip\Active.WebCam.v5.0.Cracked.WinAll-CPHV.part1.rar\crack\WebCam.EXE\[ASPack]
But in fact this structure only goes down as far as
C:\WINNT\system32\os2\
If I drop the full path name into windows explorer it says 'error'
I'm using avast! 4 Server Edition, (2 years) since Oct 05
It actually found two others also at the same time which it put in the chest and I then deleted .. they were
C:\WINNT\system32\os2\com\con\prn\iosys\site\0day_0730\River_Past_Screen_Recorder_v5.0.3_Incl_Keygen-UCF\ucfsr503.zip\keygen.exe
and
C:\WINNT\system32\wbem\ser.exe
Any suggestions about this .....
Thanks
Chris
-
Well, I'm not sure if it's really a virus (what was the exact malware name reported?) - but it seems that your server is being abused for unauthorized software distribution - there may be a lot of illegal software in these folders.
The path uses reserved filenames (con, prn) and it's not possible to manipulate the files in the ordinary way (e.g. using Explorer). Try to use the command line (cmd.exe) and prefix the path with \\?\ - you should be able to access it that way.
You may want to delete the whole folder C:\WINNT\system32\os2, I think?
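The reserved-name trick and the `\\?\` prefix described in the reply above, as an added example that is not part of the forum thread or of avast!: a small Python script that flags path components which are Windows reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) and builds the extended-length `\\?\` form of a path so it can be passed to cmd.exe or the Win32 API. The function names are this example's own; the path it is checked against is the one from the first post.

```python
# Added example for this thread (not from the forum or avast!): detect path
# components that are Windows reserved device names, the trick used in the
# C:\WINNT\system32\os2\com\con\prn\... path above, and build the \\?\
# extended-length form that cmd.exe and the Win32 API accept for such paths.
# Function names are this example's own.
import os
import re
import sys
from typing import List

# Reserved device names per the Win32 file-naming rules. Under classic name
# parsing a trailing extension does not make one legal ("con.txt" is still CON).
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_name(component: str) -> bool:
    """True if a single path component names a reserved device (case-insensitive)."""
    base = component.split(".", 1)[0].rstrip(" ").upper()
    return base in _RESERVED


def reserved_components(path: str) -> List[str]:
    """Return the reserved-name components of a path, in order. Accepts
    either separator so it can be run against pasted paths on any OS."""
    return [p for p in re.split(r"[\\/]+", path) if p and is_reserved_name(p)]


def extended_path(path: str) -> str:
    r"""Return the \\?\ extended-length form of a drive or UNC path, which tells
    Win32 to skip normal name parsing so reserved names become reachable.
    Relative or already-prefixed paths are returned unchanged."""
    if path.startswith("\\\\?\\"):
        return path
    if re.match(r"^[A-Za-z]:\\", path):
        return "\\\\?\\" + path
    if path.startswith("\\\\"):  # UNC: \\server\share -> \\?\UNC\server\share
        return "\\\\?\\UNC\\" + path[2:]
    return path


def find_reserved_entries(root: str) -> List[str]:
    """Walk a tree and return every directory or file whose own name is a
    reserved device name. The walk starts from the extended form of root so
    that, on Windows, directories named CON or PRN can still be listed."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(extended_path(root)):
        for name in dirnames + filenames:
            if is_reserved_name(name):
                hits.append(os.path.join(dirpath, name))
    return hits


if __name__ == "__main__":
    # Usage: python reserved_names.py <root-directory>
    for hit in find_reserved_entries(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("reserved-name entry:", hit)
```

Note that a plain `com` component is not reserved (only `COM1` to `COM9` are), so on the pasted path the script reports `con` and `prn`; those two are what stop Explorer from opening the folder, and the `\\?\` form is what lets a `rd /s` from cmd.exe reach it.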
-
Looks like something fishy is definitely going on there... The "con" in the pathname is a clear indication that someone/something is trying to HIDE some data on your hard drive... I'd recommend also looking at which TCP/IP ports are open - use e.g. tcpview to get a basic overview http://www.sysinternals.com/Utilities/TcpView.html
Thanks
Vlk
-
Am having to split my message as too long for forum ... so please see both parts
YES ... I've definitely been hijacked .... hopefully the information below can help you advise me what to do ......
Have used TCPView (Thanks.. I didn't know of this utility)
and the results are
aspnet.exe:584 TCP iesf:40000 iesf:0 LISTENING
ctfmon.exe:684 TCP iesf:3068 iesf:0 LISTENING
ctfmon.exe:684 TCP iesf:31909 iesf:0 LISTENING
dnsadm.exe:788 TCP iesf:2200 iesf:0 LISTENING
eventlog.exe:824 TCP iesf:8899 iesf:0 LISTENING
IBackground.exe:1832 TCP iesf:1052 iesf:0 LISTENING
IBackground.exe:1832 TCP iesf:1052 ibackup.com:https CLOSE_WAIT
inetinfo.exe:1272 TCP iesf:ftp iesf:0 LISTENING
inetinfo.exe:1272 TCP iesf:smtp iesf:0 LISTENING
inetinfo.exe:1272 TCP iesf:http iesf:0 LISTENING
inetinfo.exe:1272 TCP iesf:https iesf:0 LISTENING
inetinfo.exe:1272 TCP iesf:1043 iesf:0 LISTENING
inetinfo.exe:1272 TCP iesf:9149 iesf:0 LISTENING
inetinfo.exe:1272 UDP iesf:1044 *:*
inetinfo.exe:1272 UDP iesf:3456 *:*
inetinfo.exe:740 TCP iesf:1028 iesf:0 LISTENING
inetinfo.exe:740 TCP iesf:1032 iesf:0 LISTENING
inetinfo.exe:740 TCP iesf:1036 iesf:0 LISTENING
inetinfo.exe:740 TCP iesf:30001 iesf:0 LISTENING
inetinfo.exe:740 TCP iesf:1027 iesf:0 LISTENING
inetinfo.exe:740 TCP iesf:1027 localhost:1028 ESTABLISHED
inetinfo.exe:740 TCP iesf:1028 localhost:1027 ESTABLISHED
inetinfo.exe:740 TCP iesf:1031 iesf:0 LISTENING
inetinfo.exe:740 TCP iesf:1031 localhost:1032 ESTABLISHED
inetinfo.exe:740 TCP iesf:1032 localhost:1031 ESTABLISHED
inetinfo.exe:740 TCP iesf:1035 iesf:0 LISTENING
inetinfo.exe:740 TCP iesf:1035 localhost:1036 ESTABLISHED
inetinfo.exe:740 TCP iesf:1036 localhost:1035 ESTABLISHED
inetinfo.exe:768 TCP iesf:1026 iesf:0 LISTENING
inetinfo.exe:768 TCP iesf:1030 iesf:0 LISTENING
inetinfo.exe:768 TCP iesf:1034 iesf:0 LISTENING
inetinfo.exe:768 TCP iesf:30003 iesf:0 LISTENING
inetinfo.exe:768 TCP iesf:1025 iesf:0 LISTENING
inetinfo.exe:768 TCP iesf:1025 localhost:1026 ESTABLISHED
inetinfo.exe:768 TCP iesf:1026 localhost:1025 ESTABLISHED
inetinfo.exe:768 TCP iesf:1029 iesf:0 LISTENING
inetinfo.exe:768 TCP iesf:1029 localhost:1030 ESTABLISHED
inetinfo.exe:768 TCP iesf:1030 localhost:1029 ESTABLISHED
inetinfo.exe:768 TCP iesf:1033 iesf:0 LISTENING
inetinfo.exe:768 TCP iesf:1033 localhost:1034 ESTABLISHED
inetinfo.exe:768 TCP iesf:1034 localhost:1033 ESTABLISHED
inetservice.exe:892 TCP iesf:3333 iesf:0 LISTENING
inetservice.exe:892 TCP iesf:4068 iesf:0 LISTENING
inetservice.exe:892 TCP iesf:41909 iesf:0 LISTENING
LSASS.EXE:268 UDP iesf:isakmp *:*
msdtc.exe:1284 TCP iesf:1042 iesf:0 LISTENING
mstask.exe:1064 TCP iesf:1037 iesf:0 LISTENING
scvhost.exe:1056 TCP iesf:8787 iesf:0 LISTENING
sqlservr.exe:992 TCP iesf:ms-sql-s iesf:0 LISTENING
sqlservr.exe:992 UDP iesf:ms-sql-m *:*
svchost.exe:440 TCP iesf:epmap iesf:0 LISTENING
svchost.exe:440 UDP iesf:epmap *:*
System:8 TCP iesf:microsoft-ds iesf:0 LISTENING
System:8 TCP iesf:1045 iesf:0 LISTENING
System:8 TCP iesf:http firewall.conserveschool.org:64038 ESTABLISHED
System:8 TCP iesf:http firewall.conserveschool.org:64040 TIME_WAIT
System:8 TCP iesf:http firewall.conserveschool.org:64052 ESTABLISHED
System:8 TCP iesf:http c-24-14-148-204.hsd1.il.comcast.net:59342 TIME_WAIT
System:8 TCP iesf:http c-24-23-4-210.hsd1.ca.comcast.net:4860 ESTABLISHED
System:8 TCP iesf:http px3so.cg.shawcable.net:49816 ESTABLISHED
System:8 TCP iesf:http 58-186-9-xxx-dynamic.hcm.fpt.vn:17078 ESTABLISHED
System:8 TCP iesf:http 58-186-9-xxx-dynamic.hcm.fpt.vn:17096 ESTABLISHED
System:8 TCP iesf:http pm2-cwco-64-71-208-83.havilandtelco.com:3339 TIME_WAIT
System:8 TCP iesf:http ip68-4-82-226.oc.oc.cox.net:4694 ESTABLISHED
System:8 TCP iesf:http proxy.newingtoncollege.nsw.edu.au:9062 ESTABLISHED
System:8 TCP iesf:http ip70-161-65-125.hr.hr.cox.net:2963 TIME_WAIT
System:8 TCP iesf:http ip70-161-65-125.hr.hr.cox.net:2997 ESTABLISHED
System:8 TCP iesf:http ip70-161-65-125.hr.hr.cox.net:3000 ESTABLISHED
System:8 TCP iesf:http mail.ycis.edu.hk:1164 ESTABLISHED
System:8 TCP iesf:http mtl-a46-041:4914 TIME_WAIT
System:8 TCP iesf:http fj5011.inktomisearch.com:52670 TIME_WAIT
System:8 TCP iesf:http fj5011.inktomisearch.com:54872 TIME_WAIT
System:8 TCP iesf:http bbcache-8.singnet.com.sg:9026 ESTABLISHED
System:8 TCP iesf:http bbcache-9.singnet.com.sg:5862 ESTABLISHED
System:8 TCP iesf:http bbcache-10.singnet.com.sg:53944 TIME_WAIT
System:8 TCP iesf:http bbcache-10.singnet.com.sg:54620 ESTABLISHED
System:8 TCP iesf:http bbcache-11.singnet.com.sg:57310 TIME_WAIT
System:8 TCP iesf:http gw.pool-2.nat.net.kht.ru:4443 ESTABLISHED
System:8 TCP iesf:http gw.pool-2.nat.net.kht.ru:5345 ESTABLISHED
System:8 TCP iesf:http gw.pool-2.nat.net.kht.ru:5948 ESTABLISHED
System:8 TCP iesf:http 195.245.109.122:48225 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48294 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48323 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48488 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48708 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48762 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48882 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48907 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48927 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48930 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48936 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48964 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48966 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:48995 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:49001 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:49008 TIME_WAIT
System:8 TCP iesf:http 195.245.109.122:49015 TIME_WAIT
System:8 TCP iesf:http 202.128.229.45:29675 ESTABLISHED
System:8 TCP iesf:http lj9059.inktomisearch.com:52729 TIME_WAIT
System:8 TCP iesf:http lj9059.inktomisearch.com:52759 TIME_WAIT
System:8 TCP iesf:http lj9115.inktomisearch.com:49744 TIME_WAIT
System:8 TCP iesf:http lj9115.inktomisearch.com:49933 TIME_WAIT
System:8 TCP iesf:http cache-ntc-ac06.proxy.aol.com:44648 TIME_WAIT
System:8 TCP iesf:http 202.163.208.30:2363 ESTABLISHED
System:8 TCP iesf:http 202.163.208.30:2420 ESTABLISHED
System:8 TCP iesf:http 202.163.208.30:2451 ESTABLISHED
System:8 TCP iesf:http proxy5-14.adl2.internode.on.net:18679 ESTABLISHED
System:8 TCP iesf:http proxy5-14.adl2.internode.on.net:19030 ESTABLISHED
System:8 TCP iesf:http proxy6-14.adl2.internode.on.net:18858 ESTABLISHED
System:8 TCP iesf:http proxy7-14.adl2.internode.on.net:23159 ESTABLISHED
System:8 TCP iesf:http 203.210.245.216:57945 ESTABLISHED
System:8 TCP iesf:http 203.210.245.216:51420 ESTABLISHED
System:8 TCP iesf:http adsl.hnpt.com.vn:48634 ESTABLISHED
System:8 TCP iesf:http adsl.hnpt.com.vn:48040 ESTABLISHED
System:8 TCP iesf:http wttaos01.imsbiz.com:57952 TIME_WAIT
System:8 TCP iesf:http pool-71-252-226-75.dllstx.fios.verizon.net:61405 TIME_WAIT
System:8 TCP iesf:http pool-70-107-168-252.ny325.east.verizon.net:4771 ESTABLISHED
System:8 TCP iesf:http 203.210.245.216:40456 ESTABLISHED
System:8 TCP iesf:http adsl.hnpt.com.vn:35946 TIME_WAIT
System:8 TCP iesf:netbios-ssn iesf:0 LISTENING
System:8 UDP iesf:microsoft-ds *:*
System:8 UDP iesf:netbios-ns *:*
System:8 UDP iesf:netbios-dgm *:*
System:8 TCP iesf:http pm2-cwco-64-71-208-83.havilandtelco.com:3405 TIME_WAIT
System:8 TCP iesf:http pool-70-107-168-252.ny325.east.verizon.net:4772 TIME_WAIT
System:8 TCP iesf:http egspd42239.ask.com:41943 TIME_WAIT
System:8 TCP iesf:http adsl.hnpt.com.vn:24114 ESTABLISHED
System:8 TCP iesf:http 203.15.122.35:35745 ESTABLISHED
System:8 TCP iesf:http adsl.hnpt.com.vn:11724 ESTABLISHED
System:8 TCP iesf:http 203.15.122.35:12649 TIME_WAIT
System:8 TCP iesf:http cache6.syd.ops.aspac.uu.net:11525 TIME_WAIT
System:8 TCP iesf:http cache4.syd.ops.aspac.uu.net:28285 ESTABLISHED
System:8 TCP iesf:http 203.15.122.35:52425 ESTABLISHED
System:8 TCP iesf:http 203.15.122.35:34562 ESTABLISHED
System:8 TCP iesf:http 203.15.122.35:21624 ESTABLISHED
System:8 TCP iesf:http 202.138.134.149:49820 TIME_WAIT
System:8 TCP iesf:http pm2-cwco-64-71-208-83.havilandtelco.com:3410 ESTABLISHED
System:8 TCP iesf:http proxy3.utas.edu.au:57172 TIME_WAIT
System:8 TCP iesf:http 70.27.166.146:51393 ESTABLISHED
System:8 TCP iesf:http ip-69-33-143-130.nyc.megapath.net:1174 ESTABLISHED
System:8 TCP iesf:http ip-69-33-143-130.nyc.megapath.net:1173 ESTABLISHED
System:8 TCP iesf:http ip-69-33-143-130.nyc.megapath.net:1172 TIME_WAIT
System:8 TCP iesf:http proxy.newingtoncollege.nsw.edu.au:9087 FIN_WAIT1
Tapii.exe:1092 TCP iesf:1 iesf:0 LISTENING
WinVNC.exe:1180 TCP iesf:5800 iesf:0 LISTENING
WinVNC.exe:1180 TCP iesf:5900 iesf:0 LISTENING
WinVNC.exe:1180 TCP iesf:5900 p627-adslbkksp13.c.csloxinfo.net:1312 ESTABLISHED
===================================
My problem is I do not understand what I'm looking at here.
I do not know how to close/open ports
There is definitely something strange going on with the server as my ISP just sent me a warning
I've posted their warning at
http://www.shambles.net/avast/ispwarningmarch06.txt
which might be helpful to see what the malware? is doing.
In fact my ISP has given me 48 hours to solve this or they are pulling the plug
=====================================
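The TCPView listing in the post above is raw socket state; the poster says he does not understand what he is looking at. As an added example (not from the thread or from Sysinternals), here is a Python script that parses TCPView-style text lines into records and answers the three questions a defender asks first: which process is bound to which ports, which remote hosts hold established connections to which local port, and which listening processes are not on the administrator's own list of known services. The function names are this example's own; the `SAMPLE` lines are copied from the post, and the allowlist in the usage block is just the services the poster says he runs.

```python
# Added example for this thread (not from the forum or Sysinternals): parse
# TCPView-style text output such as the listing pasted in the post above and
# summarise it for triage. Function names are this example's own; the SAMPLE
# lines are copied from the post.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# A subset of the lines posted above, one per socket:
#   process:pid  PROTO  local  remote  [state]   (UDP lines carry no state)
SAMPLE = """\
aspnet.exe:584 TCP iesf:40000 iesf:0 LISTENING
inetinfo.exe:1272 TCP iesf:ftp iesf:0 LISTENING
inetinfo.exe:1272 TCP iesf:http iesf:0 LISTENING
inetinfo.exe:1272 UDP iesf:1044 *:*
inetinfo.exe:740 TCP iesf:1027 localhost:1028 ESTABLISHED
scvhost.exe:1056 TCP iesf:8787 iesf:0 LISTENING
svchost.exe:440 TCP iesf:epmap iesf:0 LISTENING
System:8 TCP iesf:http firewall.conserveschool.org:64038 ESTABLISHED
System:8 TCP iesf:http c-24-23-4-210.hsd1.ca.comcast.net:4860 ESTABLISHED
System:8 TCP iesf:http 195.245.109.122:48225 TIME_WAIT
System:8 UDP iesf:microsoft-ds *:*
WinVNC.exe:1180 TCP iesf:5900 iesf:0 LISTENING
WinVNC.exe:1180 TCP iesf:5900 p627-adslbkksp13.c.csloxinfo.net:1312 ESTABLISHED
"""


@dataclass
class Conn:
    process: str
    pid: int
    proto: str
    local_port: str
    remote_host: str
    remote_port: str
    state: Optional[str]  # None for UDP, which has no connection state


def parse_tcpview_line(line: str) -> Optional[Conn]:
    """Parse one 'proc:pid PROTO local remote [state]' line; None for anything
    else (blank lines, '====' separators, headers)."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    proc, _, pid = tokens[0].rpartition(":")
    if not proc or not pid.isdigit():
        return None
    _, _, lport = tokens[2].rpartition(":")
    rhost, _, rport = tokens[3].rpartition(":")
    state = tokens[4] if len(tokens) > 4 else None
    return Conn(proc, int(pid), tokens[1], lport, rhost, rport, state)


def parse_tcpview(text: str) -> List[Conn]:
    return [c for c in map(parse_tcpview_line, text.splitlines()) if c]


def listeners_by_process(conns: Iterable[Conn]) -> Dict[str, List[str]]:
    """'process:pid' -> sorted 'PROTO/port' list of sockets it is bound to
    (TCP sockets in LISTENING plus every UDP socket)."""
    out = defaultdict(set)
    for c in conns:
        if c.state == "LISTENING" or c.proto == "UDP":
            out[f"{c.process}:{c.pid}"].add(f"{c.proto}/{c.local_port}")
    return {k: sorted(v) for k, v in out.items()}


def established_remote_hosts(conns: Iterable[Conn], local_port: Optional[str] = None) -> Set[str]:
    """Remote hosts holding an ESTABLISHED connection, optionally restricted to
    one local port. Loopback pairs are local IPC, not remote access, so they
    are excluded."""
    return {
        c.remote_host for c in conns
        if c.state == "ESTABLISHED" and c.remote_host != "localhost"
        and (local_port is None or c.local_port == local_port)
    }


def unexpected_listeners(conns: Iterable[Conn], allowed: Iterable[str]) -> List[str]:
    """Listening 'process:pid' entries whose process name is not on the
    administrator's allowlist of known services. The comparison is exact, so a
    look-alike name differing by one letter does not match the real one."""
    known = {a.lower() for a in allowed}
    return sorted({f"{c.process}:{c.pid}" for c in conns
                   if c.state == "LISTENING" and c.process.lower() not in known})


def triage(text: str, allowed: Iterable[str]) -> dict:
    """Run the three summaries over one TCPView listing."""
    conns = parse_tcpview(text)
    return {
        "listeners": listeners_by_process(conns),
        "remote_established": established_remote_hosts(conns),
        "unexpected": unexpected_listeners(conns, allowed),
    }


if __name__ == "__main__":
    # The allowlist is the operator's: the services the poster says are in use.
    report = triage(SAMPLE, ["inetinfo.exe", "svchost.exe", "System", "WinVNC.exe", "aspnet.exe"])
    for proc, ports in sorted(report["listeners"].items()):
        print(f"{proc:20} {' '.join(ports)}")
    print("remote hosts connected:", sorted(report["remote_established"]))
    print("listeners not on allowlist:", report["unexpected"])
```

Run against the full listing (save TCPView's text to a file and pass it to `parse_tcpview`), the per-port view makes it clear that remote hosts on the `http` socket are ordinary web visitors, while an established connection on the VNC port 5900 or a listener held by a process name that is not on the allowlist is what deserves a closer look; the script only sorts the facts, the judgement stays with the administrator.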
-
PART TWO of post
=====================================
I'm using my server (Win2000 server SP2) as a web server
Win 2000 IIS
I use remote backup to a company iBackup to make backups
I use VNC to remotely manage the machine myself
I use WS_FTP for uploading/downloading files
SQL database is running
Visitors to the website are allowed to use a form to upload suggested website details for me to add
see example form at the bottom of the page
http://www.shambles.net/pages/learning/infolit/startpage/#addalink
The server is dedicated & is in a datahosting centre
Other strange anomalies I've noticed
When I restart the machine .... the prompt window has "log off administrator" rather than "Restart Machine" ... which it has always been at when restarting (remotely) for the last 3 years .... I'm a 1,000 miles away from the server physically.
Also noticed twice that when I've recently shut down the machine remotely (with RESTART) it has prompted me to say that there is another user online ... I've never seen that before ... but it did get the adrenalin flowing. (still is)
Today when I connected I found that although AVAST server was installed all the modules had been switched off !!!! .... in fact I only use the standard one anyway
===================================================
I've just switched it back on and am now doing another "Thorough Scan"
including archived files
Virus Database 0611-0, 03/14/06
RESULTS ARE (viruses found)
=====================
File Name: C:\WINNT\system32\os2\com\con\prn\iosys\site\0day_0730\Active.WebCam.v5.0.Cracked.WinAll-CPHV\cphv1acw.zip\Active.WebCam.v5.0.Cracked.WinAll-CPHV.part1.rar\crack\WebCam.EXE\[ASPack]
Malware Name: Win32:Crypto
Malware Type: Virus/Worm
VPS version: 0611-0, 03/14/2006
Action .. DELETED Permanently (except final results say ERROR .. cannot delete)
=====================
File Name: C:\WUTemp\Tool\ser.exe
Malware Name: Win32:Trojan-gen. {Other}
Malware Type: Virus/Worm
VPS version: 0611-0, 03/14/2006
Action .. DELETED Permanently .. seemed successful
====================
FINAL RESULTS OF SCAN
(Drat I cannot seem to 'right click' to copy&paste)
Quite a number of files are shown as 'cannot scan'
SO copied using Screen Shots
see
http://www.shambles.net/avast/screen1.jpg
and
http://www.shambles.net/avast/screen2.jpg
======================
======================
I've just read about
Win32.Crypto
at
http://www.avp.ch/AVPVE/newexe/win32/crypto.stm
and it sounds all doom and gloom ;-(
but does not tell me how to get rid of it .. or repair what it has done.
=======================
MORE INFO
When I look in the folder
C:\WINNT\system32\os2
(a)
I find a file oso001.009
with properties
type of file: "009 FILE"
size 105KB
(b)
I find a folder named "dll"
and inside are two files
"doscalls.dll"
type of file: application extension
size 12,646 bytes
and
"netapi.dll"
type of file: application extension
size 247,860 bytes
====================================
Finally
In the TASK Manager
Applications running are
see
http://www.shambles.net/avast/screen3.jpg
Processes are
see
http://www.shambles.net/avast/screen4.jpg
and
http://www.shambles.net/avast/screen5.jpg
=====================================
Sorry this is rather long .... but trying to consider all the information that might help you help me with what to do.
Thanks
Desperately fighting panic ;-(
Chris
Actually I do like your prompt when AVAST finds something wrong ... "No Need to Panic" ;-)
-
Sorry Guys
A third part to this posting .. more info
I had a look at the User Profiles
see screen shot at
http://www.shambles.net/avast/userprofiles16march06.jpg
I don't remember seeing this
TsInternetUser
profile before .... but that might just be because I've not noticed it and it's been there all the time.
Also now when I go to the Control Panel
I cannot find a "Users and Passwords"
icon in the options ... it's not there.
Thanks
Chris
-
I've found a whole bunch of exe files in
C:\WUTemp\Tool
see screenshot at
http://www.shambles.net/avast/WUtemp_screenshot.jpg
Can I just delete all of these?
They may be part of my problem
Chris
-
C:\WUTemp\Tool
Files on this path could be deleted.
They belong to temporary Windows updates. They will be regenerated when you go to windows update site again ;)
-
Really disappointed with the support this time from the Avast Team
Avast (server edition) seems to have allowed Win32:Crypto virus/worm into my server and doesn't seem to be able to do anything about it now here.
I had higher expectations especially after the initial installation help.
Chris
???
-
Well, I really don't think that the virus is your problem.
According to the path, the malware is stored in a RAR archive - so there's no surprise about avast! not detecting it previously (the Standard Shield doesn't scan RAR or similar archives when writing by default - it would slow down your system very badly). It also means that you are not infected - the virus inside of a RAR archive is not dangerous. (Actually, it might not really be a virus at all - these warez releases are usually packed with very strange packers, and it may even be a false alarm on a crack file... but that's not the point here).
You should delete the whole C:\WINNT\system32\os2\com folder, including subfolders (or even C:\WINNT\system32\os2, I'm not sure if this folder belongs to Win2000 system) - it might contain gigabytes of illegal software.
Then, you should secure your system regarding network access. I'm no expert on network stuff, so I don't know how the stuff got uploaded to your server and how it's downloaded from there - could be misconfigured FTP, web server, or even some remote control stuff...
-
Also, is the server fully patched? This might be a warez problem allowed by unpatched IIS...
-
When I did a W2K Server install a few years ago, before I was even finished someone found the server and started uploading their 'downloads' onto it. I had the latest versions of the most popular movies that were just released to the theatres. I just couldn't get to them.
The first W2K Server releases did not have Security set by default, meaning anyone could do anything on it from anywhere. Like you, it was very difficult to find the files and they could not be accessed because of their length.
I fixed it by taking it off of the Network, formatting and reinstalling, installing all Service Packs and Security features and secure firewalls, then plugging it back into the network. It was much quicker than trying to undo the damage, not knowing the extent of the damage.
-
Better Late Than Never
Just to report back that I did delete everything in the folder
C:\WINNT\system32\os2 ...
and there were no bad effects ... all rubbish files put there by someone.
Did some more scans to check the disk clean.
.. and all has been OK since then .... until the next hacker ;-(
Thanks to those who helped with the suggestions .......
I have been very pleased with avast! Server Edition but I may well be moving to a managed hosting facility where someone will take over the security role ...