Nasty Trojan / Virus HELP! :(

[jared_c]

I can't find any information on this. As a lot of you know, I have been having some network problems recently. Well, I think I found out the problem. My Windows 2000 Server machine has been ifnected by a nasty Trojan / combo of Trojans.

I posted a few weeks ago about weird login attempts into my FTP. Specifically people trying to log in as weird names such as "spring" and "upload". I also mentioned they were coming from China IP Addresses.

Well lately I have been having major bandwidth problems. My web server was sending and recieving so much data that my entire 1 mbps DSL connection was screwed. I was getting ping replie of over 1500 ms. Terrible.

So I started messing around with the web server. I noticed that right before the web server shutsdown the ping reply quick went back to normal. Same as when the server is started. It would be excellent ping time, then about a minute later after all the services started the ping reply would turn to crap again.

I went through my windows services, and started stopping them one by one while i did a constant ping from outside the network. I got to one service and stopped it, suddenly the ping turned back to normal. That service was the culprit. Turns out it was Serv-U FTP by Rhinosoft. Running secretly in the background on some really high port. After I looked into it more, I found out there was a hidden folder on my hard drive called download which contained over 14 gigs of Chinese porn movies.

I uninstalled Serv-U. Typically the program was built to look like it was a professional useful program, but every knows that it is made to be used by crackers. Just like BO2K. with options to hide the fact that it is running. Anyway I remove that, delete all the porn.

Then I find a txt. file named: SanTuo.txt in my c: drive which contains the admin login, password, and server name. I delete it, but when I restart the text file is re-written. I tried doing research about this file in google, but I only get a result of about 10 chinese web sites. Could this possibly be a Trojan that has not been picked up yet? I have Norton AntiVirus Corporate Edition installed on the servers as of yesterday, but it doesn not pick up any viruses or trojans. I did a full system scan, and nothing.

So basically does anyone have any information on a virus/trojan that creates a text file: SanTuo.txt? I searched the forums, and nothing. I searched other security sites such as securityfocus.com and came up with nothing. Pretty freakin nasty. I want to get to the bottom of this before I change my admin password.

I am boggled about how this person got it installedon the system. I have locked down the computer a lot after the installation date, thanks to the help of o guys, so it was installed before I started locking down the box. Previously NETBIOS over TCP/IP was enabled, but I am not sure if that is how the person was actually able to run and install that trojan.

Any help would be appreciated. Crazy stuff. I never thought securty would get so complex.

[khakisrule]

Yup, I've gotten trojans that rewrite themselves too. I got rid of one by making sure there were no registry keys related to that program. Then I did a thorough search of the computer for unknown files. Then I got a program to let me customize my startup, I found the file that was recreating the trojan and deleted it. Best chance is to do that, try looking through your computer for anything that looks unusual, like system32.exe, thats what I had. You might want to try retstarting in safe mode to run the program and also release your IP, you don't want to run the risk of letting somebody into your computer. And make sure you look through the registry, do you have win2k? I don't know if win2k has a registry, probably does though. BTW got any porn left? j/k

EDIT: BTW my NAV never detected the virus before, I scan every program that I run, and NAV never said a thing. And even later, when I ran a port scanner and found some unexplained open ports, and realized system32.exe which I has become suspicious about was a trojan, I did a full computer AV scan, still nothing from NAV. I don't know why that is, in the end, my computer became slow and laggy, my ram was being used for no reason, and my h/d would start spinning, my whole computer screwed up. I had to reinstall windows. SO... BACKUP YOUR IMPORTANT DATA NOW!! I wish I had.

[Maverick811]

Has a detailed virus scan not cleaned up your server? That's odd, unless you have gotten a hold of some new undiscovered trojan/virus. I would take the advice of khakisrule, and start looking into your registry for your answers. You may want to try running a registry cleaner, in hopes that it will detect a bad key. It may take some time, but I'd start sifting through the main system folders such as WINNT, WINNT\system, etc, with the Show All Files option turned on and see if you see anything strange. You are obviously still infected with something, it's going to take some digging to find it. Update your DAT files for your AV software, and do a complete scan. I'm quite surprised AV software hasn't picked this thing up.

[DjM]

jared - there is another possibility. This might not be a Trojan at all, you may have be hacked and all this stuff your finding is being put their manually. Is this box behind a firewall?

Cheers:

[alittlebitnumb]

There are FXP groups out there that hijack FTP's for warez, pr0n and the like, and your server could have been hijacked by a person scanning around for open FTP's, finding an opening and upping the files. I do not know how this is done exactly, but I have seen many FXP boards with people scanning, tagging and looking for places to trade this stuff with the quickly depleting resources for posting warez and the like. What bothers me is the text file that is present with your admin pass and other sensitive info in plain text...

Port sniffer, perhaps? If it is a port sniffer, then it would be possible to grab your admin pass then use the machine for whatever you want good permissions or not.

Also, or additionally,

With many exploits for IIS, somebody might have used one of these exploits, made an exploit (more likely the former) to gain access to your machine. As for ServU, somebody might have upped the file in the FTP directory with the modified/poor permissions, installed it remotely, and used that server on a high port to evade your detection; and why not? ServU is not detected on AV anti-trojan anyway, and if I were a warez puppie, that would be ideal...

And if a trojan was upped, there are 1500-2000 trojans and its variants out there and would be kind of difficult to determine what it was in the first place, especially if the attacker removed the server after gaining access to the FTP to serve Orietal pr0n.

However, I could be wrong, but keep us posted. This could be interesting...

[khakisrule]

Serv-u has quite a few exploits, I've heard of plenty, I reccomend you stop using it. Try using the xitami server, it has an http server as well as an ftp server. Its secure and only a handful of exploits have ever been discovered for it. And as for hijacking servers, I would say, find a way to contain the damage, and then let them do it, get all the software you can, wait about 2 days to see if they upload anymore to you and then cut them off with a reinstalled firewall. Make sure to uninstall serv-u. It just isn't that secure.

[jared_c]

It is not behind a firewall... I wish it was, and I want it to be.. but I am having so much trouble finding one that will work with my setup. Maverick, I checked the one you mentioned out, and customer support said SOHO won't do what I need. I would have to get a different model, and I can't afford it.

One thing I noticed in services, there are a lot of services running using c:\winnt\system32\svchost.exe they have -k netsvcs after them. Looks a little strange to me. Any ideas?

[qwerty_smith]

i have some suggestions to help reap some info.

Active Ports, Smartline, inc.
http://www.majorgeeks.com/article.php?sid=682
this one should show all open ports on the machine

Adaware, Lavasoft
http://www.lavasoftusa.com/
should identify anything nw added to registry etc.

Trojan Remover
http://www.simplysup.com/
should find things that look like trojans CAUTION: may find things that are not trojans

hope this helps…

[jared_c]

khakisrule, thanks for the info, but the thing is I didn't install Serv-U. Whoever pulled this off did. I am guessing that is how the trojans got on here to, probably by exploits through that. I think things are a lot better than they were, but now I am cleaning up all the mess, and trying to make sure my system is clean. I'm going to go download a startup editor so I can view the registry keys, and other things that startup at boot. The thing is there are so many services under Windows services right now I don't know what ones are legit, and what ones aren't. Sucks.

[nebulus200]

http://www.blkviper.com/WIN2K/win2k.htm

Good about listing which services there are and whether you need them or not. Most of the calls to service are probably legit, not really sure why M$ does it that way, but it does do it alot. If you have any other spare machines around, you might could install a regular copy of win2k and use it as a baseline to compare with what you have...

There are also some tools available that will allow you to see what ports you have opened on your system, what process is using them, etc. Those can be helpful in detecting trojan's.
There are some somewhat helpful tools at :
www.incident-response.org/windows.htm


Now as to what originally happened, you mentioned you had netbios over tcp/ip turned on. Do you have your administrative shares and anonymous access restricted ? That would definitely be a way in...I am assuming you are using IIS as the web server...how much securing did you do ? Did you turn off index service, did you have all the latest patches, etc ?

Neb