
Thread: Nasty Trojan / Virus HELP! :(

  1. #11
    hey jared_c, what service packs are installed, if you don't remember type 'winver' in the run box.

    after you figured out how it happened, don't even consider just changing your admin pwd. you HAVE TO reformat and reinstall. you have no idea whats been changed or added to your system. apply all service packs before you put it back on the internet. then go directly to windows updates and apply all the critical updates.

    the guy selling porn from your box will just blow it off and keep on going, but the kiddies, whose playground you took away, will be out for vengeance.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #12
    khakisrule, thanks for the info, but the thing is I didn't install Serv-U. Whoever pulled this off did
    LOL, sorry, but that really sucks. I was lucky, my trojan was never accessed, when I thought it was being used, I stopped using my net connection and looked to see if the green lights on my modem were flashing, they weren't. Eventually the trojan killed my computer anyways. Well, I've heard of people using programming langs to close sockets, that could work. I dunno though. Go through your folders and put any odd files in google and see what comes up. I didn't do that with system32.exe, but I'm gonna look at that now. ARE YOU BACKING UP!?! Make sure you do. And seriously though, let them upload their warez to you, and then keep it, instead put a small .txt file in your serv-u folder that laughs and swears in chinese. That's better than JUST closing up your ports, better to have revenge. Maybe they even deleted their copies of the software when they uploaded it to you. BTW Didn't you notice 18 gigs that were missing????? And to the bum who swore at me for saying NAV didn't detect my virus and that I was advocating it in another thread, I say this. No AV program is perfect, it depends on the virus, and its popularity. The trojan I had may have been rare and so the Norton team in charge of updates never made a fix for it.

  3. #13
    You have received some really good advice here.

    I was just directed to Anti-Trojan, and it is GREAT software!!! You get 15 days free, so it will help you with your efforts to eliminate any trojans and POTENTIALS for trojans.

    www.antitrojan.net ---- Hey it checks the registry, too!

    Like another poster had mentioned, you MAY have been hacked and Serv-U placed there by the hacker. You know - something as simple as an email attachment would do it.

    Cheers,

    Zadok

  4. #14
    nebulus200, I do have administrative shares and anonymous access restricted now. When things started getting strange I did that. Everyone here helped me out and suggested that be the first thing to do. I do not think I have index service turned off.. What are the potential hazards in this? I do have all the latest service packs and patches installed. I use Windows Critical Notification as well. As for other things I have done to lock down, I have removed all sample files, and also unmapped extensions from IIS that aren't being used such as htr, htw, etc.... No FTP services running have anonymous access enabled.

    Tedob1, I guess that is what I am going to have to do. I will reformat and all that, but I want to get to the bottom of this while I can. Though I look at this as a real shitty thing to happen, I am also looking at it as a major learning experience to help prevent this from happening again. Also it gives me a view from the cracker's side by seeing what they have done.

    khakisrule, thanks for the suggestions, but I want to use this box to host sites. I actually have a few on there now, that is why I am bugging out about this. I can't play around like that. If it was a personal comp, I would, but not a business comp. I do weekly backups, and everything is saved.

    Now for more nitty gritty fun stuff. I just downloaded this really great tool called AATools. It tells me what processes are running on what ports. Currently I am running DNS, IIS, and PCAnywhere. Those are the only programs that should be using ports that are open to the internet.

    Here is what is running on my system. Any ideas? Some ports seem pretty strange.

    dns.exe is running on port 53 which is normal, however it is also running on: 1027, 1028, 102, I do not know if that is normal.
    inetinfo.exe is running on port 25 and 80 which is normal, however it is also running on: 1031, 1033, 3456, I do not know if that is normal.
    lsass.exe is running on 500. I do not know if this is normal
    MsgSys.exe is running on 38037. I have no clue what this is. It is located in: C:\WINNT\System32\MsgSys.exe
    MSTask.exe is running on 1026. This is the task scheduler, I don't know why it has a port open. It is located in: C:\WINNT\system32\MsgSys.exe
    services.exe is running on 1030... I do not know if this is normal. It is located in: C:\WINNT\system32\services.exe
    svchost.exe is running on 135
    System is running on 445. It did not give me any application name.

    Any ideas anyone? The inetinfo.exe running on 3456 seems really strange.
    An Ounce of Prevention is Worth a Pound of Cure...

  5. #15
    nebulus200
    From the first site I referenced:

    FTP Publishing Service inetinfo.exe IIS Admin Service Not Installed. Read More...

    IIS Admin Service inetinfo.exe Protected Storage, Remote Procedure Call (RPC) Maybe. Read More... Automatic

    The blkviper one...Highly recommend reading it to see if you can turn off more...

    Didn't recognize the msg ones, you might want to look a little further into that one...
    Task Scheduler MSTask.exe Remote Procedure Call (RPC) Never. Read More... Automatic Automatic Manual Disabled Disabled Disabled
    Should be running as MSTask not MSgSys...typo ?


    M$ has an interesting habit of making its programs run back to itself (loopback) to do other tasks. I would be interested to know how many of those ports are to loopback or IP Addr 127.0.0.1 and how many were listening (IP Addr 0.0.0.0 or listen)
    Those > 1024 ones should be...

    Fport...
    first thing that turned up in google (used cached page):
    http://216.239.51.100/search?q=cache...hl=en&ie=UTF-8

    38037
    UDP C:\WINNT\System32\MsgSys.EXE

    MsgSys.exe ? This program opened port 38037 when the Norton Antivirus Client was started as a service. In checking the properties of this file, it was actually created by Intel. A thorough search of Intel's web page regarding this file revealed nothing. A search of the disk drive showed that this file was indeed installed during the installation of Norton Antivirus software.

    That article was pretty good and should give you a rough idea of how to search around...

    The indexing service had a buffer overflow vulnerability with it and was turned on by default in Win2k installations (even without IIS running). If your patches are up to date you should be ok, if they weren't before the funky stuff started happening, that is another avenue that someone might have gotten in...

    The basic problem is you unfortunately waited too long to turn up the security on your box. I would recommend backing up your web pages, sorting through them to make sure no scripts or files have been altered, rebuild your server, and then dump the pages back over. That is the only way you are going to be sure that your box isn't still owned...

    Hope that helps,


    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
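    One way to do the loopback-versus-listening sort Neb asks for, as an added example that is not part of this thread: it parses process-annotated listener lines (the kind Fport or a later netstat prints), counts per process how many sockets are bound to 127.x versus exposed on 0.0.0.0, and flags exposed sockets that are not on the expected DNS/IIS allow list. The sample lines are constructed from the list posted above, not the poster's real output, and the allow list is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in netstat -ano style (proto, local address, state, process),
# modelled on the process/port list posted in this thread; not the poster's real output.
SAMPLE_NETSTAT = """\
TCP  0.0.0.0:53       LISTENING  dns.exe
TCP  127.0.0.1:1027   LISTENING  dns.exe
TCP  0.0.0.0:25       LISTENING  inetinfo.exe
TCP  0.0.0.0:80       LISTENING  inetinfo.exe
TCP  127.0.0.1:1031   LISTENING  inetinfo.exe
TCP  0.0.0.0:3456     LISTENING  inetinfo.exe
UDP  0.0.0.0:38037    *          MsgSys.exe
TCP  0.0.0.0:445      LISTENING  System
"""

# Assumed allow list from the thread: DNS and IIS SMTP/HTTP face the internet; add pcAnywhere for your box.
EXPECTED = {("dns.exe", 53), ("inetinfo.exe", 25), ("inetinfo.exe", 80)}

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(\S+)$")

def classify(line, expected=EXPECTED):
    """Return (proto, addr, port, proc, verdict) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, addr, port_s, proc = m.groups()
    port = int(port_s)
    if addr.startswith("127."):
        verdict = "loopback"          # bound to 127.x: not reachable from the network
    elif (proc, port) in expected:
        verdict = "expected"
    elif port >= 1024:
        verdict = "review-high-port"  # often RPC ephemeral ports, but confirm each one
    else:
        verdict = "review-low-port"   # well-known port that is not on the allow list
    return (proto, addr, port, proc, verdict)

def summarize(text):
    """Per process: sockets bound to loopback vs exposed (0.0.0.0 or a real address)."""
    counts = defaultdict(lambda: {"loopback": 0, "exposed": 0})
    for _, _, _, proc, verdict in filter(None, map(classify, text.splitlines())):
        counts[proc]["loopback" if verdict == "loopback" else "exposed"] += 1
    return dict(counts)

def needs_review(text):
    """Exposed sockets that are neither loopback nor on the allow list."""
    return [f for f in filter(None, map(classify, text.splitlines()))
            if f[4].startswith("review")]
```

Anything in the review list is a socket the box answers on from the network that the operator did not plan for; each one needs an owner (an RPC-registered service, a known product, or something that should not be there) before the rebuild.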

  6. #16
    Thanks everyone you have been a big help. Neb, thank you for all the links. They are becoming very useful.

    Does anyone know of a good Windows 2000 Server startup registry editor? I still can't figure out what is creating that text file with the information when I boot.

  7. #17
    I would be curious to know if the SanTuo.txt file re-appears if you disconnect the computer totally from the web. I know that some people have suggested an external influence may be creating this file, and this test may prove or disprove that theory. Also, and this is going to sound insane, but try temporarily write protecting the area where the file gets written to. There is an outside chance that Windows will return an error, and you can see what process is causing the write (hey, I said it was a stretch!)

  8. #18
    nebulus200
    If memory serves:
    regedt32:
    HKLM\Software\Microsoft\Windows\Run\

    Might also look under (but probably not)
    HKLM\Software\Microsoft\Windows\RunOnce
    HKLM\Software\Microsoft\Windows\RunOnceEx

    And yes, that was off of a Win2k box...windows is windows I guess...


    Neb

  9. #19
    my fav reg tool is regcleaner from http://www.jv16.org/ ....you can edit reg'd software...startup..uninstall menu...file assoc...shell extensions...new file context ...

    best of all...it's free
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  10. #20
    I would be curious to know if the SanTuo.txt file re-appears if you disconnect the computer totally from the web. I know that some people have suggested an external influence may be creating this file
    Unlikely, this is probably a replicating trojan. I had 'em, they're mean and hard to get rid of until you find the file that is recreating them. BTW also try sysedit and find files that run on startup, and see if they look suspicious. I don't know if sysedit works in win2k but it probably does.
