
Thread: Webserver Messed up

  1. #1
    Member
    Join Date
    Sep 2004
    Posts
    77

    Webserver Messed up

    Here I explain the activity which I have noticed recently on our organization's webserver.

    The Apache webserver is running on Windows 2003 protected by Symantec AV Corporate Edition. The virus definitions were updated up to 20th June.

    For the past several days outward packet transmission has been quite high. The virus spotted was w32.toxbot, making entries in the registry and detected as the files dhcpclnt.exe and netddeclnt.exe in the Windows system folder.

    Though the virus has been cleaned after tweaking the registry, outward packet transmission is still quite high. The result: a user sitting in Australia is complaining to our ISP that a machine from his IP range is trying to port scan his computer.

    Really, netstat revealed that, unknown to us, a large number of ports are opened from our machine (numbered beyond 1024) and trying to scan the internet.. yeah, it's true... the packets are being sent outwards randomly to IPs, say xxx.xx.xxx.12 then xxx.xx.xxx.13 then xxx.xx.xxx.14 and so on, infinite times... trying to open port EPMAP at the remote end machines. SYN_SENT to all those machines and waiting for reply.

    Has the webserver become a net zombie, trying to amass an army of vulnerable machines over the internet, creating a storm of unwanted packets over the internet?

    What may be the reason for it... 'cause no virus is detected by Symantec AV now..

    Help from the experienced minds at Antionline is solicited..

  2. #2
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    The Apache webserver is running on Windows 2003 protected by Symantec AV Corporate Edition. The virus definitions were updated up to 20th June.

    For the past several days outward packet transmission has been quite high. The virus spotted was w32.toxbot, making entries in the registry and detected as the files dhcpclnt.exe and netddeclnt.exe in the Windows system folder.

    Though the virus has been cleaned after tweaking the registry, outward packet transmission is still quite high.
    So did you update your antivirus to the latest virus defs ... because the 20th of June seems a while back now, doesn't it ??

    If you look at this :

    Intelligent Updater:
    Virus Definitions created July 4
    Virus Definitions released July 4
    Norton AntiVirus Corp. Edition:
    Defs Version: 70704i
    Sequence Number: 46379
    Extended Version: 7/4/2005 rev. 9
    Total Viruses Detected: 69962

    LiveUpdate:
    Virus Definitions created June 29
    Virus Definitions released June 29
    Norton AntiVirus Corp. Edition:
    Defs Version: 70629h
    Sequence Number: 46247
    Extended Version: 6/29/2005 rev. 8
    Total Viruses Detected: 69903
    you can see that there are more recent virus defs out there.

    I don't think by tweaking your registry alone you get rid of these viruses.

    If I were you I would use an online antivirus scanner like TrendMicro and start from there ... then scan with antispyware tools and sorts ... most of the time adware and sorts can also be responsible for this kind of strange behaviour.

    Best you take your system off-line too ... scan it in safe mode to be sure to get rid of all nasties.

    And I think you'd better act quick, because if you look at this site you can see what this virus actually does, and you should definitely update because this variant needs virus defs from:
    protection
    # Virus Definitions (Intelligent Updater) :July 01, 2005
    # Virus Definitions (LiveUpdate™) :July 06, 2005

    I'm sure the smart minds on AO will say more or less the same and perhaps give you some more pointers.

    [EDIT]

    Sum Up:

    - Update antivirus defs and rescan system (best offline)
    - Use antispyware tools and check again.
    - Be sure your system is completely clean and better protected before putting it back online.

    [/EDIT]

    C.
    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    Member
    Join Date
    Sep 2004
    Posts
    77
    Yeah, the webserver is offline right now. Updated the virus definitions too, to 4th July. Found a couple of new virus files, netlib.exe and other files, w32.spybot etc. AV cleaned all of them. Trendmicro has also been tried before while online.
    But any time the system is put online it sends out packets in extremely huge amounts. This is a complete mess, owing to the fact that the system is a webserver... we can't format it. Spybot Search and Destroy is also updated and tried along with McAfee's Stinger.
    But the problem still persists. Any other way out of this mess plz... it will be highly appreciated.

  4. #4
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    This is a complete mess, owing to the fact that the system is a webserver... we can't format it
    So basically what you're saying is that you don't have a backup in case things like this happen ??

    That would be .... dumb ... sorry to say.

    Anyway ...as it seems that these viruses/worms keep coming back they have to be coming from somewhere ...

    Did you delete everything from the temp folders (documents and setting and under windows and maybe even under the root) best do this under safe mode?

    Scanned it under safe mode as well?

    Try a process explorer like this one to see which processes are active.
    Also try to do a netstat -b to see which ports are opened by what executable or use a tool like this .

    Maybe HijackThis (found here ) can bring you more insight .

    If you really can't get rid of the pests there remains one solution... reinstall.

    Good luck,

    C.
    Back when I was a boy, we carved our own IC's out of wood.
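
    The symptom described in the first post (many SYN_SENT connections from high local ports to one remote port across consecutive addresses) and the netstat check suggested above can be turned into a quick triage script. This is an added example, not code from any poster; the netstat sample is constructed in the shape of Windows `netstat -ano` output and the PIDs and addresses in it are hypothetical.

```python
"""Flag the netstat pattern from the thread: many outbound TCP connections stuck in
SYN_SENT, from local ports above 1024, to one remote port (135/EPMAP) across
consecutive remote addresses. The sample below is constructed, not captured."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the layout of `netstat -ano` on Windows (hypothetical PIDs/IPs).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1480
  TCP    192.0.2.10:1031        198.51.100.12:135      SYN_SENT        2212
  TCP    192.0.2.10:1032        198.51.100.13:135      SYN_SENT        2212
  TCP    192.0.2.10:1033        198.51.100.14:135      SYN_SENT        2212
  TCP    192.0.2.10:1034        198.51.100.15:135      SYN_SENT        2212
  TCP    192.0.2.10:1035        198.51.100.16:135      SYN_SENT        2212
  TCP    192.0.2.10:80          203.0.113.7:51422      ESTABLISHED     1480
"""

# One TCP row: local addr:port, foreign addr:port, state, owning PID.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return (local_port, remote_ip, remote_port, state, pid) tuples for TCP rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(2)), m.group(3), int(m.group(4)),
                         m.group(5), int(m.group(6))))
    return rows


def find_scan_sweeps(rows, min_targets=4):
    """Group SYN_SENT rows by (pid, remote_port) and report groups whose remote
    IPs run consecutively, the sweep shape the original poster saw for EPMAP."""
    groups = defaultdict(set)
    for lport, rip, rport, state, pid in rows:
        if state == "SYN_SENT" and lport > 1024:
            groups[(pid, rport)].add(int(ip_address(rip.strip("[]"))))
    findings = []
    for (pid, rport), ips in groups.items():
        ordered = sorted(ips)
        if len(ordered) < min_targets:
            continue
        consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if consecutive >= min_targets - 1:
            findings.append({"pid": pid, "remote_port": rport, "targets": len(ordered)})
    return findings
```

    The PID in each finding is what you then look up in Process Explorer or `netstat -b`; as later posts note, on a compromised host the output of these tools is itself not trustworthy.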

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Take the webserver offline. Start it in safe mode and run a full system scan for viruses. The downtime sucks, but it's better than getting blocked by your ISP for constant port scanning. Make backups of all the important info, then nuke the box if you can't clean it.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  6. #6
    Member
    Join Date
    Sep 2004
    Posts
    77
    Thanks Cemetric and XTC for your help. I am yet to remove the temp files and folders from the system.. Maybe the spyware is hidden somewhere in there. Thanks for your links to useful sites to check ports and processes.

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If you look at the definition w32.toxbot point 7..

    It seems you "forgot" to update your server too..

    Don't take any chances.. Take the server off-line, backup the important stuff, reinstall from original media, update it.. restore the backup..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Member
    Join Date
    Sep 2004
    Posts
    77
    After identifying and terminating some processes reported by Process Explorer as malware, along with their thread trees, the activity subsided a lot.

    Hey, there are a lot of exes and batch files in the Windows, system and Administrator/Local Settings folders having awkward names like fg01.exe, isupvsr.exe...... These too seem to be spyware stuff. But after terminating and deleting ISTSVC.exe and MediaCtrlK.exe along with associated process trees and all the temp files which I could find, the activity is under control. ... but don't know for how much time.

    SirDice, I am trying to avoid all the executive formalities which will have to be fulfilled before proceeding towards backing up, formatting, and restoring the system. Because the site being hosted is crucial for the project and organization. Installing Service Pack 1 for Windows 2003 Server also. Maybe the luck will be on my side...

    Also tools suggested by Cemetric for scanning Ports and Processes are extremely helpful.. thanx again for that ..

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by gauravjulka
    SirDice, I am trying to avoid all the executive formalities which will have to be fulfilled before proceeding towards backing up, formatting, and restoring the system.
    You're screwed already.. Cut your losses.. start over and learn from the mistakes you've made...
    There's no way to know what got changed, modified, backdoored whatever..

    None of the programs on that server are to be trusted.. Netstat is a nice tool but if someone 0wn3s your system it might have been modified..

    Because the site being hosted is crucial for the project and organization.
    It's probably also a good time to talk about backups, patch management etc....
    You now have some "ammo" to get the executives to fork out some cash...
    Invest it in a decent hardware firewall and backup equipment..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Also tools suggested by Cemetric for scanning Ports and Processes are extremely helpful.. thanx again for that ..
    No problem glad to help...but

    As I said before and as SirDice mentioned...

    You should have had backups and you should have started to rebuild your server from scratch ...

    That's a lot of "should haves", but again, as SirDice also mentioned ... you can't trust any of those applications that run on your system now since they could have been altered.

    The tools I provided the links for were just to give you a clue as to what it is your system is infected with, and then to use that information to stop it from happening again in the future... preferably on a newly built system.. but that's up to you of course.

    C.
    Back when I was a boy, we carved our own IC's out of wood.
