-
February 10th, 2006, 07:09 AM
#1
Server hacked or What?
Hi Gals/Guys
My server has been behaving very strangely for the last 3 days. What is happening is that it restarts automatically after showing that memory dump screen. I checked the services and found that a few of them are really strange; although some of them were disabled, they really look fishy.
I have attached the snapshot of the services.
I asked my manager about this and he told me that this happened 5 months ago and he had to re-install the OS because he couldn't find a solution to rectify this problem. Apart from the services I am also attaching a few of the logs which look really strange to me. Hope you people can help me.
My AV is updated, Windows is also updated, I have scanned the system 2-3 times for viruses, and Microsoft AntiSpyware is also running.
Operating System is Windows 2003.
Awaiting your replies
One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
-
February 10th, 2006, 08:21 AM
#2
Okay, here's what I'm seeing (going to be doing some talking out loud, so bear with me). The first unusual happenstance is at 2/10/2006 10:28:49, where a computer with the hostname of "FAIZA$" attempts to connect. Simultaneously the McShield service fails. I know that it's a multi-proc system, so it is entirely possible. Don't know if that's related.
There seem to be a lot of invalid users trying to connect. Do you have firewall logs as well? Because then we could check to see if these users are coming from the same IP/MAC address.
Here's the list of users that are invalid:
KHIDAYAT
IHAFEEZ
MUNAZZA
IMRANYOUNUS
TEHSIN
ZIAULHAQ
KNAFEES
(note this list is by no means complete)
And those names repeat quite often.
Hmm, strange, yet another "stop error" occurred when the user FAIZA tried to connect...
This could also be a problem: "The CPUs in this multiprocessor system are not all the same revision level. To use all processors the operating system restricts itself to the features of the least capable processor in the system. Should problems occur with this system, contact the CPU manufacturer to see if this mix of processors is supported."(bold added by yours truly)
The many, many, many attempts to connect by unauthorized users worry me. If you have firewall logs and tcpdump/windump information we would be able to help you better. Of course also follow up on the processor problems. I think that's the most likely issue.
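An added example, not something posted in the thread: the reply above wants the repeated failed-logon names tied to a workstation or source address. The script below pulls that from the server's own Security log, groups the failures, and also checks whether each failing name is a real account in the domain. It assumes the Windows Server 2003 audit format (event 529, "unknown user name or bad password", whose description carries "User Name:", "Workstation Name:" and "Source Network Address:" lines), PowerShell 2.0 or later, and an account that can read the Security log; Windows Server 2008 and later log event 4625 with different labels, so the filter and labels would need adjusting there.

```powershell
# Added example (not from the thread). Groups failed logons from the Security log by
# account / workstation / source address and checks whether each name exists in AD.
# Assumptions: Windows Server 2003 event 529 text layout, PowerShell 2.0+, rights to
# read the Security log. Event 4625 on 2008+ uses different field labels.

$since  = (Get-Date).AddDays(-3)
$events = @(Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 529 })

function Get-Field([string]$Message, [string]$Label) {
    # Extract "<Label>: <value>" from the event description; '-' if the field is missing
    if ($Message -match "$Label\s*:\s*(\S+)") { return $Matches[1] }
    return '-'
}

function Test-DomainAccount([string]$Name) {
    # True when sAMAccountName exists in the machine's domain (ADSI, no RSAT needed)
    $safe = $Name -replace '[\\()*]', ''      # keep log-supplied text out of the LDAP filter
    if (-not $safe) { return $false }
    $searcher = [adsisearcher]"(sAMAccountName=$safe)"
    return ($null -ne $searcher.FindOne())
}

$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time        = $e.TimeGenerated
        User        = Get-Field $e.Message 'User Name'
        Workstation = Get-Field $e.Message 'Workstation Name'
        Source      = Get-Field $e.Message 'Source Network Address'
    }
}

# Repeated (account, workstation, source) triples, most frequent first. InDomain is
# False for names that do not exist at all, which points at guessing from outside
# rather than at misconfigured internal clients.
$cache = @{}
$rows | Group-Object User, Workstation, Source | Sort-Object Count -Descending |
    ForEach-Object {
        $u = $_.Group[0].User
        if (-not $cache.ContainsKey($u)) { $cache[$u] = Test-DomainAccount $u }
        New-Object PSObject -Property @{
            Count    = $_.Count
            Account  = $u
            Source   = $_.Name
            First    = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            InDomain = $cache[$u]
        }
    } | Format-Table Count, Account, Source, First, InDomain -AutoSize
```

If "Source Network Address" shows as '-' for every row, the server's logon events are not carrying a source address (older audit text), and the firewall logs the reply asks for are the only way to tie the names to an IP.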
-
February 10th, 2006, 08:28 AM
#3
Ok... as far as services go...
WTF is a Gray Pigeon Server?
WTF is Chong3 Me?
Just curious... I don't work with Windows too often, but these seemed odd....
-
February 10th, 2006, 09:12 AM
#4
Both the services are virus attempts that I managed to disable.
Locked
All these are my internal users... I mean authorized users. I am not sure why I am receiving these invalid users; they are defined in AD as well as DNS.
-
February 10th, 2006, 10:24 AM
#5
There are some funny services there which are disabled, but I see your McShield is getting terminated; check that you don't have anything running on the machine that is not supposed to be there.
There seems to be a whole bunch of Netlogon failures and sign-on failures. Some of these errors suggest your client tries to sign or seal the secure channel, or something to that extent. I would check and try to disable the "Digitally encrypt or sign secure channel data (always)" policy. I could be way off, but check your secure logons anyway.
Also, another error suggests that the machine account failed to authenticate, which is usually caused by either multiple instances of the same computer name, or the computer name not having replicated to every domain controller.
Hope this helps you.
----------------------------------------------------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
-
February 10th, 2006, 10:42 AM
#6
AFAIK Gray Pigeon is an open-source(?) RAT (Remote Access Trojan)...
http://www.megasecurity.org/trojans/h/hgz/Hgz_all.html
http://www.sophos.com/virusinfo/anal...graybrdam.html
I highly recommend taking the server offline. Back up the important data and reinstall from original media.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 10th, 2006, 10:16 PM
#7
That's what I figured.
It's not enough that they are disabled. They have to be REMOVED.
And since you seem to have been rooted... Reformat/reinstall.
It's the only safe thing to do.
-
February 11th, 2006, 08:29 AM
#8
About those login failures: all of them are users which are not on the domain, so that's why we are getting messages from them.
Well, I have done the thing... reinstallation... the last solution for Windows, and the best, I think, because if you are not getting to the end of the problem, take the backup and wipe out Windows.
Anyway, d0pp, you said disabling the services is not enough and I should remove them; well, that's what I want to know now. Is there a tool available to delete the services completely from the system for Windows?
-
February 11th, 2006, 08:58 AM
#9
Have you been making any configuration changes to this box? There are some odd entries in that log -- disabling of lots of services (SavRoam, Smart Card, RSoP, Remote Registry, Mainboard Monitor, Distributed Link Tracking Client) is the most surprising.
-
February 11th, 2006, 09:43 AM
#10
@tt!tud3
As I said, after getting that screen dump problem, I looked into the services and every service I found fishy I disabled... After doing that the system started giving too much trouble...
Anyway, if you look at the screenshot and come to the service Mainboard Monitor and read its description, it shows something relating to FTP access for clients, although the service name has no connection to FTP, so it looks fishy to me. A few of the others look suspicious or useless, so I disabled them.
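An added example, not posted by anyone in the thread, for the question in #8 (how to delete a service completely, not just disable it) and the inspection in #10 (a service whose display name and description do not match its binary). It lists every registered service with the file it actually launches, then stops one service, deletes its registration with the built-in sc.exe, and removes the payload. The service short name 'GrayPigeonServer' is a placeholder (assumption); use the real short name from "sc.exe query" or the service's properties dialog, not its display name. This is for a box you are keeping or documenting; the thread's advice to rebuild from original media still stands for a machine that was rooted.

```powershell
# Added example (not from the thread). Inventory registered services by binary, then
# remove one service registration and its payload for good.
# 'GrayPigeonServer' is a placeholder short name (assumption).
# Note: inside PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.

function Get-ServiceBinary([string]$PathName) {
    # Strip arguments from the ImagePath; handles quoted and unquoted paths
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+)')     { return $Matches[1] }
    return $PathName
}

# 1. Inventory, sorted by binary path so entries outside \system32 or \Program Files
#    stand out; compare DisplayName/Description against PathName for mismatches.
Get-WmiObject -Class Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, PathName, Description |
    Sort-Object PathName |
    Format-Table Name, DisplayName, State, StartMode, PathName -AutoSize

# 2. Remove one service completely: stop it, delete the registration, delete the payload.
$svc = 'GrayPigeonServer'   # placeholder, assumption
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
if (-not $wmi) { Write-Warning "No service named $svc"; return }

$exe = Get-ServiceBinary $wmi.PathName
# Services hosted in svchost.exe keep their code in a DLL named under Parameters\ServiceDll;
# read it before deleting the key, because the key goes away with the service.
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
$dll = (Get-ItemProperty -Path "$regKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
sc.exe delete $svc           # marks the service for deletion; the key is gone once all handles close
if ($LASTEXITCODE -ne 0) { Write-Warning "sc.exe delete failed with exit code $LASTEXITCODE"; return }

# Remove the payload, but never a shared host binary such as svchost.exe
if ($dll -and (Test-Path -LiteralPath $dll)) {
    Remove-Item -LiteralPath $dll -Force
} elseif ($exe -notlike '*\svchost.exe' -and (Test-Path -LiteralPath $exe)) {
    Remove-Item -LiteralPath $exe -Force
}

$msg = "Removed service $svc (binary: $exe"
if ($dll) { $msg += ", dll: $dll" }
"$msg). Reboot to complete the deletion."
```

Without PowerShell the same removal is "sc stop <name>" followed by "sc delete <name>" at a cmd prompt, which also exists on Windows Server 2003; the inventory step is the part worth scripting, because a trojan service is usually spotted by its binary path or a description that does not fit its name, exactly as with the "Mainboard Monitor" entry above.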