Thread: process "system:8" opens 400 to 500 listening TCP ports

  #11 - Junior Member (Join Date: Jun 2005, Posts: 9)
    They are inbound TS connections.
    I have a list of all processes running on the server, one from when the server has just started and another from when some client connects to TS and the problem begins. I checked, and the only differences are the TS processes.
    In a while I will send the process lists for your review.
    Thanks a lot.

  #12 - Just Another Geek (Rotterdam, Netherlands; Join Date: Jul 2002, Posts: 3,401)
    If I read your list correctly there are no active TS connections..

    IIRC active TS connections show up as:

    a.b.c.d:3389 x.x.x.x:yyyyy ESTABLISHED

    Where a.b.c.d is your ip address, x.x.x.x is the connecting client and yyyyy is a random port number..

    It looks like you've got a couple of outbound CIFS (netbios) connections..

    Even if it's a terminal server that still wouldn't explain the huge amount of ports listed as LISTENING. Maybe some user installed a P2P application?
    Oliver's Law:
    Experience is something you don't get until just after you need it.
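    As an added example (not code from the thread), here is a small Python parser for the Windows "netstat -an" output the post above describes. It applies three checks from the discussion: the ESTABLISHED rows on local port 3389 that mark live TS sessions, outbound connections to the CIFS/netbios ports 139 and 445, and the LISTENING TCP ports inside the 400 to 500 range named in the thread title. The netstat sample is constructed for this example using RFC 5737 documentation addresses; on the real server you would redirect "netstat -an" to a file at the two moments described in the thread (just after boot, and ten minutes into a TS session) and feed both files through it.

```python
import re

# Constructed sample of "netstat -an" output for this example (not from the
# thread). 192.0.2.10 stands in for the server, 198.51.100.7 for the TS client,
# and 203.0.113.x for hosts the server is reaching out to.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:412            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:413            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:414            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:1047      ESTABLISHED
  TCP    192.0.2.10:1201        203.0.113.45:139       SYN_SENT
  TCP    192.0.2.10:1202        203.0.113.46:445       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: protocol, local addr:port, foreign addr:port, optional state
# (UDP rows carry no state column, so the last group may be empty).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")

TS_PORT = 3389                  # Terminal Services / RDP listener
CIFS_PORTS = {"139", "445"}     # netbios-ssn and direct-hosted SMB


def parse_netstat(text):
    """Return netstat rows as dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                         "raddr": raddr, "rport": rport, "state": state})
    return rows


def ts_sessions(rows):
    """Live TS sessions: ESTABLISHED TCP rows on local port 3389, as (client, port)."""
    return [(r["raddr"], r["rport"]) for r in rows
            if r["proto"] == "TCP" and r["lport"] == TS_PORT
            and r["state"] == "ESTABLISHED"]


def outbound_cifs(rows):
    """Connections the server itself opened (or is opening) to a remote CIFS port."""
    return [r for r in rows if r["proto"] == "TCP"
            and r["rport"] in CIFS_PORTS
            and r["state"] in ("ESTABLISHED", "SYN_SENT")]


def listening_in_range(rows, low, high):
    """Sorted TCP ports in LISTENING state within [low, high]."""
    return sorted(r["lport"] for r in rows if r["proto"] == "TCP"
                  and r["state"] == "LISTENING" and low <= r["lport"] <= high)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("TS sessions:", ts_sessions(rows))
    print("outbound CIFS:", [(r["raddr"], r["rport"]) for r in outbound_cifs(rows)])
    print("LISTENING 400-500:", listening_in_range(rows, 400, 500))
```

    Comparing listening_in_range() between the boot-time capture and the capture taken once the symptom appears gives the exact set of new listeners. Note that netstat on Windows 2000 has no switch to print the owning process of a socket, so tying those ports back to a PID needs a separate port-to-process tool.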

  #13 - Junior Member (Join Date: Jun 2005, Posts: 9)
    My lists are not complete; they are just an extract.
    Let me try to explain:
    1. I start the server, everything works well; I've left it up for about five days without problem.
    2. A client starts a TS connection to the server.
    3. In about 10 min, the server starts to open LISTENING ports and outbound connections to the netbios port.
    4. I close the TS connection, but the problem continues.
    5. A temporary solution is to restart the server.

    I'm sure that no one installed a P2P application.

  #14 - Just Another Geek (Rotterdam, Netherlands; Join Date: Jul 2002, Posts: 3,401)
    alright, clear on that

    Does this also happen when no TS users log in?
    Does it happen with one user account in particular? With other user accounts?

  #15 - Junior Member (Join Date: Jun 2005, Posts: 9)
    Does this also happen when no TS users log in?
    Nope.
    Does it happen with one user account in particular? With other user accounts?
    With all accounts, it is the same.

    This is the process list when the server is fine and has just been restarted:

    ImageName PID Threads Priority CPU Owner
    Idle 0 2 0 49 Error 0x6 : Invalid handle.
    System 8 42 8 0 Error 0x5 : Access denied.
    SMSS.EXE 156 6 11 0 NT AUTHORITY\SYSTEM
    CSRSS.EXE 216 13 13 0 NT AUTHORITY\SYSTEM
    WINLOGON.EXE 212 20 13 0 NT AUTHORITY\SYSTEM
    SERVICES.EXE 268 32 9 0 NT AUTHORITY\SYSTEM
    LSASS.EXE 280 40 9 0 NT AUTHORITY\SYSTEM
    termsrv.exe 392 13 10 0 NT AUTHORITY\SYSTEM
    svchost.exe 500 10 8 0 NT AUTHORITY\SYSTEM
    spoolsv.exe 528 10 8 0 NT AUTHORITY\SYSTEM
    msdtc.exe 720 26 8 0 NT AUTHORITY\SYSTEM
    Apache.exe 840 3 8 0 NT AUTHORITY\SYSTEM
    DefWatch.exe 872 3 8 0 NT AUTHORITY\SYSTEM
    tcpsvcs.exe 888 17 8 0 NT AUTHORITY\SYSTEM
    svchost.exe 920 30 8 0 NT AUTHORITY\SYSTEM
    pds.exe 956 5 8 0 NT AUTHORITY\SYSTEM
    LLSSRV.EXE 1000 9 9 0 NT AUTHORITY\SYSTEM
    NSCM.exe 1076 20 8 0 PDVSA2000\NetShowServices
    ntfrs.exe 1160 19 8 0 NT AUTHORITY\SYSTEM
    omtsreco.exe 1204 4 8 0 NT AUTHORITY\SYSTEM
    agntsrvc.exe 1332 3 8 0 NT AUTHORITY\SYSTEM
    Apache.exe 1344 51 8 0 NT AUTHORITY\SYSTEM
    Apache.exe 1556 4 8 0 NT AUTHORITY\SYSTEM
    CMD.EXE 1564 1 8 0 NT AUTHORITY\SYSTEM
    dbsnmp.exe 1572 17 8 0 NT AUTHORITY\SYSTEM
    TNSLSNR.EXE 1608 4 8 0 NT AUTHORITY\SYSTEM
    oracle.exe 1684 14 8 0 NT AUTHORITY\SYSTEM
    regsvc.exe 1280 2 8 0 NT AUTHORITY\SYSTEM
    RsFsa.exe 1716 11 8 0 NT AUTHORITY\SYSTEM
    RsSub.exe 1756 4 8 0 NT AUTHORITY\SYSTEM
    mstask.exe 1768 7 8 0 NT AUTHORITY\SYSTEM
    Apache.exe 1836 56 8 0 NT AUTHORITY\SYSTEM
    java.exe 2116 13 8 0 NT AUTHORITY\SYSTEM
    java.exe 2124 11 8 0 NT AUTHORITY\SYSTEM
    Rtvscan.exe 2132 38 8 0 NT AUTHORITY\SYSTEM
    isqlplus 1276 25 8 0 NT AUTHORITY\SYSTEM
    WinMgmt.exe 2384 6 8 0 NT AUTHORITY\SYSTEM
    WINS.EXE 2444 18 8 0 NT AUTHORITY\SYSTEM
    svchost.exe 2456 8 8 0 NT AUTHORITY\SYSTEM
    DNS.EXE 2496 16 8 0 NT AUTHORITY\SYSTEM
    inetinfo.exe 2528 36 8 0 NT AUTHORITY\SYSTEM
    nspm.exe 2592 15 8 0 PDVSA2000\NetShowServices
    nsum.exe 2676 29 8 0 PDVSA2000\NetShowServices
    RsEng.exe 3108 10 8 0 NT AUTHORITY\SYSTEM
    svchost.exe 3196 8 8 0 NT AUTHORITY\SYSTEM
    svchost.exe 3312 12 8 0 NT AUTHORITY\SYSTEM
    explorer.exe 3644 15 8 0 PDVSA2000\ranpaco
    sistray.exe 3656 1 8 0 PDVSA2000\ranpaco
    Keyhook.exe 3904 2 8 0 PDVSA2000\ranpaco
    gcasServ.exe 4104 5 4 0 PDVSA2000\ranpaco
    DUMeter.exe 4084 3 8 0 PDVSA2000\ranpaco
    VPTray.exe 3972 3 8 0 PDVSA2000\ranpaco
    internat.exe 4044 1 8 0 PDVSA2000\ranpaco
    gcasDtServ.exe 3984 7 8 0 PDVSA2000\ranpaco
    WZQKPICK.EXE 3908 1 8 0 PDVSA2000\ranpaco
    CMD.EXE 4112 1 8 0 PDVSA2000\ranpaco
    GIANTAntiSpywar 540 6 8 50 PDVSA2000\ranpaco
    Process.exe 3692 1 13 0 PDVSA2000\ranpaco

    And this is when an inbound TS connection has started and the virus is active:

    ImageName PID Threads Priority CPU Owner
    Idle 0 2 0 41 Error 0x6 : Invalid handle.
    System 8 42 8 0 Error 0x5 : Access denied.
    SMSS.EXE 156 6 11 0 NT AUTHORITY\SYSTEM
    CSRSS.EXE 216 12 13 0 NT AUTHORITY\SYSTEM
    WINLOGON.EXE 212 17 13 0 NT AUTHORITY\SYSTEM
    SERVICES.EXE 268 32 9 0 NT AUTHORITY\SYSTEM
    LSASS.EXE 280 41 9 0 NT AUTHORITY\SYSTEM
    termsrv.exe 392 15 10 0 NT AUTHORITY\SYSTEM
    svchost.exe 504 11 8 0 NT AUTHORITY\SYSTEM
    spoolsv.exe 544 11 8 0 NT AUTHORITY\SYSTEM
    msdtc.exe 712 26 8 0 NT AUTHORITY\SYSTEM
    Apache.exe 836 3 8 0 NT AUTHORITY\SYSTEM
    DefWatch.exe 868 3 8 0 NT AUTHORITY\SYSTEM
    tcpsvcs.exe 884 17 8 0 NT AUTHORITY\SYSTEM
    svchost.exe 908 30 8 0 NT AUTHORITY\SYSTEM
    pds.exe 936 5 8 0 NT AUTHORITY\SYSTEM
    LLSSRV.EXE 992 9 9 0 NT AUTHORITY\SYSTEM
    NSCM.exe 1076 20 8 0 PDVSA2000\NetShowServices
    ntfrs.exe 1168 19 8 0 NT AUTHORITY\SYSTEM
    agntsrvc.exe 1328 3 8 0 NT AUTHORITY\SYSTEM
    Apache.exe 1336 58 8 0 NT AUTHORITY\SYSTEM
    CMD.EXE 1556 1 8 0 NT AUTHORITY\SYSTEM
    dbsnmp.exe 1564 17 8 0 NT AUTHORITY\SYSTEM
    TNSLSNR.EXE 1596 4 8 0 NT AUTHORITY\SYSTEM
    oracle.exe 1672 14 8 0 NT AUTHORITY\SYSTEM
    regsvc.exe 1700 2 8 0 NT AUTHORITY\SYSTEM
    RsFsa.exe 1716 11 8 0 NT AUTHORITY\SYSTEM
    RsSub.exe 1752 4 8 0 NT AUTHORITY\SYSTEM
    mstask.exe 1824 6 8 0 NT AUTHORITY\SYSTEM
    Rtvscan.exe 1904 38 8 0 NT AUTHORITY\SYSTEM
    WinMgmt.exe 696 5 8 0 NT AUTHORITY\SYSTEM
    WINS.EXE 2004 18 8 0 NT AUTHORITY\SYSTEM
    svchost.exe 2012 7 8 0 NT AUTHORITY\SYSTEM
    DNS.EXE 2036 16 8 0 NT AUTHORITY\SYSTEM
    inetinfo.exe 2064 36 8 0 NT AUTHORITY\SYSTEM
    nspm.exe 2140 15 8 0 PDVSA2000\NetShowServices
    nsum.exe 2188 29 8 0 PDVSA2000\NetShowServices
    RsEng.exe 2628 10 8 0 NT AUTHORITY\SYSTEM
    svchost.exe 2740 12 8 0 NT AUTHORITY\SYSTEM
    logon.scr 1796 1 4 0 NT AUTHORITY\SYSTEM
    CSRSS.EXE 3164 11 13 0 NT AUTHORITY\SYSTEM
    WINLOGON.EXE 3168 11 13 0 NT AUTHORITY\SYSTEM
    rdpclip.exe 3356 2 8 0 PDVSA2000\ranpaco
    explorer.exe 3400 14 8 0 PDVSA2000\ranpaco
    sistray.exe 3184 1 8 0 PDVSA2000\ranpaco
    gcasServ.exe 3460 5 4 0 PDVSA2000\ranpaco
    DUMeter.exe 3504 3 8 0 PDVSA2000\ranpaco
    internat.exe 3520 1 8 0 PDVSA2000\ranpaco
    gcasDtServ.exe 3508 4 8 0 PDVSA2000\ranpaco
    WZQKPICK.EXE 3564 1 8 0 PDVSA2000\ranpaco
    CMD.EXE 3612 1 8 0 PDVSA2000\ranpaco
    Process.exe 3576 1 13 0 PDVSA2000\ranpaco

    thanks a lot

  #16 - Just Another Geek (Rotterdam, Netherlands; Join Date: Jul 2002, Posts: 3,401)
    Hmm.. sistray kinda looks funny... Everything else looks legit at first glance..

    You're running apache, oracle and you're serving TS clients on the same machine?
    Hmmm.. I do suggest splitting all these different services across multiple machines..


  #17 - Junior Member (Join Date: Jun 2005, Posts: 9)
    Hehehe, it is a development server; it is in my office for application testing, and the only TS client is me from my home.
    Is there any possibility of a virus/worm infecting a system file, let's say CSRSS.EXE???

  #18 - Just Another Geek (Rotterdam, Netherlands; Join Date: Jul 2002, Posts: 3,401)
    All the recent malware just installs an extra program to mess up your system.. Haven't seen file-infectors for a while..

    Have a look at that sistray.exe. That's definitely not a "regular" windows program. It looks a lot like systray.exe which IS a regular windows program. Because the names look similar I'll bet it's the one we're looking for.

    Take a peek at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.. and see what gets started there. Do the same for HKEY_USERS\user's SID\Software\Microsoft\Windows\CurrentVersion\Run..

    Or download and run Hijackthis and post its log..

  #19 - Senior Member (Join Date: Jul 2004, Posts: 469)
    Sistray could be a tray program for a SiS chipset. If you don't have one, then this should be suspicious.

    Process.exe is what I would look into. That looks very suspicious. Also, what is running in the cmd.exes that show as running?

  #20 - Just Another Geek (Rotterdam, Netherlands; Join Date: Jul 2002, Posts: 3,401)
    Good point Zenger.... I also noticed mstask.exe and a regsvc.exe running as SYSTEM.. Looks suspicious too..

    ranpaco: You seem to have a whole lot of processes running.. Some of these are probably legit but there are definitely a few suspicious ones..

    To make it a little easier for yourself (and us too) shut down apache and oracle.. Log in locally (not through TS).. Close as many programs as possible.. At least the ones you know.. Even better would be to boot into safe mode... Then run Hijackthis... post its log here..

    The reason you need to stop the processes you know is because it'll make the list shorter and therefore easier to search..

    A Hijackthis log will give us a lot of info about processes running... What's started where and what kind of hooks are used..
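    As an added example, not from the thread, here is the triage the last few posts do by eye, done in Python over excerpts of the two process lists ranpaco posted: it diffs the two captures for image names that only appear once the TS session is up, flags names that are near-misses of standard Windows binaries (the sistray.exe versus systray.exe case), counts duplicated image names, and lists whatever is not on a reference list. The reference list of known images is written for this example and is not authoritative; "unknown" means "go and look it up", not "malicious".

```python
import difflib
from collections import Counter

# Reference list of image names (lowercase) written for this example. It is NOT
# an authoritative catalogue of Windows binaries; a name missing from it is
# "unknown, check it", not "malicious".
KNOWN_IMAGES = {
    "system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "termsrv.exe", "svchost.exe", "spoolsv.exe", "msdtc.exe",
    "mstask.exe", "regsvc.exe", "winmgmt.exe", "explorer.exe", "systray.exe",
    "internat.exe", "cmd.exe", "rdpclip.exe", "logon.scr", "llssrv.exe",
    "tcpsvcs.exe", "ntfrs.exe", "wins.exe", "dns.exe", "inetinfo.exe",
}

# Excerpts of the two lists posted above: the clean boot and the state after a
# TS session came in. Same columns as the original (ImageName PID Threads
# Priority CPU Owner); the owner column may itself contain spaces.
BASELINE = r"""
ImageName PID Threads Priority CPU Owner
System 8 42 8 0 Error 0x5 : Access denied.
CSRSS.EXE 216 13 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 212 20 13 0 NT AUTHORITY\SYSTEM
termsrv.exe 392 13 10 0 NT AUTHORITY\SYSTEM
mstask.exe 1768 7 8 0 NT AUTHORITY\SYSTEM
regsvc.exe 1280 2 8 0 NT AUTHORITY\SYSTEM
explorer.exe 3644 15 8 0 PDVSA2000\ranpaco
sistray.exe 3656 1 8 0 PDVSA2000\ranpaco
Keyhook.exe 3904 2 8 0 PDVSA2000\ranpaco
CMD.EXE 4112 1 8 0 PDVSA2000\ranpaco
Process.exe 3692 1 13 0 PDVSA2000\ranpaco
"""

SUSPECT = r"""
ImageName PID Threads Priority CPU Owner
System 8 42 8 0 Error 0x5 : Access denied.
CSRSS.EXE 216 12 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 212 17 13 0 NT AUTHORITY\SYSTEM
termsrv.exe 392 15 10 0 NT AUTHORITY\SYSTEM
mstask.exe 1824 6 8 0 NT AUTHORITY\SYSTEM
regsvc.exe 1700 2 8 0 NT AUTHORITY\SYSTEM
logon.scr 1796 1 4 0 NT AUTHORITY\SYSTEM
CSRSS.EXE 3164 11 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 3168 11 13 0 NT AUTHORITY\SYSTEM
rdpclip.exe 3356 2 8 0 PDVSA2000\ranpaco
explorer.exe 3400 14 8 0 PDVSA2000\ranpaco
sistray.exe 3184 1 8 0 PDVSA2000\ranpaco
CMD.EXE 3612 1 8 0 PDVSA2000\ranpaco
Process.exe 3576 1 13 0 PDVSA2000\ranpaco
"""


def parse_process_list(text):
    """Parse the pasted list into dicts; the first non-blank line is the header."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        image, pid, _threads, _prio, _cpu, owner = line.split(None, 5)
        procs.append({"image": image.lower(), "pid": int(pid), "owner": owner})
    return procs


def new_images(baseline, suspect):
    """Image names present in the suspect capture but absent at clean boot."""
    return sorted({p["image"] for p in suspect} - {p["image"] for p in baseline})


def duplicate_images(procs):
    """Image names that run more than once, with their count."""
    counts = Counter(p["image"] for p in procs)
    return {name: n for name, n in counts.items() if n > 1}


def lookalikes(procs, known=KNOWN_IMAGES, cutoff=0.85):
    """Unknown names that are one or two characters away from a known binary."""
    hits = {}
    for name in sorted({p["image"] for p in procs} - known):
        match = difflib.get_close_matches(name, sorted(known), n=1, cutoff=cutoff)
        if match:
            hits[name] = match[0]
    return hits


def unknown_images(procs, known=KNOWN_IMAGES):
    """Everything not on the reference list, for manual lookup."""
    return sorted({p["image"] for p in procs} - known)


if __name__ == "__main__":
    base = parse_process_list(BASELINE)
    sus = parse_process_list(SUSPECT)
    print("new since boot:", new_images(base, sus))
    print("duplicated images:", duplicate_images(sus))
    print("lookalikes of known binaries:", lookalikes(sus))
    print("not on the reference list:", unknown_images(sus))
```

    Read the duplicate_images() output with the session count in mind: a second csrss.exe/winlogon.exe pair is what an attached Terminal Services session looks like, since each session runs its own copy, so on this server it is expected rather than a finding. The lookalike check is the automated form of the sistray/systray observation above and only catches near-misses of names on the reference list; a process with an unremarkable but unknown name (Process.exe, the extra CMD.EXE instances) still needs its image path and start location checked by hand, which is what the Run-key and Hijackthis suggestions are for.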
