Hijack Server
ashukh198
18. May 2009 @ 03:33
Hello,

Today, when I checked my server, I saw on my server (Windows Server 2003 Std. with SP2) that one unknown user is showing on my login screen. Its name was "zj2631$" and it has Administrator privileges. It has accessed these folders and files, named:-

saomiao -->
1. 扫描 -->
jimo.bat -->
#########################################
@echo off
color B
title ¼ÅįרÓðæ
echo 125.109.1.1 125.109.255.255 >ip.txt
ip.txt
pause
copy %windir%\system32\cmd.exe cmd.exe >nul
FOR /F "eol=A tokens=1,2" %%a in (ip.txt) do s.exe syn %%a %%b 80 /save
for /f %%a in ('findstr /i "Open" result.txt') do echo %%a>>host.txt
del Result.txt >nul
##########################################
2. saomiao -->
a) cmd.exe
b) IP.txt
c) jimo.bat
d) Result.txt

where these files contain the following:-

a) cmd.exe --- it's the Command Prompt.
b) IP.txt ---- it's showing the following list:-
125.109.1.1 125.109.255.255
c) jimo.bat ---- it's showing the following:-
@echo off
color B
title Special edition of Lonely
echo 125.109.1.1 125.109.255.255 >ip.txt
ip.txt
pause
copy %windir%\system32\cmd.exe cmd.exe >nul
FOR /F "eol=A tokens=1,2" %%a in (ip.txt) do s.exe syn %%a %%b 445 /save
for /f %%a in ('findstr /i "Open" result.txt') do echo %%a>>host.txt
del Result.txt >nul

d) Result.txt ---- it's showing the following:-
----------------------------------------------------------------------------------
Performing Time: 5/18/2009 4:29:40 --> SYN Scan: About To Scan 65279 IP Using 1 Thread
LastIP Scanned: 125.109.15.133:135
Scan 3716 IPs Complete In 0 Hours 0 Minutes 5 Seconds. Found 42 Hosts
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Performing Time: 5/18/2009 4:30:3 --> SYN Scan: About To Scan 65279 IP Using 1 Thread
125.109.2.28 445 Open
125.109.4.155 445 Open
125.109.5.124 445 Open
LastIP Scanned: 125.109.18.173:445
Scan 4524 IPs Complete In 0 Hours 0 Minutes 2 Seconds. Found 3 Hosts
-------------------------------------------------------------------------------

I have run HijackThis v2.0.2 and it shows this result:-

####################################################################
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:51 PM, on 5/18/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\programs\webserver\apache_2.0\Apache2\bin\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft ISA Server\isastg.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe
D:\programs\webserver\apache_2.0\Apache2\bin\Apache.exe
D:\programs\php\xampp_1.6.3a\mysql\bin\mysqld-nt.exe
C:\programs\dbserver\mysql\MySQL Server 5.0\bin\mysqld-nt.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SVCHOST.EXE
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\programs\ruby\InstantRails\InstantRails.exe
D:\programs\webserver\apache_2.0\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\programs\php\xampp_1.6.3a\mysql\bin\winmysqladmin.exe
D:\programs\TortoiseSVN\bin\TSVNCache.exe
D:\programs\php\xampp_1.6.3a\xampp-control.exe
D:\programs\php\xampp_1.6.3a\apache\bin\apache.exe
D:\programs\php\xampp_1.6.3a\apache\bin\apache.exe
D:\programs\Openfire_exodus\bin\openfire.exe
D:\programs\Openfire_exodus\bin\openfired.exe
C:\WINDOWS\System32\logon.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
D:\programs\ruby\InstantRails\InstantRails.exe
D:\programs\webserver\apache_2.0\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\programs\java\jdk1.5\bin\java.exe
D:\programs\ruby\INSTAN~1\MySql\bin\mysqld.exe
D:\programs\php\xampp_1.6.3a\mysql\bin\winmysqladmin.exe
C:\programs\java\jdk1.5\bin\java.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.10/mantis
O4 - HKLM\..\Run: [Instant Rails] "D:\programs\ruby\InstantRails\InstantRails.exe"
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: ACRstartup.bat.lnk = D:\programs\webserver\ACRtomcat\bin\startup.bat
O4 - Startup: is-7L4AI.lnk = C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-7L4AI\startup.exe
O4 - Startup: Shortcut to openfire.exe.lnk = D:\programs\Openfire\bin\openfire.exe
O4 - Startup: Shortcut to startup.bat.lnk = D:\programs\webserver\jakarta-tomcat-5.5.9\bin\startup.bat
O4 - Startup: WinMySQLadmin.lnk = D:\programs\php\xampp_1.6.3a\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\programs\webserver\apache_2.0\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O15 - ESC Trusted IP range: http://203.187.242.74
O15 - ESC Trusted IP range: http://61.12.3.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5C92C0C-8B57-4AD3-9E33-70F896F62954}: NameServer = 203.196.128.4,203.196.128.5
O23 - Service: Apache2 - Apache Software Foundation - D:\programs\webserver\apache_2.0\Apache2\bin\Apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mysql - Unknown owner - D:\programs\php\xampp_1.6.3a\mysql\bin\mysqld-nt.exe
O23 - Service: MySQLCMS - Unknown owner - C:\programs\dbserver\mysql\MySQL.exe (file missing)
O23 - Service: Network Service (Ntwthes) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - D:\programs\webserver\Tomcat 5.0\bin\tomcat.exe (file missing)
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - D:\programs\php\xampp_1.6.3a\service.exe

--
End of file - 5823 bytes

####################################################################


Can someone do me a favour and check or remove this, what happened with that system? On the server McAfee Anti-Virus is running, and when I checked this from my laptop where AVG is installed, it showed one alert message while accessing that server for a virus: Trojan Horse Genric5.hnp

--

Regards
Ashu Khan
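A triage pass over the O4, O15 and O23 entries of a HijackThis log like the one posted above. This is an added example, not code from the thread or from HijackThis itself; the sample lines are copied from the posted log, and the review rules (the built-in-account name heuristic, the drive-root path check, the Desktop autostart check) are my own assumptions about what deserves a manual look.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread
SAMPLE_LOG = r"""
O4 - Startup: is-7L4AI.lnk = C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-7L4AI\startup.exe
O15 - ESC Trusted IP range: http://203.187.242.74
O15 - ESC Trusted IP range: http://61.12.3.82
O23 - Service: Apache2 - Apache Software Foundation - D:\programs\webserver\apache_2.0\Apache2\bin\Apache.exe
O23 - Service: MySQLCMS - Unknown owner - C:\programs\dbserver\mysql\MySQL.exe (file missing)
O23 - Service: Network Service (Ntwthes) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - D:\programs\php\xampp_1.6.3a\service.exe
"""

# Shape of an O23 line: O23 - Service: <display name> - <vendor> - <path> [ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# Built-in account names a rogue service might borrow for its display name (heuristic, my assumption)
BUILTIN_NAMES = ("network service", "local service", "local system")

def review_o23(line):
    """Return the reasons one O23 service entry deserves a manual look (empty list if none)."""
    m = O23_RE.match(line)
    if not m:
        return []
    name, owner, path = m.group("name"), m.group("owner"), m.group("path")
    reasons = []
    if m.group("missing"):
        reasons.append("service points at a file that no longer exists")
    if owner == "Unknown owner":
        reasons.append("binary carries no vendor information")
    # A bare file directly under the drive root (C:\Program.exe) is the classic
    # unquoted-ImagePath artifact; compare with the real ImagePath in the registry
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
        reasons.append("executable sits directly under the drive root")
    if any(b in name.lower() for b in BUILTIN_NAMES):
        reasons.append("display name imitates a built-in Windows account")
    return reasons

def triage(log_text):
    """Walk a HijackThis log; return (line, reasons) for every entry worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("O23 - Service:"):
            reasons = review_o23(line)
        elif line.startswith("O15 - ESC Trusted IP range:"):
            reasons = ["address added to IE's Trusted sites zone (ESC)"]
        elif line.startswith("O4 - Startup:") and "\\Desktop\\" in line:
            reasons = ["autostart entry runs a program from a user's Desktop"]
        else:
            reasons = []
        if reasons:
            findings.append((line, reasons))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the flagged entries; the Apache2 service, which has a vendor and an existing file under a normal install path, produces no finding.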
varnull
18. May 2009 @ 05:12
Serves you right honestly.. you should use a secure system for a server.
That's trashed.. the only solution is a ground-up reinstall.. far too compromised, as the exploit has allowed the person in and they have replaced core parts of your operating system.. and haven't cared that you can see the changes..... that means there are more subtle changes.. like user accounts with wheel/admin rights also.. game over.. reinstall. I suggest something designed for servers like Slackware.

And take it offline immediately.. you are running hidden FTP servers and you don't want to go to prison for distribution of illegal content, do you?

Can I make a quick comment.. I hope you aren't running this server for a business.. or commercially.. If you can't read from the scans that it's beyond saving, you really shouldn't be in charge of a remotely administered server. You can use this as an opportunity to learn about server rootkits and remote exploits... and why 95% of the internet and servers don't run Windows server rubbish.

This message has been edited since posting. Last time this message was edited on 18. May 2009 @ 05:18

ashukh198
18. May 2009 @ 06:00
Hi varnull,

I am really thankful for your valuable comments. I appreciate what you have said, but that is a live server which I cannot re-install. Almost 100 users are using that server, and many sites are hosted on that server. So re-installation and configuring it again would take around 6-7 days, and our resources cannot wait that long to use the server. So we need help to repair that server and make it safe from that kind of attack in future.

Kindly give some info about remote exploits, wheel/admin rights and how we can protect our server from these kinds of attacks.

I have blocked the IP range 125.109.1.1 125.109.255.255, which was opened by this attack, on ISA Server for all protocols. What should I do to resolve its infection and remove it from my server?

Your valuable suggestions are always welcome..

Thanks & Regards

--

Regards
Ashu Khan