Kaseya Community

Help - New Virus/Malware Possibly

  • OK - here's the story ... on 8 of 10 Windows 2003 servers I noticed just running a port scan (netstat -a) a few open ports that were concerning ... there was some units with 2 or 3 ports connected, and others with 9 or 10 connected to vip762.3322.org .........

    Yes same host and place that was involved in the ActiveX killbits vulnerability, however these boxes are patched against that and have been for awhile .... The ports change when the box reboots, but the ports are not consistent from box to box ... the setup of each box is different, except for Windows 2003 and Kaseya Agents on them, nothing else is the same ...

    KES detects nothing wrong on the boxes, nor does MSRT, Avert Stinger, BlackLight from FSecure, or any other of 5 or 6 different AV Scanners and Rootkit detectors we've run on these boxes.

    The ports appear to just connect and then sit there and listen, and the do nothing else currently ....

    Was hoping someone else has seen this and has an idea of what's going on - I'd hate to rebuild 8 servers all at once ....

    Legacy Forum Name: Help - New Virus/Malware Possibly,
    Legacy Posted By Username: TBK Consulting
  • Looks like it could be related to SQL injection attacks. Is that fully up to date?

    Legacy Forum Name: KES,
    Legacy Posted By Username: Coldfirex
  • Yes I looked at the possibility of SQL Injection attacks - here's the problem tho - not all of the boxes exhibiting this problem have SQL installed on them, they are all Windows 2003, some have SBS some don't ... some have SQL, some don't (that includes the MSDE as well) ... I won't put out that it is not a SQL Injection attack, but I think it's unlikely if the same symptoms are on a box without SQL/MSDE on it ...

    But on the SQL Injection attack - I have found very little information on how to find out if it actually is one, and how to get rid of it if it is ... anyone got some good links for this?

    Legacy Forum Name: KES,
    Legacy Posted By Username: TBK Consulting
  • OpenDNS categorizes it as P2P\File Sharing.
    Whats the router/firewall situation like on most of these servers?
    It looks like Avira might be able to find the infection if you can give that a shot.

    Legacy Forum Name: KES,
    Legacy Posted By Username: Coldfirex
  • We use OpenDNS as well and have used it to block that entire domain - doesn't seem to stop the servers from opening the port connections however ... I'll give Avira a shot in the AM and let you know ...

    Legacy Forum Name: KES,
    Legacy Posted By Username: TBK Consulting
  • Avira Free version does not install on servers, but based upon all the other AVs I have tried I doubt Antivir would be any different and would most likely find nothing.

    Legacy Forum Name: KES,
    Legacy Posted By Username: TBK Consulting
  • Try this

    netstat -aon


    This should produce

    Proto  Local Address          Foreign Address        State           PID


    Then match the PID to the PID in taskman or tasklist (your choice)

    I know its a couple of extra steps and a bit of humbug, but at least you'll know whats firing it.

    Legacy Forum Name: KES,
    Legacy Posted By Username: thirteentwenty
  • interesting results ... on one unit I tried this and the results were not what I expected to see at all .... the ports that netstat -a are showing as close_wait to the far ends LDAP port do not show under netstat -aon at all ... the ports that are showing time_wait, and established are 14757, and 17390 on this unit with reciprocal connections from LDAP on this unit to the same ports on the remote site are showing that DNS.exe is the process running on 14757, and w3wp.exe is running on the 17390 port ....

    I am trying to blackhole this unit with OpenDNS to not allow connections to this host specifically, as well as anything in that domain at all .... so why is DNS on that port and why is showing just as a loopback? is the blackholing actually working? or is this just me being paranoid and seeing something that isn't really there?

    the lines from netstat -aon are as follows --

    TCP 127.0.0.1:14757 127.0.0.1:389 ESTABLISHED 1592=DNS.exe (by tasklist)
    TCP 127.0.0.1:17390 127.0.0.1:10080 CLOSE_WAIT 3840=W3WP.exe (by tasklist)

    and the lines from netstat -a are as follows --

    TCP server:ldap vip762.3322.org:14757 ESTABLISHED
    TCP server:ldap vip762.3322.org:17473 TIME_WAIT
    TCP server:1055 vip762.3322.org:ldap CLOSE_WAIT
    TCP server:1072 vip762.3322.org:ldap CLOSE_WAIT
    TCP server:1116 vip762.3322.org:ldap CLOSE_WAIT
    TCP server:1130 vip762.3322.org:ldap CLOSE_WAIT
    TCP server:1216 vip762.3322.org:ldap CLOSE_WAIT

    and 2 more lines a bit farther down are --

    TCP server:14757 vip762.3322.org:ldap ESTABLISHED
    TCP server:17390 vip762.3322.org:10080 CLOSE_WAIT

    SO now I am even more confused than before ...

    Legacy Forum Name: KES,
    Legacy Posted By Username: TBK Consulting
  • can't you block all outbound traffic with your firewall?

    make a dns entry to point it to nowhere?

    btw looks nasty.

    interesting that its using the loopback

    just read the interchange on experts-exchange. ominous. good luck and please keep us posted.

    another thought. check to see that the kill bits is still set in the registry just to see if that door was opened up. but that would beg the question of who was using IE on the affected servers. The fact that your 2008 servers are not showing the issue leads me to believe that this may be the case as they were not effected in the first place (from what i have read).

    Legacy Forum Name: KES,
    Legacy Posted By Username: razmataz
  • It is normal for the DNS server to randomize the source port, this is part of the new Socket Pool feature intended to make DNS more resilient to latest threats:

    http://blogs.technet.com/sseshad/archive/2008/12/03/windows-dns-and-the-kaminsky-bug.aspx

    It appears that vip762.3322.org is resolving to the loopback, meaning you likely already have it blacklisted via hosts file or DNS.

    However, this machine is still attempting connections to vip762.3322.org which indicates malware presence.

    Legacy Forum Name: KES,
    Legacy Posted By Username: ed@securemycompany.com