[Closed] asp server exploit


  • This topic is locked
2 replies to this topic

#1 dkhesser (New Member, 1 posts)

Posted 26 May 2008 - 06:15 AM

Our web server is having problems publishing asp pages. According to AVG, you get two errors when you request a page: 'Exploit script injection' and 'Exploit link to known exploit site'.

None of the asp pages have changed according to modify/create date.

Server is running/has been running AVG File Server.

Kaspersky scan only shows a few viruses inside email queued on the server.

Dr.Web CureIt shows:

g-eu.exe;C:\System Volume Information;Trojan.Bomgen;Deleted.;
g-inter.exe;C:\System Volume Information;Trojan.Bomgen;Deleted.;
g-or.exe;C:\System Volume Information;Trojan.Bomgen;Deleted.;
g-speed.exe;C:\System Volume Information;Trojan.Bomgen;Deleted.;
psinfo.exe;C:\System Volume Information\autospeed;Exploit.MS07-033;Deleted.;
pslist.exe;C:\System Volume Information\autospeed;Program.PsList.127;Incurable.Moved.;
INSTSRV.EXE;D:\Com;Tool.InstSrv;Incurable.Moved.;
SRVANY.EXE;D:\Com;Program.SrvAny;Incurable.Moved.;

Rebooted; problem not corrected.


HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:48 AM, on 5/26/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\svchost.exe
d:\imail\IMAP4D32.exe
d:\imail\IMonitor.exe
d:\imail\iwebmsg.exe
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
D:\PROGRA~1\AVG\AVG8\avgam.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
d:\imail\queuemgr.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\EasyMail SMTP Express\smtpexp.exe
d:\imail\SYSLOGD.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
D:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
d:\imail\smtpd32.exe
d:\imail\POP3D32.exe
E:\Utils\HiJackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1195399779593
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) - http://aso.grsweb.co...dows-i586-i.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{395513A2-68AF-4E57-AA77-7F2A88E67B5B}: NameServer = 192.168.1.200
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CBDE026-CA0D-4958-8EAC-F190EE88D6E0}: NameServer = 192.168.1.200
O17 - HKLM\System\CCS\Services\Tcpip\..\{71DE6705-F5FD-45EA-80D4-1A46FE5C5A01}: NameServer = 192.168.1.200
O17 - HKLM\System\CCS\Services\Tcpip\..\{D96B7E39-7A04-4993-A8D6-22ABBE59D716}: NameServer = 192.168.1.200
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Persits Software Email Agent (EmailAgent) - Persits Software, Inc. - D:\PROGRA~1\PERSIT~1\AspEmail\EMAILA~1\BIN\EMAILA~1.EXE
O23 - Service: IMail FINGER Server (FINGRD32) - Ipswitch, Inc. - d:\imail\FINGRD32.exe
O23 - Service: IMail IMAP4 Server (IMAP4D32) - Ipswitch, Inc. - d:\imail\IMAP4D32.exe
O23 - Service: IMail Monitor Service (IMonitor) - Ipswitch, Inc. - d:\imail\IMonitor.exe
O23 - Service: IMail Web Calendar Service (IWebCal) - Ipswitch, Inc. - d:\imail\IWebCal.exe
O23 - Service: IMail Web Service (IWEBMSG) - Ipswitch, Inc. - d:\imail\iwebmsg.exe
O23 - Service: Logical Disk Service (LdmSvc) - Unknown owner - C:\WINNT\system32\qttask.exe (file missing)
O23 - Service: mssqll SQL Server (mssqll) - Unknown owner - C:\WINNT\system32\mssqll.exe (file missing)
O23 - Service: IMail LDAP Service (OpenLDAP-slapd) - Unknown owner - d:\imail\OpenLDAP\bin\slapd.exe
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: IMail POP3 Server (POP3D32) - Ipswitch, Inc. - d:\imail\POP3D32.exe
O23 - Service: IMail PWD Server (PSERVE) - Ipswitch, Inc. - d:\imail\PSERVE.exe
O23 - Service: IMail Queue Manager Service (QUEUEMGR) - Ipswitch, Inc. - d:\imail\queuemgr.exe
O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - d:\imail\smtpd32.exe
O23 - Service: EasyMail SMTP Express (smtpexp) - Quiksoft Corporation - D:\Program Files\EasyMail SMTP Express\smtpexp.exe
O23 - Service: IMail Sys Logger Service (SYSLOGD) - Ipswitch, Inc. - d:\imail\SYSLOGD.exe
O23 - Service: IP / TCP Services (TCP-IP) - Unknown owner - C:\tcpstat.exe (file missing)
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
O23 - Service: IMail WHOIS Server (WHOISD32) - Ipswitch, Inc. - d:\imail\WHOISD32.exe

--
End of file - 6028 bytes


Any help is greatly appreciated
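As an added example (not part of the thread, and not something the poster or responders ran), the following script triages the O23 service entries from a HijackThis log like the one above. It uses three assumed heuristics: a service whose file has no recorded publisher, a registered image path that no longer exists, and a binary sitting directly in a drive root. The sample lines are copied from the posted log.

```python
import re
from typing import Dict, List, Optional

# HijackThis O23 line layout:
#   O23 - Service: <display name> (<service name>) - <owner> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)
# A binary directly under a drive root (e.g. C:\tcpstat.exe), not in a program directory.
ROOT_PATH_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")


def parse_o23(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_service(entry: Dict[str, str]) -> List[str]:
    """Assumed heuristics; each hit is a reason to look at the service by hand."""
    reasons = []
    if entry["owner"] == "Unknown owner":
        reasons.append("no file publisher recorded")
    if "(file missing)" in entry["path"]:
        reasons.append("registered image path no longer exists")
    if ROOT_PATH_RE.match(entry["path"].replace(" (file missing)", "")):
        reasons.append("image lives in a drive root")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons, for every O23 entry that trips a heuristic."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = triage_service(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


# Sample O23 lines taken from the posted log (plus one non-O23 line that must be ignored).
SAMPLE_LOG = r"""O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logical Disk Service (LdmSvc) - Unknown owner - C:\WINNT\system32\qttask.exe (file missing)
O23 - Service: mssqll SQL Server (mssqll) - Unknown owner - C:\WINNT\system32\mssqll.exe (file missing)
O23 - Service: IMail LDAP Service (OpenLDAP-slapd) - Unknown owner - d:\imail\OpenLDAP\bin\slapd.exe
O23 - Service: IP / TCP Services (TCP-IP) - Unknown owner - C:\tcpstat.exe (file missing)
"""

if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Entries such as OpenLDAP-slapd show why a hit is only a prompt to verify the file, not a verdict: the IMail LDAP service is expected on this host, while a root-level "tcpstat.exe" with a Windows-sounding service name is not.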


#2 LDTate (Forum God, Root Admin, 57,171 posts)

Posted 04 June 2008 - 04:07 PM

> Our web server is having problems publishing asp pages.

I would suggest you contact a local service in your area to be able to work hands-on with your server.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom

 


#3 LDTate (Forum God, Root Admin, 57,171 posts)

Posted 15 June 2008 - 09:37 AM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.
