Need to figure out what is trying to get past my firewall...


  • Need to figure out what is trying to get past my firewall...

    Hi All,

    I've got a client running a single server (SBS2003) sitting behind a SonicWall TZ 180 Enhanced. The server got infected a while ago, and we removed the infections (I thought), but found that it was pushing data up to someplace on the internet. Disabling NetBIOS resolved that issue, but when I re-enable it, it starts back up.

    Now, the server has started the same type of thing, uploading mainly to two specific addresses:

    229.111.112.12 source port 1125, destination port 3071
    122.224.115.102 source port 3375 (but changes), destination port 8000

    I've got the SonicWall blocking everything except allowed traffic, but need help resolving this once and for all...I've included a HijackThis log in the next post. Hopefully it is useful.

    Thanks in advance for your help, Tony

  • #2
    Re: Need to figure out what is trying to get past my firewall...

    Here's the HijackThis Log.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\System32\dns.exe
    C:\Program Files\Intel\CLI\dpcproxy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\IntelIPMIService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$WSUS\Binn\sqlservr.exe
    D:\MySql\bin\mysqld-nt.exe
    C:\WINDOWS\system32\ntfrs.exe
    D:\Program Files\NOVA\viaWARP\WARP_SERVICE.exe
    C:\WINDOWS\System32\wins.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    D:\Program Files\Exchsrvr\bin\exmgmt.exe
    D:\Program Files\Exchsrvr\bin\mad.exe
    C:\Program Files\RAID Web Console 2\Framework\VivaldiFramework.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\RAID Web Console 2\JRE\bin\javaw.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RAID Web Console 2\MegaMonitor\mrmonitor.exe
    D:\Program Files\Exchsrvr\bin\store.exe
    C:\WINDOWS\system32\CAPM3RSK.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\RAID Web Console 2\MegaPopup\Popup.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    D:\Program Files\ProcessExplorer\procexp.exe
    C:\WINDOWS\system32\mmc.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mayisf.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Popup] "C:\Program Files\RAID Web Console 2\MegaPopup\Popup.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-53483358-1335387254-2927318537-1161\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'QBDataServiceUser17')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Startup: RAID Web Console 2.lnk = C:\WINDOWS\system32\cmd.exe
    O4 - Startup: Server Management.lnk = ?
    O4 - Startup: Shortcut to procexp.exe.lnk = D:\Program Files\ProcessExplorer\procexp.exe
    O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O15 - ESC Trusted Zone: http://download.bitdefender.com
    O15 - ESC Trusted Zone: http://www.bitdefender.com
    O15 - ESC Trusted Zone: http://reviews.usa.canon.com
    O15 - ESC Trusted Zone: http://www.canon.com
    O15 - ESC Trusted Zone: http://www.usa.canon.com
    O15 - ESC Trusted Zone: http://mozilla.isc.org
    O15 - ESC Trusted Zone: http://download.mozilla.org
    O15 - ESC Trusted Zone: http://blstc.msn.com
    O15 - ESC Trusted Zone: http://blstj.msn.com
    O15 - ESC Trusted Zone: http://help.mysonicwall.com
    O15 - ESC Trusted Zone: http://mozmirror01.true.nl
    O15 - ESC Trusted Zone: http://wwwwz.websearch.verizon.net
    O15 - ESC Trusted Zone: http://wwz.websearch.verizon.net
    O15 - ESC Trusted Zone: http://m.webtrends.com
    O15 - ESC Trusted Zone: http://*.windowsupdate.com
    O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
    O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
    O15 - ESC Trusted IP range: http://192.168.39.1
    O15 - ESC Trusted IP range: 192.168.1.1
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.1.1:4343/officescan/...l/WinNTChk.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.1.1:4343/officescan/...tall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.1.1:4343/officescan/...oot/AtxEnc.cab
    O16 - DPF: {4F3DCE50-E8E7-40AC-AB8D-99F87F1F89BD} (Trend Micro OfficeScan Management Console) - https://192.168.1.1:4343/officescan/...AtxConsole.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.1:4343/officescan/...RemoveCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1232402302894
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1232402292769
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.esandp.com/Remote/msrdp.cab
    O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://192.168.1.1:4343/officescan/...oot/AtxPie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CNHKiwanis.local
    O17 - HKLM\Software\..\Telephony: DomainName = CNHKiwanis.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{16A1B37A-AFFA-425B-A845-0B31B2450DA9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CNHKiwanis.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{16A1B37A-AFFA-425B-A845-0B31B2450DA9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CNHKiwanis.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{16A1B37A-AFFA-425B-A845-0B31B2450DA9}: NameServer = 192.168.1.1
    O23 - Service: DPCProxy - Unknown owner - C:\Program Files\Intel\CLI\dpcproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel IPMI Service - Unknown owner - C:\WINDOWS\system32\IntelIPMIService.exe
    O23 - Service: Intel(R) RAID Monitoring Agent - Unknown owner - C:\Program Files\Intel\NGSMS\RAIDSNMPTrapReceiver\SNMPTrapReceiver.exe
    O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\RAID Web Console 2\MegaMonitor\mrmonitor.exe
    O23 - Service: RWCFramework (MSMFramework) - Unknown owner - C:\Program Files\RAID Web Console 2\Framework\VivaldiFramework.exe
    O23 - Service: MySQL - Unknown owner - D:\MySql\bin\mysqld-nt (file missing)
    O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - D:\PROGRA~1\QUICKB~1\QBDBMgrN.exe
    O23 - Service: WarpService - NOVA Information Systems, Inc. - D:\Program Files\NOVA\viaWARP\WARP_SERVICE.exe



    • #3
      Re: Need to figure out what is trying to get past my firewall...

      There is one and only one way to take care of a stubborn malware infection: "format c: /FS:NTFS /V:nosoupforyou /X"

      Seriously. It's ugly, but it can get even uglier if you start ripping things out with HijackThis. Chances are, things are unalterably damaged and you'll continue to have problems until you reformat and reinstall.
      Wesley David
      LinkedIn | Careers 2.0
      -------------------------------
      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
      Vendor Neutral Certifications: CWNA
      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



      • #4
        Re: Need to figure out what is trying to get past my firewall...

        Yea, was just hoping to avoid that...



        • #5
          Re: Need to figure out what is trying to get past my firewall...

          I'm not sure that you have an infection. The 229.111.112.12 IP address is a multicast address which is not external to your network and is not routable. This particular address appears to be tied to some MegaRaid controller software which coincides with your HijackThis results.

          As for the second IP address, do you have a proxy server or ISA server in your network?

          Can you post the results of netstat -a -n?

          Also, if you run netstat -a -b -n -o you'll see the processes and PIDs associated with each connection, which might give you a clue as to what's going on.



          • #6
            Re: Need to figure out what is trying to get past my firewall...

            What is the purpose/function of a multicast address (sorry, either don't remember or haven't gotten that far yet)? Why would the RAID management software need to be accessing it? If it's not external to my network, and I don't have anything of that IP scheme on my network, where is it? Hopefully this doesn't come across as rude; I'm just trying to learn right now and this site has definitely helped a lot. I've attached the outputs of the 'netstat' commands, each command in its own .txt file.

            Thanks for your help.

            Tony



            • #7
              Re: Need to figure out what is trying to get past my firewall...

              Sorry, forgot to add that there is neither a proxy nor ISA server on the network.



              • #8
                Re: Need to figure out what is trying to get past my firewall...

                A multicast address is a class D address that is primarily used to communicate with members of multicast groups or to broadcast a service such as a router advertisement or query. All hosts listen for traffic sent to certain multicast addresses. The MegaRaid software may be sending these packets to communicate with a management console, management software, or to broadcast its existence to other servers. It seems pretty normal to me, as you'll normally see some multicast traffic in most modern networks.

                The two netstat files look fairly OK to me. I'm guessing that this server is:

                1. Domain controller
                2. DNS server
                3. RRAS server using PPTP
                4. Terminal Server

                Is that correct?



                • #9
                  Re: Need to figure out what is trying to get past my firewall...

                  Yup, you nailed it...so the multicast address may be ok. I'll temporarily unblock it and see what happens. I'm still not sure of that other address though.

                  Thanks for your help.

                  Tony



                  • #10
                    Re: Need to figure out what is trying to get past my firewall...

                    Keep us posted.



                    • #11
                      Re: Need to figure out what is trying to get past my firewall...

                      Well I was doing the packet capture in the SonicWall, and according to it, the traffic to either address is 'Interface' traffic...I have no clue what they mean by that.

                      The '(i)' signifies 'interface' according to what I've seen, and if it was multicast it should be '(m)'.

                      06/23/2009 08:52:23.640 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 229.111.112.12 '{protocol}'IPUDP '{SRC Port, Dest Port}' 1125,3071 '{action}' DROPPED60[60]

                      The traffic to the other address is pretty much the same, except the source port is now up to 14445 and the destination is still 8000.

                      Just looking for thoughts.



                      • #12
                        Re: Need to figure out what is trying to get past my firewall...

                        I enabled multicast on the SonicWall with access only to the address 229.111.112.12 and for right now it seems ok. When I put the address in, it forced me to select multicast for the zone...more comfort on my part. Now my only issue is the second address.

                        Tony



                        • #13
                          Re: Need to figure out what is trying to get past my firewall...

                          AFAIK, you don't need to allow access to the multicast address in your firewall as the multicast address is for internal communication and not intended for external hosts. As such the traffic will "stay" on your LAN. The firewall will see the traffic because all hosts have to listen to multicast traffic to determine if it pertains to them or not. If it doesn't pertain to them they drop the multicast traffic. Your firewall should simply drop or ignore the multicast traffic.

                          Have you run a recent netstat to see if the other IP address is in the output?

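As an added example (not from this thread or any of its posters), here is a small Python triage script for the SonicWall capture format quoted in #11: it parses the lines, labels each destination the way #8 and #13 distinguish them (multicast that stays on the LAN versus a public Internet host) and groups flows per destination, so the climbing-source-port / fixed-destination-port pattern described for the second address shows up as a count. The sample lines are constructed (only the first is the line quoted in the thread), and the regex assumes the exact field layout of that quoted line.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample. Line 1 is the capture line quoted in the thread; lines 2-3
# are constructed to mirror the second flow (source port climbing, dest port 8000).
SAMPLE_CAPTURE = """\
06/23/2009 08:52:23.640 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 229.111.112.12 '{protocol}'IPUDP '{SRC Port, Dest Port}' 1125,3071 '{action}' DROPPED60[60]
06/23/2009 08:52:24.015 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 122.224.115.102 '{protocol}'IPUDP '{SRC Port, Dest Port}' 14445,8000 '{action}' DROPPED60[60]
06/23/2009 08:52:26.431 LAN*(i) -- '{SourceIP}' 192.168.1.1 '{DestIP}' 122.224.115.102 '{protocol}'IPUDP '{SRC Port, Dest Port}' 14446,8000 '{action}' DROPPED60[60]
"""

# The '{Name}' tokens in the capture label the value that follows each of them.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) -- '\{SourceIP\}' (?P<src>\S+) "
    r"'\{DestIP\}' (?P<dst>\S+) '\{protocol\}'(?P<proto>\S+) "
    r"'\{SRC Port, Dest Port\}' (?P<sport>\d+),(?P<dport>\d+) '\{action\}' (?P<action>[A-Z]+)"
)

def parse_capture(text: str) -> List[dict]:
    """Parse capture lines into dicts; lines not in the assumed format are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            f = m.groupdict()
            f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
            flows.append(f)
    return flows

def classify_destination(dst: str) -> str:
    """The thread's key distinction: multicast stays on the LAN and a firewall
    drop is harmless; a public host is a real egress attempt to chase down."""
    ip = ipaddress.ip_address(dst)
    if ip.is_multicast:   # 224.0.0.0/4: group address, not a remote host
        return "multicast"
    if ip.is_private:     # RFC 1918: another internal host
        return "private"
    if ip.is_global:      # Internet host: identify the owning process (netstat -o/-b)
        return "public"
    return "reserved"

def summarize(flows: List[dict]) -> Dict[str, dict]:
    """Per destination: hit count, distinct source/destination ports and verdict.
    Many source ports onto one fixed destination port is the pattern in #11/#14."""
    out: Dict[str, dict] = {}
    for f in flows:
        e = out.setdefault(f["dst"], {"hits": 0, "sports": set(), "dports": set(),
                                      "verdict": classify_destination(f["dst"])})
        e["hits"] += 1
        e["sports"].add(f["sport"])
        e["dports"].add(f["dport"])
    return out
```

A "public" verdict with no matching entry in netstat is exactly the situation #14 and #15 describe, so the per-destination summary is what to compare against repeated netstat runs and the firewall log.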


                          • #14
                            Re: Need to figure out what is trying to get past my firewall...

                            The weird thing is that the IP doesn't show in netstat, and when I try to search for the port that it was using, it's already been changed (changes every few seconds at most)...

                            Tony



                            • #15
                              Re: Need to figure out what is trying to get past my firewall...

                              If the IP address doesn't show in netstat then there's no connection to or from that IP address. I would keep an eye out by periodically running netstat and checking your firewall logs to see if you see anything funny.
