anyone want to take a stab at my highjackthis log?

  • anyone want to take a stab at my highjackthis log?

    Long story short...I have some very odd activity on our SBS 2008 server with port 80 requests going overseas at a rate of 3-4 per second from this server. I believe our lowtech smoothwall firewall was hacked as there were port forwards on there last week I didn't create...but I digress...

    As I try to determine the root cause of these outgoing requests I decided to go the good but oldschool way of looking at a highjackthis log too! If you know what it is and you have a good idea of what should be running on a standard (default) SBS 2008 install...please do look.

    There was a time when I could look at any log from Win98 or XP and tell you what belonged and didn't...but I have little clue on SBS2008. Many of the listings say file not found too...not sure what that is about!

    Any useful comments are appreciated.

    File can be found here: http://carboncow.net/hijackthis.log

  • #2
    Re: anyone want to take a stab at my highjackthis log?

    O23 service KeyIso COULD be suspicious.

    O23 service uvnc_Service - if you KNOW you don't have Kaseya or another VNC tool installed, is suspicious.

    There's nothing else I can see there of concern really.



    • #3
      Re: anyone want to take a stab at my highjackthis log?

      This doesn't look quite right to me

      O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

      but then again maybe not

      http://searchtasks.answersthatwork.c...File=UI0Detect

      This

      O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)


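The two O23 lines quoted above share a shape that confuses first-time readers of a Vista/2008-era log: the display name is a raw MUI resource reference (`@module,-id`) rather than text, and HijackThis tags the image "(file missing)" even for lsass.exe. The script below is an added example, not code from the thread or from HijackThis; it parses O23 lines, expands `%SystemRoot%` from a supplied map, identifies the resource-reference form, and attaches triage notes against a small baseline. The environment map, the baseline set, and the VNC line are constructed for the demo; the two Windows entries are the ones quoted in the thread.

```python
"""Triage HijackThis O23 (service) lines.

Added example, not code from the thread or from HijackThis. The two
Windows entries below are the ones quoted in the thread; the VNC line,
the environment map and the baseline list are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# O23 - Service: <display name> (<service name>) - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Windows stores localised service display names as MUI resource references
# ("@<module>,-<string id>"); HijackThis prints the raw reference unresolved.
RESOURCE_REF_RE = re.compile(r"^@(?P<module>.+),-(?P<id>\d+)$")

# Constructed environment for expanding %SystemRoot% offline (assumption).
SAMPLE_ENV: Dict[str, str] = {"SYSTEMROOT": r"C:\Windows"}

# Constructed baseline: both are standard Windows Vista/Server 2008 services
# (CNG Key Isolation, hosted in lsass.exe; Interactive Services Detection).
BASELINE: Set[str] = {"keyiso", "ui0detect"}

# Constructed log excerpt: a non-O23 line, the two entries from the thread,
# and a made-up VNC service line.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: VNC Server (uvnc_service) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe
""".strip().splitlines()


@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    reported_missing: bool
    resource_module: Optional[str]          # module named by an "@...,-id" display name
    notes: List[str] = field(default_factory=list)


def expand_windows_vars(value: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references from a caller-supplied map (no host lookup)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def parse_o23(line: str, env: Dict[str, str], baseline: Set[str]) -> Optional[ServiceEntry]:
    """Return a ServiceEntry with triage notes, or None for non-O23 lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = ServiceEntry(
        display=m["display"],
        name=m["name"],
        owner=m["owner"],
        path=expand_windows_vars(m["path"], env),
        reported_missing=m["missing"] is not None,
        resource_module=None,
    )
    ref = RESOURCE_REF_RE.match(entry.display)
    if ref:
        entry.resource_module = expand_windows_vars(ref["module"], env)
        entry.notes.append("display name is an unresolved MUI resource reference (normal on Vista/2008)")
    if entry.reported_missing:
        entry.notes.append("HijackThis reported the image missing; confirm the path exists by hand")
    if entry.owner == "Unknown owner":
        entry.notes.append("no publisher recorded; check the binary's signature and hash")
    if entry.name.lower() not in baseline:
        entry.notes.append("service name not in the baseline list")
    return entry


def triage(lines: List[str], env: Dict[str, str], baseline: Set[str]) -> List[ServiceEntry]:
    """Parse every O23 line in a HijackThis log and attach triage notes."""
    return [e for e in (parse_o23(l, env, baseline) for l in lines) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, SAMPLE_ENV, BASELINE):
        print(f"{e.name}: {e.path}")
        for n in e.notes:
            print(f"    - {n}")
```

The baseline is deliberately tiny; on a real box it would be built from a known-clean SBS 2008 install. The point of the notes is to separate "HijackThis could not resolve this" (resource reference, file-missing tag) from "nobody vouches for this binary" (unknown owner, not in baseline), which is the distinction the VNC entry trips and the two Windows entries do not.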

      • #4
        Re: anyone want to take a stab at my highjackthis log?

        Guys, thanks for your time,

        I have run two anti-virus and two spyware solutions, including Malwarebytes...all came back negative.

        I ran the services and DLL you commented on against virustotal.com upload scanner and they also came back as "goodware" with no hits or false positives. I've done research on most services I didn't know with little luck.

        It appears clean and I'm wondering how "fancy" this issue could be or I'm barking up the wrong tree...until...

        Today I opened up IE 8 that is on the SBS2008 server to use the virustotal.com interface for uploading. This triggered a website "block" by Malwarebytes to an IP that is in the range of the ones I see trying to go out the door. I'll include a screenshot of my firewall which I have blocking the outgoing requests that are about 3-5 every second.

        I have every update that WSUS tells me this server needs and I'm going to research installing IE9 to see if it overwrites anything...any suggestions there?

        I'm by no means an expert here but have been beating around the bush on Win98, 2000 and XP systems long enough to spot and remove a few nasty bugs. Hell, we even had the horrible Sasser worm here several years ago due to the fact my client PCs were behind on updates. I had the IQ to identify it even if it took a friend who is a high level Exchange nerd to set up the MS recommended procedure for removal on domains with tweaking a lot of GPO stuff I'm horrible at.

        I'm currently using a nifty free firewall called Untangle and am blocking any outgoing IP requests on 80 (vs domain name) and found the concern I suspected. As stated I can block these requests and see they are only on my SBS2008 server...I think I'm safe but want to get to the root of this.

        I have a few posts to read for suggestions on the Untangle forum on how to check via the cmd prompt, so I'll post back if I find good info.



        • #5
          Re: anyone want to take a stab at my highjackthis log?

          Is there anything in your HOSTS file at all???



          • #6
            Re: anyone want to take a stab at my highjackthis log?

            Originally posted by wullieb1:
            Is there anything in your HOSTS file at all???
            It's funny you ask that...

            It was one of the first things I looked at and expected to see a mess of IPs that correspond to the ones attempting to get out...but no. I decided to look again and I do have a question about the "::1" as I've never seen that on other systems in the past but don't really know about SBS2008. A quick google of "::1" gave me nothing, your thoughts?

            EDIT: doesn't look like I googled enough...it is a default host file. Is it v6?



            • #7
              Re: anyone want to take a stab at my highjackthis log?

              ::1 is the loopback adapter for IPv6

              http://en.wikipedia.org/wiki/Loopback



              • #8
                Re: anyone want to take a stab at my highjackthis log?

                Originally posted by carboncow:
                Guy thanks for your time,

                This triggered a "block" by malwarebyte of website block to an IP that is in the range of the ones I see trying to go out the door. I'll include a screenshot of my firewall which I have blocking the outgoing requests that are about 3-5 every second.
                I checked a few of those IPs in the "blocked" log and they all point to a site called mailshell.net. Anyone in your site using that for web mail or similar?
                TIA

                Steven Teiger [SBS-MVP(2003-2009)]
                http://www.wintra.co.il/
                I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                We don't stop playing because we grow old, we grow old because we stop playing.



                • #9
                  Re: anyone want to take a stab at my highjackthis log?

                  Originally posted by teiger:
                  I checked a few of those IPs in the "blocked" log and they all point to a site called mailshell.net. Anyone in your site using that for web mail or similar?
                  Thanks for looking that up, can I ask how you found this out? I did a reverse IP lookup but just got the ISP info...was this an MX lookup? The geo-data told me that the IPs were London and Germany.

                  Here is some additional information.

                  I couldn't make heads or tails of the NETSTAT info to use the PID to figure out what service/program was creating the requests so I found this great little program that identified the culprit as AVGADSV.exe...which is the AVG anti-virus admin interface for pulling updates for the server and clients. So it sounded like we may have figured this out but...

                  1. AVG has not returned my support inquiries to answer why these requests are going out to these IPs
                  2. In the AVG config file there are two update DNS entries to update.avg.com and backup.avg.cz but no info about the IPs in question. so...
                  3. I'm wondering if AVG has something else that communicates through this interface on 80 (but they have not answered) or something else is compromised and spoofing or using the AVGADSV.exe as the conduit.

                  So until I hear back from AVG (bad support!) I'm in limbo here.

                  As mentioned in this or another post we've done full malware and virus scans with several different products that all came back negative. So hopefully the AVG traffic is legit.


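The step the poster struggled with, going from the PID column of `netstat -ano` to a process name, is a join against `tasklist` output. The following Python script is an added example, not code from the thread or from any tool it mentions: it parses both captures, keeps only non-loopback TCP connections to the port of interest, and reports connection counts and distinct remote hosts per owning process. The sample captures are constructed (RFC 5737 documentation addresses, made-up PIDs); the AVG process name from the thread stands in for whatever process a real join turns up.

```python
"""Map outbound port-80 connections to their owning process.

Added example, not code from the thread or from any tool it mentions.
Feed it the text of `netstat -ano` and `tasklist /FO CSV` captured on the
server. The sample captures below are constructed: documentation addresses
(RFC 5737), made-up PIDs, and the AVG process name from the thread as a
stand-in for whatever process the join turns up.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed `netstat -ano` capture: listener, an inbound RDP session,
# three outbound port-80 connections from one PID, a loopback IPv6 hit,
# one outbound connection from a PID absent from the task list, and a UDP row.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:3389        192.0.2.50:52100       ESTABLISHED     1204
  TCP    192.0.2.10:49211       203.0.113.5:80         SYN_SENT        1840
  TCP    192.0.2.10:49212       203.0.113.6:80         SYN_SENT        1840
  TCP    192.0.2.10:49213       203.0.113.5:80         ESTABLISHED     1840
  TCP    [::1]:49300            [::1]:80               ESTABLISHED     2200
  TCP    192.0.2.10:49214       198.51.100.9:80        SYN_SENT        9999
  UDP    0.0.0.0:123            *:*                                    1096
"""

# Constructed `tasklist /FO CSV` capture.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","1096","Services","0","5,000 K"
"svchost.exe","1204","Services","0","8,000 K"
"avgadmsv.exe","1840","Services","0","12,345 K"
"w3wp.exe","2200","Services","0","30,000 K"
"""


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'203.0.113.5:80' -> ('203.0.113.5', 80); '[::1]:80' -> ('::1', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def parse_netstat_ano(text: str) -> List[Conn]:
    """Parse `netstat -ano` output; TCP rows carry a State column, UDP rows do not."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                         # banner and column-header lines
        if parts[0] == "TCP" and len(parts) == 5:
            conns.append(Conn(parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif parts[0] == "UDP" and len(parts) == 4:
            conns.append(Conn(parts[0], parts[1], parts[2], "", int(parts[3])))
    return conns


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Parse `tasklist /FO CSV` output into {pid: image name}."""
    rows = csv.reader(io.StringIO(text))
    next(rows, None)                         # header row
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}


def outbound_by_process(netstat_text: str, tasklist_text: str, port: int = 80) -> Dict[str, dict]:
    """Count non-loopback TCP connections to <port> per owning process."""
    names = parse_tasklist_csv(tasklist_text)
    summary: Dict[str, dict] = {}
    for c in parse_netstat_ano(netstat_text):
        if c.proto != "TCP" or c.state == "LISTENING":
            continue
        rhost, rport = split_endpoint(c.foreign)
        if rport != port or ipaddress.ip_address(rhost).is_loopback:
            continue
        key = f"{names.get(c.pid, '<unknown>')} (PID {c.pid})"
        entry = summary.setdefault(key, {"connections": 0, "remote_hosts": set()})
        entry["connections"] += 1
        entry["remote_hosts"].add(rhost)
    return {k: {"connections": v["connections"], "remote_hosts": sorted(v["remote_hosts"])}
            for k, v in summary.items()}


if __name__ == "__main__":
    for proc, info in outbound_by_process(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"{proc}: {info['connections']} connection(s) to {', '.join(info['remote_hosts'])}")
```

On the server, `netstat -ano > netstat.txt` and `tasklist /FO CSV > tasklist.csv` produce the two inputs. A single snapshot only shows connections in flight at that instant, so with a burst of 3-5 requests a second it is worth capturing several snapshots a few seconds apart. If the PID resolves to svchost.exe, `tasklist /SVC` lists which services that instance hosts, which narrows it further. A PID missing from the task list (the `<unknown>` row) usually means the process had already exited between the two captures, which is itself a hint that something short-lived is firing the requests.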

                  • #10
                    Re: anyone want to take a stab at my highjackthis log?

                    FYI you can use this site to parse HJT logs: http://www.hijackthis.de . Never used it for a server though.

                    As for AVG support, I use a 3rd party company for the support and it's always been great.



                    • #11
                      Re: anyone want to take a stab at my highjackthis log?

                      Originally posted by Wired:
                      FYI you can use this site to parse HJT logs: http://www.hijackthis.de . Never used it for a server though.

                      As for AVG support, I use a 3rd party company for the support and it's always been great.
                      Thanks for the help. I've actually used that site for HJ logs and I think it has issues with server items. Basically, I get a handful of "this is not run from system32 folder" when the path clearly shows that it is. On all of those that state this they are clearly Windows Server items.

                      Could you elaborate on 3rd party support for AVG? I only know of one forum and the owner deferred me to AVG corporate support for my inquiry on why the IP requests on port 80 are coming from avgadmsv.exe
