Aaron Johnson
I have a 2000 server system that was compromised recently. I found
the files "mswam.exe" which had a listing in services something like
"Microsoft Windows Access Manager" but the manufacturer was "Unknown"
in msconfig (in case you didn't know, you can get msconfig for
win2000). I also found nvsvc.exe, nvsvc32.dll, radmin.reg,
regedit.exe, and startRA.bat in my system32 dir, all with dates of
5/19/2004. There was also a folder called ntmsdata. That folder
apparently has something to do with nt backup, which I don't use.
This computer does NOT have an nvidia display card or driver
installed. I killed the service and removed the files. McAfee listed
nvsvc.exe as a worm (see http://vil.nai.com/vil/content/v_100785.htm)
that gets in through some vulnerabilities that there are patches for,
so I ran windows update. It identified several critical updates, so I
told it to install them, and it promptly failed. Here's one of the
error messages from the log:
2004-06-16 17:22:06 00:22:06 Error IUENGINE Install
couldn't get Item Q837009_OE6_SP1 Download Path (Error 0x80004005:
Unspecified error)
I looked at the C drive (there's only 1 partition), and I did not see
the WUTemp directory. I am showing all hidden files and all protected
operating system files, and it isn't listed. Fine, I'll make one. I
got the error "Folder name already exists". I ran a dos prompt, went
to the root of C: and did a directory. No WUTemp listed. I typed "cd
wutemp" and was in the directory just fine. I used another computer
to browse the administrative share C$ and it saw WUTemp just fine. I
renamed it WUTemp2. All of a sudden the folder appears to the first
computer. I rename it back to WUTemp and it disappears off the
screen! So I delete it. Re-run windows update. Same problem. I
look using the remote computer and WUTemp is back. I use XCACLS to
make sure the permissions are set to Everyone and All access. Doesn't
help. Even tried renaming it to WUTemp2 (which made the folder appear
again) and re-running windows update. It failed again and made
another WUTemp folder that is invisible to the OS.
At this point I'm thinking that someone hacked the system to prevent
the WUTemp dir from being visible so I couldn't patch to block access.
I printed out the patch list from windows update, manually downloaded
all the ones that pertained to this sort of vulnerability and installed
them. I still can't use windows update though because WUTemp won't
appear to the OS.
Anyone have any suggestions?
Oh, I also tried deleting everything in the program files\windows
update folder. No luck.
Thanks in advance,
Aaron
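The symptom Aaron describes (a directory that is absent from a local listing but reachable by name and visible over the C$ share) is the classic signature of name-filtering on the enumeration path. The following script, added here and not part of the post, automates that cross-view check: it takes candidate names from a trusted second view (for example a listing taken over the admin share from a clean machine) and flags any that os.stat can open by name but that the local enumeration omits. The demo() scenario, the tampered_listdir stand-in for the hiding behaviour, and the directory names it creates are all constructed for illustration.

```python
import os
import tempfile
from typing import Callable, Iterable, List


def cross_view_hidden(root: str,
                      enumerate_fn: Callable[[str], List[str]],
                      candidates: Iterable[str]) -> List[str]:
    """Return names under `root` that open fine when probed directly by
    name but are missing from the enumeration `enumerate_fn(root)`.
    `candidates` should come from an independent view (remote share
    listing, backup catalogue, or simply names the admin expects, such
    as WUTemp). A hit means the local enumeration is being filtered."""
    listed = {n.lower() for n in enumerate_fn(root)}
    hidden = []
    for name in candidates:
        try:
            os.stat(os.path.join(root, name))  # direct by-name access
        except OSError:
            continue                           # genuinely absent
        if name.lower() not in listed:
            hidden.append(name)                # exists, but not listed
    return hidden


def demo() -> dict:
    """Constructed scenario: a temp directory stands in for C:\\ and a
    tampered listdir (simulating the hiding) drops WUTemp from results,
    while honest os.listdir shows everything."""
    root = tempfile.mkdtemp()
    for d in ("WUTemp", "Program Files"):
        os.mkdir(os.path.join(root, d))

    def tampered_listdir(path: str) -> List[str]:
        return [n for n in os.listdir(path) if n.lower() != "wutemp"]

    # WUTemp2 is a candidate that does not exist, so it must not be flagged.
    cand = ["WUTemp", "Program Files", "WUTemp2"]
    return {
        "tampered": cross_view_hidden(root, tampered_listdir, cand),
        "honest": cross_view_hidden(root, os.listdir, cand),
    }


if __name__ == "__main__":
    print(demo())
```

On a real box, feed cross_view_hidden the root to inspect, os.listdir as the local view, and the names captured from the remote share; a non-empty result is grounds to rebuild from clean media rather than keep patching.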