Compromised Web Server? Anybody recognize?

on 08.01.2008 19:09:00 by JohnKotuby

Hi all,
We lease a non-managed Web Server running AV software but no IDS. It is
Windows 2003 STD which receives automatic nightly Windows Security patches at
3AM.

When I logged into the RDP console on Monday I saw what looked like a
Password Cracking software running with the name at the top of the window
E-Security. It looks like it had gone through 69,914,496 permutations already.

I went into Task Manager and killed a program I did not recognize
netman24.exe. I killed it and also saw about 12 instances of
CheckingThread.exe disappear.

I did not want to click the Close button in the program because who knows
what that might have done.

Looking in Services, right under Network Connections there were 3 other
similar services all claiming to be Microsoft.
Network Connections 24
Network Connections 32
Network Connections 64

Doing a search on Microsoft for netman24.exe brought up nothing.
Doing a similar search on Google brought up nothing.
Same for Symantec.

I changed the Startup Option on Network Connections 24 from Automatic to
Manual. I have not gotten rid of those services or programs yet in case they
are valid.

Maybe the connection between netman24.exe being killed and
CheckingThread.exe instances disappearing was coincidental but I don't think
so.

I can't get to the Windows 2003 Server newsgroup from within MSDN, so I am
posting here first.

Anyone else seen anything like this or recognize these programs as valid?

Thanks for any input...

--
"Building a better mouse trap doesn't necessarily make it better for the
mouse."

RE: Compromised Web Server? Anybody recognize?

on 08.01.2008 21:11:03 by MohamadElarabiMCPD

FYI, this isn't exactly the group for this.

I would search the local drives for the files first and see what folder
structure they are located in. In the same folder you can find more info
regarding that exe. You can also get meta info from the executable about who
made it etc.

You should take a restore point before any of this just in case you mess up.

If you determine that this application is malicious and you don't want it,
do not uninstall it from the add/remove programs if it is there. Some malware
will install a differently named version of the same app if you try
uninstalling it. To get rid of it try renaming the folder. Then search the
registry for the filename.exe and see what it got itself into. At this point
you really need to know what you're doing. You might want to write down the
keys you found it in or back it up via the Export feature in Regedit. You
will then need to reboot and check your running processes again.


--
Mohamad Elarabi
MCP, MCTS, MCPD.


"John Kotuby" wrote:

> Hi all,
> We lease a non-managed Web Server running AV software but no IDS. It is
> Windows 2003 STD which receives automatic nightly Windows Security patches at
> 3AM.
>
> When I logged into the RDP console on Monday I saw what looked like a
> Password Cracking software running with the name at the top of the window
> E-Security. It looks like it had gone through 69,914,496 permutations already.
>
> I went into Task Manager and killed a program I did not recognize
> netman24.exe. I killed it and also saw about 12 instances of
> CheckingThread.exe disappear.
>
> I did not want to click the Close button in the program because who knows
> what that might have done.
>
> Looking in Services, right under Network Connections there were 3 other
> similar services all claiming to be Microsoft.
> Network Connections 24
> Network Connections 32
> Network Connections 64
>
> Doing a search on Microsoft for netman24.exe brought up nothing.
> Doing a similar search on Google brought up nothing.
> Same for Symantec.
>
> I changed the Startup Option on Network Connections 24 from Automatic to
> Manual. I have not gotten rid of those services or programs yet in case they
> are valid.
>
> Maybe the connection between netman24.exe being killed and
> CheckingThread.exe instances disappearing was coincidental but I don't think
> so.
>
> I can't get to the Windows 2003 Server newsgroup from within MSDN, so I am
> posting here first.
>
> Anyone else seen anything like this or recognize these programs as valid?
>
> Thanks for any input...
>
> --
> "Building a better mouse trap doesn't necessarily make it better for the
> mouse."

Re: Compromised Web Server? Anybody recognize?

on 08.01.2008 21:52:38 by LVP

Component Name: Netman.exe

Description of Netman.exe
This is a component of NetMan Enterprise. NetMan Enterprise is network
administration software. It monitors actions on each PC on your network and
alerts the Administrator if the PC is used for a function that violates
standard procedures.

Recommendation for Netman.exe N/A


Trusted: Yes
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No

Company Name: Accord Software and Systems Inc.
Platforms Affected:
Methods of Distribution:
Variants/Versions:
Release Date:

I don't think automated updates on a server is a smart thing to do.

netmanXX.exe may not be a virus, but could be a virus disguised as a
system-network type file.


Are you in full control of this server, or is it leased remotely? If leased
remotely, then check with the remote sys-admin.



LVP

"John Kotuby" wrote in message
news:2630043C-1CD2-47A6-90AE-A44B76A928B1@microsoft.com...
> Hi all,
> We lease a non-managed Web Server running AV software but no IDS. It is
> Windows 2003 STD which receives automatic nightly Windows Security patches
> at
> 3AM.
>
> When I logged into the RDP console on Monday I saw what looked like a
> Password Cracking software running with the name at the top of the window
> E-Security. It looks like it had gone through 69,914,496 permutations
> already.
>
> I went into Task Manager and killed a program I did not recognize
> netman24.exe. I killed it and also saw about 12 instances of
> CheckingThread.exe disappear.
>
> I did not want to click the Close button in the program because who knows
> what that might have done.
>
> Looking in Services, right under Network Connections there were 3 other
> similar services all claiming to be Microsoft.
> Network Connections 24
> Network Connections 32
> Network Connections 64
>
> Doing a search on Microsoft for netman24.exe brought up nothing.
> Doing a similar search on Google brought up nothing.
> Same for Symantec.
>
> I changed the Startup Option on Network Connections 24 from Automatic to
> Manual. I have not gotten rid of those services or programs yet in case
> they
> are valid.
>
> Maybe the connection between netman24.exe being killed and
> CheckingThread.exe instances disappearing was coincidental but I don't
> think
> so.
>
> I can't get to the Windows 2003 Server newsgroup from within MSDN, so I am
> posting here first.
>
> Anyone else seen anything like this or recognize these programs as valid?
>
> Thanks for any input...
>
> --
> "Building a better mouse trap doesn't necessarily make it better for
> the
> mouse."
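A read-only triage script for the steps suggested in the two replies above (Mohamad's advice to locate the files, read their metadata and search the registry for the file name, and LVP's point that a lookalike may pose as a system network component). This is an added example, not code from anyone in the thread; it assumes an administrator PowerShell session on the affected Windows host and reuses the service and file names reported in the first post.

```powershell
# Added triage example (not from the thread). Inventories services whose display
# name mimics "Network Connections", resolves the backing executable, reads its
# version metadata and Authenticode signature, then lists registry values that
# reference the suspect file names. Read-only: nothing is stopped or deleted.
# Assumptions: run as administrator on the affected host; names are from the post.

$suspectPattern = '^Network Connections( \d+)?$'   # genuine service plus the 24/32/64 lookalikes
$report = @()

foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.DisplayName -match $suspectPattern }) {
    # PathName may be quoted and carry arguments (e.g. svchost.exe -k netsvcs); keep the exe only
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $exists = Test-Path $exe
    $ver = if ($exists) { (Get-Item $exe).VersionInfo } else { $null }
    $sig = if ($exists) { Get-AuthenticodeSignature $exe } else { $null }
    $report += New-Object PSObject -Property @{
        Service     = $svc.Name
        DisplayName = $svc.DisplayName
        StartMode   = $svc.StartMode
        State       = $svc.State
        Exe         = $exe
        Exists      = $exists
        Company     = if ($ver) { $ver.CompanyName } else { '' }
        SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$report | Format-Table Service, DisplayName, StartMode, State, Exe, Company, SigStatus -AutoSize

# The genuine Network Connections service (name "Netman") runs inside svchost.exe
# and is backed by netman.dll. A service that points at a standalone netmanNN.exe,
# reports no CompanyName, or whose signature status is NotSigned is what to flag.

# Registry references to the suspect file names (the "search the registry" step),
# limited to the usual service and autostart locations so the scan stays fast.
$names = 'netman24.exe', 'CheckingThread.exe'
$hives = 'HKLM:\SYSTEM\CurrentControlSet\Services',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($hive in $hives) {
    Get-ChildItem $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($valueName in $key.GetValueNames()) {
            $val = [string]$key.GetValue($valueName)
            foreach ($n in $names) {
                if ($val -match [regex]::Escape($n)) { "{0}\{1} = {2}" -f $key.Name, $valueName, $val }
            }
        }
    }
}
```

Export the matched keys with regedit before changing anything, as Mohamad suggests, so the original startup configuration can be restored or handed to whoever does the forensic review.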

Re: Compromised Web Server? Anybody recognize?

on 08.01.2008 21:53:40 by LVP

Your PC may be infected. The presence of NETMAN.EXE is a common symptom of
infection.
We suggest you thoroughly check your PC as soon as possible. Prevx CSI will
check your PC and quickly detect malicious software like NETMAN.EXE and
millions of other bad programs. It is totally free and takes less than 2
minutes to run. To scan your PC now click the green Scan Now button on the
left.

"John Kotuby" wrote in message
news:2630043C-1CD2-47A6-90AE-A44B76A928B1@microsoft.com...
> Hi all,
> We lease a non-managed Web Server running AV software but no IDS. It is
> Windows 2003 STD which receives automatic nightly Windows Security patches
> at
> 3AM.
>
> When I logged into the RDP console on Monday I saw what looked like a
> Password Cracking software running with the name at the top of the window
> E-Security. It looks like it had gone through 69,914,496 permutations
> already.
>
> I went into Task Manager and killed a program I did not recognize
> netman24.exe. I killed it and also saw about 12 instances of
> CheckingThread.exe disappear.
>
> I did not want to click the Close button in the program because who knows
> what that might have done.
>
> Looking in Services, right under Network Connections there were 3 other
> similar services all claiming to be Microsoft.
> Network Connections 24
> Network Connections 32
> Network Connections 64
>
> Doing a search on Microsoft for netman24.exe brought up nothing.
> Doing a similar search on Google brought up nothing.
> Same for Symantec.
>
> I changed the Startup Option on Network Connections 24 from Automatic to
> Manual. I have not gotten rid of those services or programs yet in case
> they
> are valid.
>
> Maybe the connection between netman24.exe being killed and
> CheckingThread.exe instances disappearing was coincidental but I don't
> think
> so.
>
> I can't get to the Windows 2003 Server newsgroup from within MSDN, so I am
> posting here first.
>
> Anyone else seen anything like this or recognize these programs as valid?
>
> Thanks for any input...
>
> --
> "Building a better mouse trap doesn't necessarily make it better for
> the
> mouse."

Re: Compromised Web Server? Anybody recognize?

on 08.01.2008 22:23:05 by JohnKotuby

Thanks for the input LVP--

"LVP" wrote in message
news:OcYQNijUIHA.5132@TK2MSFTNGP02.phx.gbl...
> Your PC may be infected. The presence of NETMAN.EXE is a common symptom of
> infection.
> We suggest you thoroughly check your PC as soon as possible. Prevx CSI
> will check your PC and quickly detect malicious software like NETMAN.EXE
> and millions of other bad programs. It is totally free and takes less than
> 2 minutes to run. To scan your PC now click the green Scan Now button on
> the left.
>
> "John Kotuby" wrote in message
> news:2630043C-1CD2-47A6-90AE-A44B76A928B1@microsoft.com...
>> Hi all,
>> We lease a non-managed Web Server running AV software but no IDS. It is
>> Windows 2003 STD which receives automatic nightly Windows Security
>> patches at
>> 3AM.
>>
>> When I logged into the RDP console on Monday I saw what looked like a
>> Password Cracking software running with the name at the top of the window
>> E-Security. It looks like it had gone through 69,914,496 permutations
>> already.
>>
>> I went into Task Manager and killed a program I did not recognize
>> netman24.exe. I killed it and also saw about 12 instances of
>> CheckingThread.exe disappear.
>>
>> I did not want to click the Close button in the program because who knows
>> what that might have done.
>>
>> Looking in Services, right under Network Connections there were 3 other
>> similar services all claiming to be Microsoft.
>> Network Connections 24
>> Network Connections 32
>> Network Connections 64
>>
>> Doing a search on Microsoft for netman24.exe brought up nothing.
>> Doing a similar search on Google brought up nothing.
>> Same for Symantec.
>>
>> I changed the Startup Option on Network Connections 24 from Automatic to
>> Manual. I have not gotten rid of those services or programs yet in case
>> they
>> are valid.
>>
>> Maybe the connection between netman24.exe being killed and
>> CheckingThread.exe instances disappearing was coincidental but I don't
>> think
>> so.
>>
>> I can't get to the Windows 2003 Server newsgroup from within MSDN, so I
>> am
>> posting here first.
>>
>> Anyone else seen anything like this or recognize these programs as valid?
>>
>> Thanks for any input...
>>
>> --
>> "Building a better mouse trap doesn't necessarily make it better for
>> the
>> mouse."

Re: Compromised Web Server? Anybody recognize?

on 08.01.2008 22:24:52 by JohnKotuby

Thanks Mohamad...

Yes, a Windows Server Security group would be a better bet. I was just
wondering if anyone else has seen these things, whether valid or malware,
elsewhere.

"Mohamad Elarabi [MCPD]"
wrote in message news:1613D1E0-2003-4F7F-8308-EB7948C6027C@microsoft.com...
> FYI, this isn't exactly the group for this.
>
> I would search the local drives for the files first and see what folder
> structure they are located in. In the same folder you can find more info
> regarding that exe. You can also get meta info from the executable about
> who
> made it etc.
>
> You should take a restore point before any of this just in case you mess
> up.
>
> If you determine that this application is malicious and you don't want it,
> do not uninstall it from the add/remove programs if it is there. Some
> malware
> will install a differently named version of the same app if you try
> uninstalling it. To get rid of it try renaming the folder. Then search the
> registry for the filename.exe and see what it got itself into. At this
> point
> you really need to know what you're doing. You might want to write down
> the
> keys you found it in or back it up via the Export feature in Regedit. You
> will then need to reboot and check your running processes again.
>
>
> --
> Mohamad Elarabi
> MCP, MCTS, MCPD.
>
>
> "John Kotuby" wrote:
>
>> Hi all,
>> We lease a non-managed Web Server running AV software but no IDS. It is
>> Windows 2003 STD which receives automatic nightly Windows Security
>> patches at
>> 3AM.
>>
>> When I logged into the RDP console on Monday I saw what looked like a
>> Password Cracking software running with the name at the top of the window
>> E-Security. It looks like it had gone through 69,914,496 permutations
>> already.
>>
>> I went into Task Manager and killed a program I did not recognize
>> netman24.exe. I killed it and also saw about 12 instances of
>> CheckingThread.exe disappear.
>>
>> I did not want to click the Close button in the program because who knows
>> what that might have done.
>>
>> Looking in Services, right under Network Connections there were 3 other
>> similar services all claiming to be Microsoft.
>> Network Connections 24
>> Network Connections 32
>> Network Connections 64
>>
>> Doing a search on Microsoft for netman24.exe brought up nothing.
>> Doing a similar search on Google brought up nothing.
>> Same for Symantec.
>>
>> I changed the Startup Option on Network Connections 24 from Automatic to
>> Manual. I have not gotten rid of those services or programs yet in case
>> they
>> are valid.
>>
>> Maybe the connection between netman24.exe being killed and
>> CheckingThread.exe instances disappearing was coincidental but I don't
>> think
>> so.
>>
>> I can't get to the Windows 2003 Server newsgroup from within MSDN, so I
>> am
>> posting here first.
>>
>> Anyone else seen anything like this or recognize these programs as valid?
>>
>> Thanks for any input...
>>
>> --
>> "Building a better mouse trap doesn't necessarily make it better for
>> the
>> mouse."