Windows 2008r2 Problems

AWS

I have a dev server with Windows 2008R2 as OS. I keep it updated with the latest patches and fixes Microsoft releases. Its only use is for data backup, testing web apps and software updates before I update live sites. The other day I logged into the server to rotate the backups to the NAS as I always do. When I was at the login screen I noticed a new user called admin, which I didn't create. After I logged in I noticed WinRAR was installed. I never install any software on any server other than what is needed to run websites, and on this server I also have Visual Studio installed for development.

Red flags went up. I uninstalled WinRAR, removed the admin user and isolated the server from the rest of the network. I have been monitoring the server since Friday and noticed a lot of inbound activity on various ports. I also noticed that another user was created with admin rights. The user was ASPNET. This user was also able to log in with RDP. As with all my servers, the security policy for remote access is set up for only secure access and only to my workstation IP, which is an internal 172.16.x.x IP. Access from WAN is prohibited. After investigating I found that somehow this new admin user had accessed secpol, turned off the firewall and set all access policies to default. At this point I took the server off the network completely.

I would say the server is infected with something, and while I was planning an OS upgrade to Windows 2012R2, I would like to know what it is infected with and what the attack vector was. This server is not used for anything except what I stated. I am the only one to access it. How this could have happened is beyond me.

In any case I'd like to know what's going on.
 
Wow, I would feel totally violated if something like that happened to me. Let's hope whoever this is isn't on any of your other servers. You need to seriously sweep all your servers with really good security software for this. I would try NOD32 Endpoint server version, as it sounds like there is a keylogger somewhere, Bob, and just taking the server offline may not stop this. A server environment is one place I would not even debate the best possible security software. BTW, I would really chill with Server 2012; while I have no personal experience with it, I have some pro friends who bitch endlessly about that upgrade and all of them went back to 2008R2.
 
I'm anal about the way I secure my servers. I have specific secpol rules which lock down access. I am the only one that can access any of my servers remotely, and only when I'm on the network. I also run Malwarebytes Pro for business and NOD32 for enterprise. This is what's baffling me. The 2 live servers are fine. After this happened I did a full audit on the 2 main servers. All clean. The only difference is the one that evidently was hacked is running Windows 2008R2 and the others are running Windows 2012R2. I wonder if there is some zero-day exploit in the wild.
 
Well, that sounds better, and you could not be better protected. I would believe you are that careful, but I think Cindy is right; I would get Pete involved here, and their knowledge is more current than ours normally.
 
To be honest I have no idea what tools will run on Windows 2008R2.
I will have to check this out.
I would have agreed with Rich about suggesting ESET Enterprise... but I see you already run this.
I'll try and find out what tools are compatible.
 
I ran ESET Online Scanner while in safe mode and it found the server was infected by Win32:Hupigon. It said it cleaned it and to reboot. I then rebooted in safe mode again and ran the online scanner. All was clean. I then ran Malwarebytes in safe mode and ESET again. All clean. I am still seeing a lot of incoming requests to port 80 being blocked by Malwarebytes. This is understandable, as I see this on my other servers as well, although not on the scale this was happening. The IPs being blocked on the other servers are from spambots and XRumer, a forum-posting bot.

Looking through the old MBAM logs it looks like the initial infection happened on July 29th. There were incoming requests to rejoice.exe and successful logins to the server when I looked at the security events. Looking at install logs it looks like WinRAR was installed to compress all the files on the server. There was also a spike in download bandwidth used on that day, so it looks like all the data was stolen. Lucky for me I had just rotated the backups the day before. I am unsure why this wasn't caught by ESET or MBAM. I also don't know how they got in.

In any case, I still have my reservations as to whether this server is clean. Before I format to install Windows 2012 I want to know for sure it's clean, and even though I doubt I'll ever know, I'd like to know how they got in.

Pete any help you can give me would be appreciated.
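The triage the post above describes (checking the security events for the account creations, the admin-group change, the RDP logins and the firewall being switched off) can be pulled from the Security log in one pass. This is an added example, not code from the thread or from any of the tools mentioned; it assumes it is run elevated on the affected host, and $Since, $OutFile and the $AllowedRdpSource pattern are placeholders (the thread only says the permitted workstation is a 172.16.x.x address).

```powershell
# Added triage example (not from the thread). Reads the Security log with
# Get-WinEvent, which is available on Server 2008 R2 (PowerShell 2.0).
param(
    [datetime]$Since = (Get-Date).AddDays(-60),          # placeholder window
    [string]$OutFile = 'C:\triage\security-events.csv',  # placeholder path
    [string]$AllowedRdpSource = '^172\.16\.'             # assumed allowed RDP range
)
# 4720 account created, 4732 member added to a local group, 4624 successful logon,
# 4719 audit policy changed, 4950 firewall setting changed, 5025 firewall stopped
$filter = @{ LogName = 'Security'; Id = 4720, 4732, 4624, 4719, 4950, 5025; StartTime = $Since }
$rows = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # Flatten the EventData name/value pairs so fields can be read by name
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # For logons keep only RemoteInteractive (type 10), i.e. RDP sessions
    if ($e.Id -eq 4624 -and $d['LogonType'] -ne '10') { continue }
    $flag = ''
    switch ($e.Id) {
        4720    { $flag = 'account created' }
        4732    { $flag = 'added to group ' + $d['TargetUserName'] }   # group name lives here
        4624    { if ($d['IpAddress'] -notmatch $AllowedRdpSource) { $flag = 'RDP from unexpected source' } }
        default { $flag = 'firewall/audit policy change' }
    }
    # 4732 reports the added member as a SID; the other events carry a user name
    $target = $d['TargetUserName']
    if ($e.Id -eq 4732) { $target = $d['MemberSid'] }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Actor   = $d['SubjectUserName']   # account that performed the action
        Target  = $target
        Source  = $d['IpAddress']         # populated for 4624 only
        Flag    = $flag
    }
}
$ordered = $rows | Sort-Object Time | Select-Object Time, EventId, Actor, Target, Source, Flag
$ordered | Export-Csv -Path $OutFile -NoTypeInformation
# Show only the lines worth a second look; the CSV keeps the full timeline
$ordered | Where-Object { $_.Flag } | Format-Table -AutoSize
```

The flagged rows line up the account creation, the group change and the RDP source address on one timeline, which is what narrows down the date of entry and the account used; the 4719/4950/5025 entries show when the policy and firewall changes the first post describes were made.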
 
Have found out that OTL will run on 2008R2, but am waiting on Farbar to get back to me as to whether FRST will run.
Obviously FRST is a lot more up to date, so that would be the first choice.
Am I correct in thinking that 2008R2 is more or less Win7?
 
it found the server was infected by Win32:Hupigon.
Just done a quick check, that's not good.
This family of backdoor trojans can steal your personal information, such as your online user names and passwords. They can also give a malicious hacker access and control of your PC.
Being a server, you may be best to go for a reformat/reinstall.
 
Well, obviously then that is what happened. I think Pete is saying run KillDisk or something like that, not just reformat and reinstall Server. If he isn't, let me suggest that, Bob, as that should remove any trace of this, since it also removes the boot sector and does a low-level format.
 
I bow to your knowledge on servers, Rich. Servers are something I have zero knowledge of, to be honest.
Maybe Gene is experienced in this field.
 
I'm actually retiring this server. I would really like to investigate further before I tear it down. I don't know how the attack happened, and this is troubling. If it happened to a computer that is rarely used, then it can happen to any PC. I don't ever log in to the actual server. I always log in via RDP. As far as stealing any info, I don't have any personal info on it, nor do I use it as a PC.
 