Hi.
I just happened to be checking my services and found something that shouldn't be there, "Windows Boot Loader", referring to a file called bootwin.exe in System32.
I checked the file using an online scanner, and it seemed to think it was a RootKit of some kind.
I found this: http://www.threatexpert.com/report.aspx?md5=41f28d7b60522b02a45d8fab27080d03
It seems to match all the files I found, which have the same date-created, Sunday, 31st January 2010, at 10:52 pm.
The scariest of them all is a file called info.txt in C:\Windows\System32\ras\.
The contents are here:
Code:
=====================================================================
Installation
=====================================================================
---------------------------------------------------------------------
Creating Service
---------------------------------------------------------------------
[SC] CreateService SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
---------------------------------------------------------------------
Creating Service dependencies
---------------------------------------------------------------------
[SC] ChangeServiceConfig SUCCESS
[SC] ChangeServiceConfig SUCCESS
[SC] ChangeServiceConfig SUCCESS
[SC] ChangeServiceConfig SUCCESS
[SC] ChangeServiceConfig SUCCESS
---------------------------------------------------------------------
Enabling port @ Windows Firewall
---------------------------------------------------------------------
---------------------------------------------------------------------
Installing rootkit loader
---------------------------------------------------------------------
---------------------------------------------------------------------
Making Home Directories
---------------------------------------------------------------------
---------------------------------------------------------------------
Starting Services
---------------------------------------------------------------------
SERVICE_NAME: Inetsrv
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
SERVICE_NAME: Winldr
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
=====================================================================
Local info from **COMPUTERNAME
=====================================================================
---------------------------------------------------------------------
Specifications
---------------------------------------------------------------------
GetInfo v0.2 - Query system info and test bandwitdh
Copyright (C) 2003-2004 sickness. Modded by Yorgi
System info:
Machine: \\**COMPUTERNAME running @ 2500 Mhz
has been up for: 3 day(s), 15 hour(s), 36 minute(s),
Running bandwidth test..........
C:\ -> 2.9 GB free / 10.0 GB Total space
Max Input stream : 11933KBps
---------------------------------------------------------------------
Lan view
---------------------------------------------------------------------
---------------------------------------------------------------------
Admin Users
---------------------------------------------------------------------
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
The command completed successfully.
---------------------------------------------------------------------
Hashes
---------------------------------------------------------------------
pwhist v0.96b, Modified by Yorgi@VoCHT!G
----------------------------------------
******REMOVED: A LIST OF USERNAMES AND THE PASSWORD HASHES ON THE MACHINE*********
---------------------------------------------------------------------
Deleting evidence...
---------------------------------------------------------------------
There seems to be very little information about this Virus/Trojan/Whatever, other than it's quite recent.
Most importantly, I have no idea how it got in. There are no relevant entries in any log, which makes me think it could be a vulnerability in Windows.
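The triage the poster did by hand (odd service, unsigned binary in System32, files sharing one creation time) can be scripted. This is an added example, not code from the post or from the malware's own log; the service names Winldr and Inetsrv, the display name "Windows Boot Loader" and the 31 January 2010 timestamp come from the post, and the event-ID check assumes the System log was not cleared by the "Deleting evidence..." step.

```powershell
# Added example (not the poster's code): flag services that match what the
# post describes, and list service-install events around the infection date.
function Get-SuspiciousService {
    param(
        [string[]]$KnownBadNames = @('Winldr', 'Inetsrv'),   # names from info.txt
        [datetime]$InfectionDate = (Get-Date '2010-01-31 22:52')  # poster's file times
    )
    Get-WmiObject Win32_Service | ForEach-Object {
        $svc = $_
        # Pull the bare executable out of values like "C:\x\y.exe" -arg or C:\x\y.exe -k.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               elseif ($svc.PathName -match '^(\S+)') { $Matches[1] }
               else { $svc.PathName }
        $reasons = @()
        if ($KnownBadNames -contains $svc.Name)        { $reasons += 'name matches info.txt' }
        if ($svc.DisplayName -eq 'Windows Boot Loader') { $reasons += 'bogus display name' }
        if (Test-Path -LiteralPath $exe) {
            $file = Get-Item -LiteralPath $exe
            # Files dropped by one installer share a creation time; allow a minute of slack.
            if ([math]::Abs(($file.CreationTime - $InfectionDate).TotalMinutes) -lt 1) {
                $reasons += 'created at infection time'
            }
            # Weak signal on its own (older Windows has many catalog-signed files that
            # report NotSigned here), but strong combined with the checks above.
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
        } else {
            $reasons += 'binary missing'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name = $svc.Name; DisplayName = $svc.DisplayName
                Path = $exe; Running = $svc.Started; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# sc.exe CreateService leaves System log event 7045 ("A service was installed")
# from the Service Control Manager; that is where "how did it get in" starts.
function Get-ServiceInstallEvents {
    param([datetime]$After = (Get-Date '2010-01-30'), [datetime]$Before = (Get-Date '2010-02-02'))
    Get-EventLog -LogName System -Source 'Service Control Manager' -After $After -Before $Before |
        Where-Object { $_.EventID -eq 7045 } |
        Select-Object TimeGenerated, Message
}

Get-SuspiciousService | Format-Table -AutoSize
Get-ServiceInstallEvents | Format-List
```

Run from an elevated Windows PowerShell prompt; an empty 7045 list on a machine that clearly had services installed is itself evidence that the log was cleared.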