VPS Hacked/Compromised.

  • IanSmithISA
    replied
    Good morning,

    I have just checked my VPS to see if I was infected and I am not, (Hyper V-VPS Win 200.

    So it looks like you are one of the "lucky ones" and it is not on all of the servers, VPS or real.

    bye

    Ian

    Leave a comment:


  • sysadmin
    replied
    Hi,

    Indeed the VPS appears to be hacked/rootkit'd severely. As far as I know, there are no such known vulnerabilities in the current MS OS which would have caused a breakdown up to this level.

    Either the administrator password must have been compromised, through which the hacker must have entered the VPS, or a virus/trojan resulted in this backdoor.

    Please open up a ticket with our support dept so we can have this case investigated/studied properly & precautionary actions taken as necessary.

    A complete/clean reinstall is recommended at this stage.

    Leave a comment:


  • Simon.
    started a topic VPS Hacked/Compromised.

    Hi.
    I just happened to be checking my services and found something that shouldn't be there, "Windows Boot Loader", referring to a file called bootwin.exe in System32.
    I checked the file using an online scanner, and it seemed to think it was a RootKit of some kind.
    I found this: http://www.threatexpert.com/report.aspx?md5=41f28d7b60522b02a45d8fab27080d03
    It seems to match all the files I found, which have the same date-created, Sunday, 31st January 2010, at 10:52 pm.

    The scariest of them all is a file called info.txt in C:\Windows\System32\ras\
    The contents are here:
    Code:
    =====================================================================
    			     Installation
    =====================================================================
    
    ---------------------------------------------------------------------
    			    Creating Service
    ---------------------------------------------------------------------
    [SC] CreateService SUCCESS
    [SC] ChangeServiceConfig2 SUCCESS
    [SC] ChangeServiceConfig2 SUCCESS
    
    ---------------------------------------------------------------------
    			Creating Service dependencies
    ---------------------------------------------------------------------
    [SC] ChangeServiceConfig SUCCESS
    [SC] ChangeServiceConfig SUCCESS
    [SC] ChangeServiceConfig SUCCESS
    [SC] ChangeServiceConfig SUCCESS
    [SC] ChangeServiceConfig SUCCESS
    
    ---------------------------------------------------------------------
    		       Enabling port @ Windows Firewall
    ---------------------------------------------------------------------
    
    ---------------------------------------------------------------------
    		          Installing rootkit loader
    ---------------------------------------------------------------------
    
    ---------------------------------------------------------------------
    		          Making Home Directories
    ---------------------------------------------------------------------
    
    ---------------------------------------------------------------------
    			    Starting Services
    ---------------------------------------------------------------------
    
    SERVICE_NAME: Inetsrv
            TYPE               : 10  WIN32_OWN_PROCESS 
            STATE              : 4  RUNNING 
                                    (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0	(0x0)
            SERVICE_EXIT_CODE  : 0	(0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
    
    
    SERVICE_NAME: Winldr
            TYPE               : 10  WIN32_OWN_PROCESS 
            STATE              : 4  RUNNING 
                                    (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0	(0x0)
            SERVICE_EXIT_CODE  : 0	(0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
    
    =====================================================================
    		        Local info from **COMPUTERNAME
    =====================================================================
    
    ---------------------------------------------------------------------
    			     Specifications
    ---------------------------------------------------------------------
    GetInfo v0.2 - Query system info and test bandwitdh
    Copyright (C) 2003-2004 sickness.
    Modded by Yorgi
    
    System info:
    Machine: \\**COMPUTERNAME running @ 2500 Mhz
    has been up for: 3 day(s), 15 hour(s), 36 minute(s),
    
    Running bandwidth test..........
    
    C:\ -> 2.9 GB free / 10.0 GB Total space
    Max Input stream : 11933KBps
    
    ---------------------------------------------------------------------
    				Lan view
    ---------------------------------------------------------------------
    
    ---------------------------------------------------------------------
    			       Admin Users
    ---------------------------------------------------------------------
    Alias name     Administrators
    Comment        Administrators have complete and unrestricted access to the computer/domain
    
    Members
    
    -------------------------------------------------------------------------------
    Administrator
    The command completed successfully.
    
    
    ---------------------------------------------------------------------
    				Hashes
    ---------------------------------------------------------------------
    
    pwhist v0.96b, Modified by [email protected]!G
    ----------------------------------------
    ******REMOVED: A LIST OF USERNAMES AND THE PASSWORD HASHES ON THE MACHINE*********
    
    ---------------------------------------------------------------------
    			   Deleting evidence...
    ---------------------------------------------------------------------
    There seems to be very little information about this Virus/Trojan/Whatever, other than it's quite recent.

    Most importantly, I have no idea how it got in. There are no relevant entries in any log, which makes me think it could be a vulnerability in Windows.
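An added triage check for this thread (not code from any of the posters): it looks for the indicators Simon's info.txt lists, the two services created by the installer, the dropped files in System32, any other System32 file sharing the 31 January 2010 creation date, and a firewall rule referencing the loader. It assumes the host runs Windows Server 2008 or later for the netsh advfirewall step; service names, paths and the date are taken from the post.

```powershell
# Added example, not from the original thread. Indicators below come from Simon's post.
$suspectServices = @('Inetsrv', 'Winldr')          # "Starting Services" section of info.txt
$suspectFiles    = @("$env:SystemRoot\System32\bootwin.exe",
                     "$env:SystemRoot\System32\ras\info.txt")
$creationDate    = (Get-Date '2010-01-31').Date     # date-created shared by the dropped files

$findings = @()

# 1. Services: the installer registered two WIN32_OWN_PROCESS services; ask the SCM via WMI.
foreach ($name in $suspectServices) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service $($svc.Name) state=$($svc.State) path=$($svc.PathName)"
    }
}

# 2. Known dropped files.
foreach ($path in $suspectFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "File $path created=$($item.CreationTime)"
    }
}

# 3. Anything else under System32 created on the same day (the post says every
#    dropped file carries the same creation timestamp). PSIsContainer keeps this PS 2.0-compatible.
Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime.Date -eq $creationDate } |
    ForEach-Object { $findings += "File $($_.FullName) created=$($_.CreationTime)" }

# 4. Firewall: info.txt shows a port being opened; flag any rule that references the loader.
#    Assumption: netsh advfirewall is available (Windows Server 2008 and later).
$fwRules = netsh advfirewall firewall show rule name=all verbose 2>$null
if ($fwRules -match 'bootwin\.exe') {
    $findings += "Firewall rule references bootwin.exe"
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators from the thread found."
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

Any hit confirms the compromise sysadmin describes, and because the installer ran with full rights and removed its own traces, the answer is still the clean reinstall rather than deleting the listed items.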