svchost exploit on ports 80, 443 & 21
From: Alastair Smith (asmith_at_c-it.co.uk)
Date: 4 Apr 2004 15:20:52 -0700
I have a customer's server that has been hacked and I'm running out of
time on fixing the problem.
Each time the server starts up, svchost.exe loads using ports 80, 443,
21 and a couple of others that it blatantly shouldn't; as you can
guess, this stops any IIS services from running correctly.
When the users try to use features such as Outlook Web Access, an
alternate page is displayed showing a large skull and starting with
the text "Hello dear FxPer!" and displaying a few statistics off the
server such as its uptime etc.; it closes with a gloat from the hacker
stating the server was "hacked by a good hacker".
I can easily cure this by simply killing the instance of svchost.exe
that is occupying the ports I want and then restarting the IIS sites, but
it always returns after a restart, so it's getting a bit boring now.
The technical details of the server are as follows:
Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
SP1 and all other Microsoft critical updates.
Note: at the time when the problem started the server was just
running SP3 with no other updates.
I have scanned the registry for any unusual programs running on
startup and can't see anything.
I have run several Trojan scans and I have also run the Symantec fix
tool for the Welchia virus, but nothing has been found.
Does anyone have any info on this problem?
Any help is greatly appreciated, the hackers home address would be
even more appreciated! ;-)
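The practical question in the post is which svchost.exe instance owns ports 21, 80 and 443, and what it is hosting, since a service DLL loaded by svchost does not show up under the Run keys that a "startup programs" registry search covers. The script below is an added example, not code from the original post or its author: it correlates `netstat -ano` output (listening sockets with PIDs) against `tasklist /svc` output (PIDs with the service names each svchost hosts), flags any watched port whose owner is not the image expected for it, and lists the registry values to inspect for each hosted service. It assumes the column layout of those two Windows XP/2003-era tools (Windows 2000's own netstat cannot show PIDs, so a third-party port-to-PID tool would be needed there); the sample output is constructed, and the service name `FxPSvc` is a hypothetical placeholder for whatever unexpected service turns up.

```python
"""Correlate listening ports with owning processes and svchost-hosted services.

Added example, not part of the original post. Assumes `netstat -ano` and
`tasklist /svc` output formats (Windows XP / Server 2003 and later). The
sample output below is constructed; the service name FxPSvc is hypothetical.
"""
import re

# Constructed sample of `netstat -ano` (listening sockets plus one session).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1208
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1208
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1208
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       8
  TCP    192.168.1.10:3389      192.168.1.55:4412      ESTABLISHED     1032
"""

# Constructed sample of `tasklist /svc`; FxPSvc is a hypothetical service name.
TASKLIST_SAMPLE = """
Image Name                   PID Services
========================= ====== =============================================
System                         8 N/A
svchost.exe                  780 RpcSs
svchost.exe                 1208 Dnscache, LanmanWorkstation, wuauserv, FxPSvc
inetinfo.exe                1410 IISADMIN, W3SVC, MSFTPSVC
termsrv.exe                 1032 TermService
"""

# On IIS 5 (Windows 2000) the web and FTP services run inside inetinfo.exe.
# On IIS 6 and later, ports 80/443 are owned by System (PID 4) via http.sys.
EXPECTED_PORT_OWNERS = {
    21: {"inetinfo.exe"},
    80: {"inetinfo.exe"},
    443: {"inetinfo.exe"},
}

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"


def parse_netstat(text):
    """Return (proto, local_port, pid) for every TCP LISTENING socket and every UDP socket."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        if proto == "TCP" and parts[3] != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT etc. are not servers
        port = int(local.rsplit(":", 1)[1])
        listeners.append((proto, port, pid))
    return listeners


def parse_tasklist(text):
    """Return {pid: (image_name, [service, ...])} from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue  # header and separator lines carry no PID
        image, pid, svc_field = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svc_field == "N/A" else [s.strip() for s in svc_field.split(",")]
        procs[pid] = (image, services)
    return procs


def find_port_hijacks(netstat_text, tasklist_text, watched_ports, expected_owners):
    """List watched ports whose listening process is not one of the expected images."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, port, pid in parse_netstat(netstat_text):
        if port not in watched_ports:
            continue
        image, services = procs.get(pid, ("<unknown>", []))
        if image.lower() in expected_owners.get(port, set()):
            continue
        findings.append({"proto": proto, "port": port, "pid": pid,
                         "image": image, "services": services})
    return sorted(findings, key=lambda f: f["port"])


def registry_keys_to_inspect(services):
    """Registry values that decide what code a hosted service actually loads."""
    keys = []
    for svc in services:
        keys.append(rf"{SERVICES_KEY}\{svc}\ImagePath")           # the svchost -k group line
        keys.append(rf"{SERVICES_KEY}\{svc}\Parameters\ServiceDll")  # the DLL svchost loads
    return keys


if __name__ == "__main__":
    for f in find_port_hijacks(NETSTAT_SAMPLE, TASKLIST_SAMPLE, {21, 80, 443}, EXPECTED_PORT_OWNERS):
        print(f"port {f['port']}/{f['proto']} owned by PID {f['pid']} ({f['image']}), hosting: {', '.join(f['services'])}")
        for key in registry_keys_to_inspect(f["services"]):
            print("  inspect", key)
```

On a real box the two samples would be replaced by the captured output of `netstat -ano > netstat.txt` and `tasklist /svc > tasklist.txt`. Any service listed beside the usual Windows names in a flagged svchost instance is the one to look at: its `ServiceDll` path is what gets loaded again on every reboot, which is the persistence the Run-key search in the post could not see.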