svchost exploit on ports 80, 443 &21

From: Alastair Smith (asmith_at_c-it.co.uk)
Date: 04/05/04


Date: 4 Apr 2004 15:20:52 -0700

Hi,

I have a customer's server that has been hacked and I'm running out of
time on fixing the problem.

Each time the server starts up svchost.exe loads using ports 80, 443,
21 and a couple of others that it blatantly shouldn't - as you can
guess this stops any IIS services from running correctly.

When the users try to use features such as Outlook Web Access an
alternate page is displayed showing a large skull and starting with
the text "Hello dear FxPer!" and displaying a few statistics off the
server such as its uptime etc, it closes with a gloat from the hacker
stating the server was "hacked by a good hacker".

I can easily cure this by simply killing the instance of svchost.exe
that is occupying the ports I want then restarting the IIS sites, but
this always returns after a restart so it's getting a bit boring now.

The technical details of the server are as follows: -

Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
sp1 and all other Microsoft critical updates.
McAfee Netshield.

Note: - At the time when the problem started the server was just
running SP3 with no other updates.

I have scanned the registry for any unusual programs running on
startup and can't see anything.
I have run several Trojan scans and I have also run the Symantec fix
tool for the Welchia virus but nothing has been found.

Does anyone have any info on this problem?

Any help is greatly appreciated, the hackers home address would be
even more appreciated! ;-)

Cheers
Alastair
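The triage step the post is missing is mapping each hijacked port to the process that owns it and then to the service that process is hosting: svchost.exe is only a generic host for service DLLs, so a registry scan of the Run keys will not show a service registered under HKLM\SYSTEM\CurrentControlSet\Services that svchost loads at boot. The script below is an added example, not code from the original post or its author. It parses the text formats of Windows XP/2003 `netstat -ano` and `tasklist /svc` (Windows 2000's netstat has no PID column, so there a third-party port-to-process mapper would have to supply it), flags the expected IIS ports whose owner is not inetinfo.exe, and names the hosted services to inspect. All sample output and the service name HypotheticalSvc are constructed for the example.

```python
"""Map listening ports to the owning process and to the services it hosts.

Added example, not from the original post. Input formats are those of
Windows XP/2003 `netstat -ano` and `tasklist /svc`; the samples below are
constructed, not captured from any real server.
"""
import re

# Constructed `netstat -ano` output (listening sockets only).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       8
  UDP    0.0.0.0:500            *:*                                    244
"""

# Constructed `tasklist /svc` output; "HypotheticalSvc" is a made-up name.
TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== ============================================
System                           8 N/A
svchost.exe                    828 RpcSs
svchost.exe                   1204 HypotheticalSvc
inetinfo.exe                  1560 IISADMIN, MSFtpsvc, W3SVC
lsass.exe                      244 PolicyAgent, ProtectedStorage, SamSs
"""

# Ports IIS is expected to serve on this box, and the image that should own them.
EXPECTED_OWNER = {21: "inetinfo.exe", 80: "inetinfo.exe", 443: "inetinfo.exe"}


def parse_netstat(text):
    """Return {(proto, port): pid} for listening TCP sockets and all UDP sockets."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, anything that is not a socket row
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        if proto == "TCP" and "LISTENING" not in parts:
            continue  # established/time-wait rows are not bound listeners
        port = int(local.rsplit(":", 1)[1])  # rsplit also copes with [::]:80
        listeners[(proto, port)] = pid
    return listeners


def parse_tasklist(text):
    """Return {pid: (image_name, [service names])} from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe|System)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue  # column headers and the ===== separator
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[pid] = (image, services)
    return procs


def find_unexpected_listeners(netstat_text, tasklist_text):
    """Return (port, pid, image, services) for each expected port owned by the wrong image.

    The services list is the useful part: svchost.exe itself is legitimate, so
    the component to investigate (and the thing that comes back after a reboot)
    is the service it is hosting, registered under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service name>.
    """
    listeners = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    findings = []
    for port, expected in sorted(EXPECTED_OWNER.items()):
        pid = listeners.get(("TCP", port))
        if pid is None:
            continue  # nothing bound; IIS may simply be stopped
        image, services = procs.get(pid, ("<unknown>", []))
        if image.lower() != expected:
            findings.append((port, pid, image, services))
    return findings


if __name__ == "__main__":
    for port, pid, image, services in find_unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"port {port}: owned by {image} (PID {pid}), expected {EXPECTED_OWNER[port]}")
        for svc in services:
            print(f"  hosted service {svc!r}: check ImagePath and Parameters\\ServiceDll under "
                  f"HKLM\\SYSTEM\\CurrentControlSet\\Services\\{svc} before disabling it")
```

Against the constructed sample this reports ports 21, 80 and 443 as owned by svchost.exe PID 1204 hosting HypotheticalSvc, while the svchost instance on port 135 (RpcSs) is left alone because that port is not one IIS is expected to own. On a real box the two inputs are just `netstat -ano` and `tasklist /svc` redirected to files; the service name the script prints is the registry entry to examine and disable, which is what stops the port grab from returning after a restart.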


