Re: svchost exploit on ports 80, 443 &21

From: Duane Arnold (notme_at_notme.com)
Date: 04/05/04


Date: Sun, 04 Apr 2004 23:19:05 GMT


"Alastair Smith" <asmith@c-it.co.uk> wrote in message
news:a84041bd.0404041420.aef4ff1@posting.google.com...
> Hi,
>
> I have a customer's server that has been hacked and I'm running out of
> time on fixing the problem.
>
> Each time the server starts up svchost.exe loads using ports 80, 443,
> 21 and a couple of others that it blatantly shouldn't - as you can
> guess this stops any IIS services from running correctly.
>
> When the users try to use features such as Outlook Web Access an
> alternate page is displayed showing a large skull and starting with
> the text "Hello dear FxPer!" and displaying a few statistics off the
> server such as its uptime etc. It closes with a gloat from the hacker
> stating the server was "hacked by a good hacker".
>
> I can easily cure this by simply killing the instance of svchost.exe
> that is occupying the ports I want then restarting the IIS sites, but
> this always returns after a restart so it's getting a bit boring now.
>
> The technical details of the server are as follows: -
>
> Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
> sp1 and all other Microsoft critical updates.
> McAfee Netshield.
>
> Note: - At the time when the problem started the server was just
> running SP3 with no other updates.
>
> I have scanned the registry for any unusual programs running on
> startup and can't see anything.
> I have run several Trojan Scans and I have also run the Symantec fix
> tool for the Welchia virus but nothing has been found.
>
> Does anyone have any info on this problem?
>
> Any help is greatly appreciated, the hackers home address would be
> even more appreciated! ;-)

You may have to go find it yourself with some additional tools.

You may want to use Process Explorer and start looking inside of the
svchost.exe and see what programs/processes are using the svchost.exe in
question. You may be able to pinpoint what's running that's doing it.

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

You may also want to investigate dllhost.exe.

Of course, if svchost.exe and dllhost.exe are not running out of the
System32 directory, then they are Trojans.

Have you done anything along the lines of securing *hardening* IIS and the
O/S from attack?

Duane :)
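An added example, not part of Duane's reply or the thread: a PowerShell script that does on a modern Windows host what he describes doing by hand with Process Explorer. It lists whatever is listening on 80, 443 and 21, shows which services are hosted inside the owning process, and flags an svchost.exe or dllhost.exe that is not running out of System32 or is hosting no service at all. It assumes an elevated PowerShell 5.1 session on Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on Windows 2000).

```powershell
# Added example (not from the thread). Run elevated so process paths
# and owning PIDs are visible for every listener.

$suspectPorts = @(80, 443, 21)                    # ports the post says svchost.exe was grabbing
$system32     = Join-Path $env:SystemRoot 'System32'
$hostImages   = @('svchost', 'dllhost')           # images the reply says must live in System32

$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $suspectPorts -contains $_.LocalPort }

foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc) { continue }

    # Path is $null for protected/system processes; treat that as "unknown", not "clean".
    $path = $proc.Path
    $fromSystem32 = [bool]$path -and
        $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)

    # Services hosted in this PID: the same list Process Explorer shows under an svchost.exe.
    $hosted = @(Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)" |
        Select-Object -ExpandProperty Name)

    # Full command line; a legitimate svchost.exe is started with "-k <group>".
    $cmdLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine

    $verdict = 'review'
    if (($hostImages -contains $proc.ProcessName) -and -not $fromSystem32) {
        $verdict = 'SUSPECT: host image not running from System32'
    } elseif ($proc.ProcessName -eq 'svchost' -and $hosted.Count -eq 0) {
        $verdict = 'SUSPECT: svchost.exe hosting no registered service'
    }

    [PSCustomObject]@{
        Port     = $conn.LocalPort
        PID      = $proc.Id
        Process  = $proc.ProcessName
        Path     = $path
        CmdLine  = $cmdLine
        Services = ($hosted -join ', ')
        Verdict  = $verdict
    }
}
```

Anything flagged SUSPECT is the process to dig into with Process Explorer (loaded DLLs, parent process, start-up registration) before killing it, since the original poster notes it comes back after every reboot.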