Set up DNS elsewhere, given how light it is and relatively easy to set up.  Then shut down DNS on your mailserver; it may be that the malware is trying to communicate on port 53, as this is so often an easy way to get through firewalls that are only doing port filtering.
 
Use "netstat -b" from the command line if you have Windows Server 2003 (or Windows XP for that matter) and that will show you any executables that are listening and on which ports.  On Windows 2000 use fport.exe from http://www.foundstone.com to do the same.
 
Use pskill.exe from http://www.sysinternals.com (part of the pstools collection) to kill processes by name or pid (including children) that Task Manager won't kill.
 
If that's not working for you, start in Safe Mode, check for and try to kill any processes that look out of place, and delete the registry entries.
 
It certainly sounds like you have more than one infection.  I'd advise you to use the Advanced tools in Microsoft AntiSpyware beta to examine all the startup locations and look for extras that you can't verify.
 
Aside from setting up temporary DNS, you just might need a backup plan.  Figure out how much more time you want to devote to cleanup before you will rebuild.  Make sure that time is before you *need* to rebuild so that you allow yourself enough downtime for the rebuild!
 
Andrew 8)
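
An added example, not from the thread and not Andrew's own commands: the PowerShell equivalent of the two checks above, listing which executable owns each listening port (what "netstat -b" and fport.exe show, with port 53 called out) and then walking the startup locations (Run keys, services, kernel drivers) for images that are missing, zero bytes long, or unsigned. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist earlier) and an elevated prompt so process paths and owning PIDs are populated; the Windows 2000/2003 hosts in the thread would use the command-line tools named in the message instead. Nothing in it is specific to this infection.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012+ and
# an elevated prompt. Shows the listening-port-to-executable mapping and a
# startup-location review equivalent to netstat -b / fport.exe plus a
# manual look at Run keys, services and drivers.

# --- 1. Listening sockets mapped to their executable ------------------------
$procById = @{}
Get-Process | ForEach-Object { $procById[$_.Id] = $_ }

$listeners = @(Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess) +
    @(Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess)

$sockets = foreach ($l in $listeners) {
    $p    = $procById[[int]$l.OwningProcess]
    $path = if ($p -and $p.Path) { $p.Path } else { $null }
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
    [pscustomobject]@{
        Proto  = $l.Proto
        Port   = $l.LocalPort
        PID    = $l.OwningProcess
        Image  = $path
        Signed = $sig
        # Port 53 is flagged because the message suggests malware may use it
        # to pass a port-filtering firewall; once DNS has been moved off this
        # box nothing should be listening there.
        Note   = if ($l.LocalPort -eq 53) { 'port 53 listener' } else { '' }
    }
}
$sockets | Sort-Object Proto, Port | Format-Table -AutoSize

# --- 2. Startup locations: Run keys, services and kernel drivers ------------
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$psNoise = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Resolve-ImagePath([string]$Cmd) {
    # Turn a Run value or service ImagePath into a file path: expand
    # %SystemRoot%-style variables, honour quoting, drop arguments, and root
    # bare "system32\drivers\x.sys" or "\SystemRoot\..." paths on disk.
    if (-not $Cmd) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Cmd.Trim())
    $first = if ($c.StartsWith('"')) { $c.Split('"')[1] } else { ($c -split '\s+')[0] }
    if ($first -match '^\\\?\?\\') { $first = $first.Substring(4) }
    if ($first -match '^\\SystemRoot\\') { $first = $first -replace '^\\SystemRoot', $env:SystemRoot }
    if (-not [IO.Path]::IsPathRooted($first)) { $first = Join-Path $env:SystemRoot $first }
    return $first
}

function Test-StartupEntry([string]$Source, [string]$Name, [string]$Cmd) {
    $path   = Resolve-ImagePath $Cmd
    $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
    $size   = if ($exists) { (Get-Item -LiteralPath $path).Length } else { $null }
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
    [pscustomobject]@{
        Source = $Source; Name = $Name; Image = $path; Bytes = $size; Signed = $sig
        # A missing or zero-byte image (the thread describes a 0-byte
        # orans.sys that kept coming back) or an unsigned one goes on the
        # list to verify by hand.
        Suspicious = (-not $exists) -or ($size -eq 0) -or ($sig -ne 'Valid')
    }
}

$entries = @(foreach ($k in $runKeys) {
    if (Test-Path $k) {
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -notin $psNoise) { Test-StartupEntry $k $p.Name ([string]$p.Value) }
        }
    }
})
$entries += @(Get-CimInstance Win32_Service      | ForEach-Object { Test-StartupEntry 'Service' $_.Name $_.PathName })
$entries += @(Get-CimInstance Win32_SystemDriver | ForEach-Object { Test-StartupEntry 'Driver'  $_.Name $_.PathName })

$entries | Where-Object Suspicious | Sort-Object Source, Name | Format-Table -AutoSize
```

The second table is a triage list, not a verdict: legitimate third-party software is often unsigned, so each flagged entry still has to be verified against what you know is installed, which is exactly the "extras that you can't verify" step in the message. A service whose image is missing or zero bytes but which still has a registry entry is the pattern to chase first, since something is recreating it.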
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Orin Wells
Sent: Sunday, August 21, 2005 9:45 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OT - Losing DNS connectivity

At 07:50 PM 8/21/2005, Colbeck, Andrew wrote:
Orin, you've probably already licked the problem by now,

Not certain.  For all of Saturday and most of today we couldn't keep the DNS link for more than an hour. I am crossing my fingers right now as we are into the second hour here.  I am not ready to celebrate.  We did throw about every tool we could find at the problem.  It is amazing how many one will see that the other skip right over. What I don't know is how some of them seem to continue to infect after they are cleared.  But the logs are starting to look "normal" again.

 but I'll point out that since you posted this, there have been other reports of this infection,

I tried to find any and was not successful.  The only one I found didn't seem relevant.  As with all searches you have to know the right question to ask to get the good hits.  Maybe I didn't.

and just as all roads lead to Rome, all Google searches lead to:
 
http://www.sophos.com/virusinfo/analyses/w32tilebotj.html

Yes, that sounds like one of the buggers.  Found Aug 18th would explain how none of the tools I have used saw it other than NetShield but it never got rid of it entirely.  In fact, it is still there.


The upshot being that you either got the infection before you patched against the P2P vulnerability,

I think this is it.

or someone else on your network has been trojaned and the bot was instructed to infect your computer(s) via NT shares with a weak password.
 
The Advanced page on that Sophos link will be handy, as it shows what registry settings the bot has likely mucked with on your server.

When it is "running" (orans) you can't get rid of these things.


Luckily for you, it seems that orans.sys never got a foothold, as that is the module that would act as the backdoor for the "new 0wner".

No foothold, but I can't seem to eradicate it yet.  I will keep at it until I find something that does it.


 
Andrew 8)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Orin Wells
Sent: Saturday, August 20, 2005 8:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT - Losing DNS connectivity

I am hoping one of you wise folks can give me a clue what to do about a problem we are experiencing.  A couple of days ago I discovered that our server with iMail and Declude was not delivering email outside the server.  This was revealed by the typical "unable to deliver after 20 tries".  When I looked into it I discovered that it was unable to resolve Domain names within Internet Explorer if I tried to check that and when I went to nslookup it would not display the DNS entries for any of our domains although it "thought" it was connecting to the dns servers.  In addition I would receive a "connection failed" when I tried to use an FTP connection.

Reboot resolved this for a bit.  Then it came back - always the same.

A bit of sequential (more or less) history.
I had not defragged our server for a bit and this led to the first system reboot for several months.  I defragged but the system was still a bit unstable and acting funny.  This was the point last week when everyone was panicking about the new worms so we updated with the latest Microsoft updates (Windows 2000 we are running Service Pack 4).

In looking at the system I recognized some spyware.  I installed the Microsoft anti-spyware Beta.  Sure enough it found several buggers that had somehow gotten into the system.  Apparently they didn't activate until we rebooted the first time.  I have no idea how they got on the server because it is not "generally" used for browsing and only three of us have access to do it in the first place.

In looking at the system logs I see where there is a file orans.sys that keeps getting nailed by McAfee's NetShield.  I noticed in the last reboot today the following "The orans service failed to start due to the following error: Access is denied." coming from the Service Control Manager.  I haven't yet found this in the Registry so I don't know how it is being kicked.  Even though NetShield is "deleting it" it seems to keep coming back and I have yet to figure out how.  It is in winnt/system32 with a size of 0 and I am unable to really delete it.

Also in the log is an entry from time to time "The server was unable to find a free connection 1 times in the last 60 seconds" - sometimes it is more than 1 time.  This seems to be intermittent.  I suppose it is possible this could lead to a DNS loss, but if I try to use ipconfig /registerdns it accomplishes nothing.  The server farm seems uninterested in the possibility we may have a flaky network card, cable or switch.  They looked at the computer and saw some extra exe files and since "every one" of their email servers had experienced attacks of various nature and they said iMail was especially hammered, they wanted to blame intrusions.  I have deleted everything I could find that didn't belong on the server and will probably run a couple of scan packages (suggestions welcome).  But at this point I am bewildered.

I have been unable to find anyone else in any of the forums (imail and declude) or through Google who appears to have encountered this - especially recently.
Any suggestions on what to do would be most welcome.

I will have to reboot the server in order to get the DNS connected long enough to get outgoing email kicked out and this delivered.  I know of no other way to re-attach the DNS servers.  Any thoughts on that?

There are times I really hate fooling with servers.


--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
