Infection/malware on Server 2008 – Requested by Oh My!

Amora R Jelo

Good day folks, and thank you to Gary (Oh My!) for your assistance.   This topic is a follow on to handle a different machine in the same group.   This concerns the Windows Server 2008R2 machine (yes, I know, old).   All servers and workstations use WebRoot for anti-virus.  […]

Good day folks, and thank you to Gary (Oh My!) for your assistance.

 

This topic is a follow on to handle a different machine in the same group.

 

This concerns the Windows Server 2008R2 machine (yes, I know, old).

 

All servers and workstations use WebRoot for anti-virus.  All workstations on site are Windows 10, with one exception (the user had dallied for a long time on upgrading).

 

About 10 days ago, that one non-Windows 10 machine, which still runs Windows 7 machine was accidently left exposed on the RDP port to the Internet.  The user returned to find “SYSMAIN” logged in remotely.

 

This machine was immediately turned off, and removed from the network.

 

We performed an immediate scan of all physical and virtual servers, and did remove a malware application agentNNNN.exe (this was flagged in WebRoot).  From there, systems were rebooted and rescanned, all clean.

 

We obviously kept a close eye on things.

 

Exactly 7 days later, on the main AD server, Webroot found an infection.  I will be honest and say I cannot recall the name of the file it found, but I was able to link it to a Crypto Locker malware variant.

 

We scanned all servers (physical and virtual) again, and they came back clean after removing the file Webroot had located.

 

We suspected a time-bomb, so wanted to dig further into where this may be hidden, and make sure we neutralised it.

 

We downloaded and ran the Sophos Anti Rootkit tool, and it came back clean

 

We downloaded and ran the MalWare Bytes Anti Rootkit tool, and it came back clean.

 

We performed a DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH then SCANHEALTH then RESTOREHEALTH then SFC/ SCANNOW.  No errors or corruptions were detected.

 

We sat back and monitored again.

 

Today (11 days after initial issue), the Exchange and Active Directory virtual machines both logged a suspicious event:

* Event Time: 26 Jun 2021 13:04:18   
* Source: MsiInstaller   
* Event Log: Application   
* Type: Error   
* Event ID: 11310   
* Event User: <DOMAIN>Administrator
* Product: fakemsi — Error 1310. Error writing to file: C:UsersAdministratorAppDataLocalfakemsifoo.txt.  System error 0.  Verify that you have access to that directory.   
   

A quick check revealed this to be something potentially nefarious, so we again did a complete scan using Webroot, Sophos, MalWareBytes and the DISM/SFC from above.

 

The 2008R2 server repaired some files with the SFC /SCANNOW (It can’t run a DISM, it’s not a tool for Server 2008 apparently).  I have the CBS.LOG from this.

 

All came back clean again.

 

Given the age of this machine, I’d like to make sure it’s clean, and not the source of compromise or infection

Edited by Midnight_Man, 14 July 2021 – 09:03 PM.

Next Post

10 Coolest Key Fobs We've Ever Seen

The key fob has to be one of the most mundane aspects of a car especially in today’s modern setting where the conversation is more likely to be centered around the car’s performance and design. Who honestly remembers a key fob in a heated discussion about the fastest or most […]