I had serious system instability and "registry saving before unloaded"
problems, so I wiped the HD, reformatted and reinstalled XP SP1 from disc. The
first system log entry shows that \Device\Serial1 was really a serial port; a
FIFO was detected and used. Next I got an entry with the same message for a
different device, Serial0. The following message is where I got suspicious:
The NetBIOS name and DNS host name of this machine have been changed from
MACHINENAME to MICROSOF-4L9KKL. And following that:
This computer has been successfully joined to workgroup 'MORALE'.

This is followed by telephony service started, Internet connection sharing
service started, network location awareness started, etc.

Has anyone seen a full hijack like this? At install there was no WWW
connection; I usually use Comcast broadband, using the EZ Armor suite for
firewall and AV.
Help? Please?

Re: 1st sys log entry: machine name changed? by Karl

Karl
Sat Nov 13 07:38:49 CST 2004


"wapalicious" <wapalicious@discussions.microsoft.com> wrote in message
news:942F26D0-9AAA-44AC-8F69-4003C3975023@microsoft.com...

> The NetBIOS name and DNS host name of this machine have been changed from
> MACHINENAME to MICROSOF-4L9KKL. and following that
> This computer has been successfully joined to workgroup 'MORALE'.
>
> this is followed by telephony service started, Internet connection sharing
> service started, network location awareness started, etc.
>
> has anyone seen a full hijack like this? at install no www connection,
> usually use comcast broadband, using EZ Armor suite for firewall and AV.
> help? please?

Unless you have additional information, this doesn't sound like a hijack to
me at all.

Some steps for trying to find evidence of hijacking are here, however I
don't suspect a hijack.

http://securityadmin.info/faq.asp#hacked



Re: 1st sys log entry: machine name changed? by wapalicious

wapalicious
Sun Nov 14 01:42:02 CST 2004

Thanks for the links; they are not helping much because SVCHOST.exe houses all
of this:
svchost.exe 768 DcomLaunch, TermService
svchost.exe 812 RpcSs
svchost.exe 884 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                ERSvc, EventSystem,
                FastUserSwitchingCompatibility, helpsvc,
                lanmanserver, lanmanworkstation, Netman,
                Nla, RasMan, Schedule, seclogon, SENS,
                SharedAccess, ShellHWDetection, srservice,
                TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                wscsvc, wuauserv, WZCSVC
svchost.exe 952 Dnscache
svchost.exe 1056 LmHosts, RemoteRegistry, SSDPSRV, WebClient

and all the active port monitors I used simply show svchost and do not
define the children depending upon it. At least for 2 days almost all I
receive for system log errors is the TCP/IP message "TCP/IP has reached the
security limit imposed on the number of concurrent TCP connect attempts" and
i8042prt "could not set mouse sample rate". The only application errors I get
are winmgmt "A provider, OffProv11, has been registered in the WMI namespace,
Root\MSAPPS11, to use the LocalSystem account." I have not had a system
freeze or instability during passive use. I guess I will just wait till this
becomes more widespread. I have found three new threads at 3 different
forums dated yesterday all indicating the same issue but different machine
names and workgroups.


"Karl Levinson [x y] mvp" wrote:

> Unless you have additional information, this doesn't sound like a hijack to
> me at all.
>
> Some steps for trying to find evidence of hijacking are here, however I
> don't suspect a hijack.
>
> http://securityadmin.info/faq.asp#hacked
>
>
>

Re: 1st sys log entry: machine name changed? by Karl

Karl
Sun Nov 14 11:41:00 CST 2004

I don't see much need to wait... I still don't see much evidence yet that
this is any kind of new attack that we don't already have the tools to
discover.

While you are right that it is possible to hide services from port
enumerators and task manager by launching them as child processes under
SVCHOST.EXE, it is more common to hide these by using a Windows root kit.
[If these were starting under SVCHOST.EXE, I would probably expect these to
be visible as running services in Control Panel.]

The only thing I've seen so far that would indicate a possible intrusion is
the error message you are getting that you are at the maximum number of
network connections. If you are running some kind of remotely accessible
server or service like windows file sharing or web server, that error can be
normal as Windows workstation has a limit of 10 concurrent network
connections max. If you are not aware of running these services, then I
would take a wild guess that you have been "ftp tagged" and that someone may
have installed a hidden FTP server service on your computer and may be
hiding it using a Windows root kit like Hacker Defender. This is often
accompanied by a large mysterious drop in free disk space on your computer
taken up by large hidden warez files like games, movies or porn, so check
for free disk space and large files.

Whatever the cause of these network connections, you should be able to see
the "established" network connections by using the NETSTAT command and by
looking at your firewall logs such as pfirewall.log for the Windows
firewall, if it is still enabled. These items are typically not hidden by
root kits and should give you a clue as to the nature of the compromise. A
sniffer such as Ethereal should also show you these things.

FTP tagging is several years old now, not new. Such compromises are almost
always the result of being on the Internet without having your computer
fully patched from http://windowsupdate.microsoft.com and with firewall and
anti-virus installed. Hardening instructions are at
www.microsoft.com/technet/security and
http://securityadmin.info/faq.asp#harden. www.kerio.com, www.sygate.com and
www.zonealarm.com are all free firewalls.

I recommend running Silent Runners from www.silentrunners.org and *also*
RKDETECT [which can be found by searching www.google.com]. You can also
see root kits if you boot to another OS such as the Linux rescue disk from
www.bitdefender.com, or if you scan the computer from another computer via
Windows networking, or if you take the hard drive and slave it in another
windows computer, though these are generally more difficult than running
RKDETECT.

There are also on-line virus scanners here that I would run as a second
opinion anti-virus scan just in case:

http://housecall.antivirus.com
http://security2.norton.com
http://www.kasperskylabs.com/remoteviruschk.html

Searching www.google.com and www.processlibrary.com for those file names you
listed below is helpful. Dmserver appears to be Gator adware that was
installed by some garbage freeware you possibly installed. I didn't search
all of them but didn't see any that look suspicious off the top of my head.


"wapalicious" <wapalicious@discussions.microsoft.com> wrote in message
news:A553A253-A61C-41B1-99C6-343FC5F81D8A@microsoft.com...
> Thanks for the links; they are not helping much because SVCHOST.exe houses
> all of this:
> svchost.exe 768 DcomLaunch, TermService
> svchost.exe 812 RpcSs
> svchost.exe 884 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
>                 ERSvc, EventSystem,
>                 FastUserSwitchingCompatibility, helpsvc,
>                 lanmanserver, lanmanworkstation, Netman,
>                 Nla, RasMan, Schedule, seclogon, SENS,
>                 SharedAccess, ShellHWDetection, srservice,
>                 TapiSrv, Themes, TrkWks, W32Time, winmgmt,
>                 wscsvc, wuauserv, WZCSVC
> svchost.exe 952 Dnscache
> svchost.exe 1056 LmHosts, RemoteRegistry, SSDPSRV, WebClient
>
> and all the active port monitors I used simply show svchost and do not
> define the children depending upon it. At least for 2 days almost all I
> receive for system log errors is the TCP/IP message "TCP/IP has reached the
> security limit imposed on the number of concurrent TCP connect attempts" and
> i8042prt "could not set mouse sample rate". The only application errors I
> get are winmgmt "A provider, OffProv11, has been registered in the WMI
> namespace, Root\MSAPPS11, to use the LocalSystem account." I have not had a
> system freeze or instability during passive use. I guess I will just wait
> till this becomes more widespread. I have found three new threads at 3
> different forums dated yesterday all indicating the same issue but different
> machine names and workgroups.
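Karl's advice above is to read the firewall log (pfirewall.log) for the connections a rootkit cannot hide. As an added example that is not part of this thread or any poster's code, the script below parses a constructed pfirewall.log (assumed to carry the Windows Firewall "#Fields:" header layout), tallies which local ports accepted inbound connections and from how many remote hosts, and flags any port the owner did not intend to expose, which is how a hidden "ftp tagged" server and the resulting pile-up of concurrent connections would show up.

```python
# Summarise accepted inbound connections from a Windows Firewall pfirewall.log.
# The file is W3C-style: '#' comment lines, including a '#Fields:' header that
# names the columns; we read that header instead of hard-coding positions.
from collections import defaultdict

# Constructed sample in the XP SP2 log layout (not a real capture): normal
# traffic plus a burst of inbound connections to TCP 6969 from several hosts,
# the footprint a hidden FTP/warez server would leave in the firewall log.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-11-13 07:40:01 OPEN TCP 192.168.1.5 204.0.0.10 1040 80 - - - - - - - - -
2004-11-13 07:40:03 OPEN-INBOUND TCP 192.168.1.9 192.168.1.5 1122 139 - - - - - - - - -
2004-11-13 07:41:10 OPEN-INBOUND TCP 10.9.8.7 192.168.1.5 3344 6969 - - - - - - - - -
2004-11-13 07:41:12 OPEN-INBOUND TCP 10.9.8.8 192.168.1.5 3345 6969 - - - - - - - - -
2004-11-13 07:41:15 OPEN-INBOUND TCP 10.9.8.9 192.168.1.5 3346 6969 - - - - - - - - -
2004-11-13 07:41:20 DROP TCP 10.9.8.9 192.168.1.5 3347 445 48 S 123 0 65535 - - - RECEIVE
"""

EXPECTED_INBOUND_PORTS = {139, 445}  # ports the owner knowingly exposes (file sharing)

def parse_firewall_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            parts = line.split()
            parts += ["-"] * (len(fields) - len(parts))  # pad short rows
            yield dict(zip(fields, parts))

def inbound_summary(text):
    """Return {local_port: set of remote IPs} for accepted inbound connections."""
    by_port = defaultdict(set)
    for row in parse_firewall_log(text):
        if row["action"] == "OPEN-INBOUND":
            by_port[int(row["dst-port"])].add(row["src-ip"])
    return dict(by_port)

def suspicious_ports(text, expected=EXPECTED_INBOUND_PORTS):
    """Inbound-accepting ports not on the allow-list, sorted for review."""
    return sorted(p for p in inbound_summary(text) if p not in expected)

if __name__ == "__main__":
    for port, hosts in sorted(inbound_summary(SAMPLE_LOG).items()):
        print(f"port {port}: {len(hosts)} remote host(s): {sorted(hosts)}")
    print("inbound ports not on the allow-list:", suspicious_ports(SAMPLE_LOG))
```

A port that keeps collecting OPEN-INBOUND rows from many different remote hosts, and that netstat does not attribute to a service you installed, is the one to look at first.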