rootkit
Problems... they never stop!
(9-12/6)
I have set up a file server running on a Dell PowerVault 725N using Win2k3 as the OS (Windows makes life easier...). The box was set to join the domain of PKK's network so that every authorized user may access the box. Working with the access rules, domain configuration, etc. is something new to me. After spending about 2 hours trying to understand and experiment with the configs, the box was successfully accessible throughout the network. I also set a pointer record in the domain controller to resolve the box's IP address. Everything went fine and I even ran a few tests to make sure it was 100% ready for deployment. The only thing left to do was to see the box's user the next morning and teach her the steps to insert the data.
The next day, when I was about to give the step-by-step tutorial to the user, I tried to connect to the box from the user's PC but it was inaccessible. It gave me error messages that the target path was not found and that I had no authorization to log in to the target machine. Then I checked the DNS settings on the domain controller: no problems found. Checked the shared folder permission settings: no problems found. Strange. I went back to the server and reset the access permissions, but it was still inaccessible. The ACL was intact, no changes whatsoever. Then I figured it must be viruses messing with the box configuration. But after running a few manual checks (still no AV installed), I couldn't find any modification to the system/registry.

Then I installed Symantec AV, but the AV was so bad that I had to remove it half an hour after installation. It used too much memory and it couldn't detect any problem (I am SURE there must be something hidden inside the system). Then I installed Kaspersky, but it could not get the latest updates. It gave an "Unable to resolve DNS" error. Something had overridden the DNS table and even flushdns wouldn't work. This is not some ordinary virus; it must be some kind of worm/rootkit.

So I installed GMER, a rootkit detector/remover. After running a scan, it detected that a "service" was hooking into the svchost process and had made changes to the registry. Positive rootkit activity! Fuck! I disabled the service and the Kaspersky updates were successful, but the AV still failed to detect the rootkit source. Manual removal of the registry strings was unsuccessful: I could not delete or modify any of the modified settings. I deleted one of the hooked svchost entries and restarted the box, but Windows gave a startup error and, after running another rootkit scan, the "service" had been restarted AGAIN! Damn!
It's impossible to delete the "service" as it is hooked into a Windows file, and even after I disable the service, the modified registry settings override my changes!
What the rootkit does:
- modifies registry settings and registers itself as a legitimate system process
- blocks all DNS resolution for EVERY anti-virus/anti-rootkit site (EVERY site: Nod32, AVG, Symantec, etc.)
- modifies security policy settings, blocking all network connections
This is the cause of my problem. It overrides the security policy, removes EVERYONE's access from the network and adds 2 fake users with random strings as usernames.
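The indicators above (vendor domains that stop resolving, unexpected local accounts, a "service" living inside svchost, share permissions that no longer match what you set) can all be checked from the box itself. The script below is an added example for this page, not the author's own tooling or the GMER output; it assumes it is run as a local administrator, and the expected-account list, expected DNS server and vendor-domain list are placeholders you must adjust for your own server. One caveat: a kernel-mode rootkit can hide files, keys and services from user-mode tools, so a clean result here is not proof of a clean box; compare against the same checks run from a known-clean boot medium or an offline copy of the registry hives.

```powershell
# Added example (not from the original post): audit a Windows file server for
# the indicators described above. Placeholder values below are assumptions.
$ExpectedLocalUsers = @('Administrator', 'Guest', 'SUPPORT_388945a0')  # adjust per host
$ExpectedDns        = @('10.0.0.1')                                     # your DC's IP
$VendorDomains      = @('nod32.com', 'eset.com', 'avg.com', 'symantec.com',
                        'kaspersky.com', 'microsoft.com', 'windowsupdate.com')
$findings = @()

# 1. hosts-file hijack: vendor/update names pinned to 127.0.0.1 or a bogus IP
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content $hostsFile)) {
    $line = ($raw -replace '#.*$', '').Trim()          # strip comments
    if ($line -eq '') { continue }
    $parts = @($line -split '\s+' | Where-Object { $_ -ne '' })
    if ($parts.Count -lt 2) { continue }
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        foreach ($d in $VendorDomains) {
            if ($name -like "*$d") { $findings += "hosts: $name -> $($parts[0])" }
        }
    }
}

# 2. DNS servers overridden per interface (static NameServer not pointing at the DC)
$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($iface in (Get-ChildItem $ifaceKey)) {
    $ns = (Get-ItemProperty $iface.PSPath).NameServer
    if (-not $ns) { continue }
    foreach ($ip in ($ns -split '[ ,]+')) {
        if ($ip -ne '' -and $ExpectedDns -notcontains $ip) {
            $findings += "unexpected DNS server $ip on interface $($iface.PSChildName)"
        }
    }
}

# 3. local accounts that were not created by the admin (the "2 fake users")
foreach ($u in (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True")) {
    if ($ExpectedLocalUsers -notcontains $u.Name) {
        $findings += "unexpected local user: $($u.Name) (SID $($u.SID))"
    }
}

# 4. services hosted in svchost.exe whose ServiceDll lives outside System32
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in (Get-WmiObject Win32_Service)) {
    if ($svc.PathName -notmatch 'svchost\.exe') { continue }
    $paramKey = Join-Path $svcRoot "$($svc.Name)\Parameters"
    if (-not (Test-Path $paramKey)) { continue }
    $dll = (Get-ItemProperty $paramKey).ServiceDll
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if ($dll -notlike "$env:SystemRoot\System32\*") {
        $findings += "svchost service '$($svc.Name)' loads $dll (state: $($svc.State))"
    }
}

# 5. share DACLs: list every ACE so a missing or denied Everyone entry is visible
foreach ($s in (Get-WmiObject Win32_LogicalShareSecuritySetting)) {
    $sd = $s.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        $type = if ($ace.AceType -eq 1) { 'DENY' } else { 'ALLOW' }
        $mask = '{0:X}' -f $ace.AccessMask
        $findings += "share $($s.Name): $type $($ace.Trustee.Domain)\$($ace.Trustee.Name) mask 0x$mask"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it once on a freshly built server and keep the output as a baseline; a later run that shows new local users, a svchost-hosted ServiceDll outside System32 or a changed share DACL is the kind of evidence the post had to discover by hand. Everything here uses WMI and the registry provider, so it works on the PowerShell versions available for Windows Server 2003.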
So, how did I remove the rootkit?
- I formatted the box again. As simple as that, since I cannot remove it manually.
After a fresh installation of Win2k3, the settings that took almost 2 hours the first time only took about 10 minutes now.
The question that still bothers me: where did the rootkit come from?
I left the box untouched for not more than 20 hours after the OS installation, I didn't access the internet, etc. Where is the source?
Comments (One comment)
I usually scan rootkit-infected PCs using the Kaspersky Rescue CD and so far it has been successful in removing tough viruses/rootkits... Finally found someone knowledgeable in CMS. Nice..
yerpie / July 13th, 2009, 6:07 pm