
Possible Duplicate:
How do I deal with a compromised server?

One of our desktop machines (Win 7 64 bit) has recently been complaining of slowdown, particularly when accessing resources on an SBS2003 server (also a DC). One thing I looked into was the AV on the server, which was taking ~500MB RAM (it only has 4GB), so I've tackled that. There are still issues, and in addition to this I took a packet capture on the server.

The desktop (23 in the image below) keeps making loads and loads of SMB requests to the server, even though consciously the user isn't accessing any resources. Additionally, it randomly tries to logon to the server with another user's credentials, for no good reason. The credentials don't even show up in the credential manager on the machine.

Why is this happening? I've had a quick Google and can't find much on the subject. Worryingly, one of the only things I could find when searching for 'nt create andx request' was a whitepaper titled 'Microsoft LSASS Buffer Overflow from exploit to worm.' Hope it's nothing along those lines; what can I do to further get to the bottom of this? If it's any help, using netstat and taskmgr on the client I've determined that the process responsible for this was called something like 'NT Kernel and System'.

The Win 7 machine is still painfully slow, and no other desktops have been affected. We don't have a system restore going back very far, so we will likely just wipe it and start again. I have an image of the packet capture of the client querying the server with someone else's credentials, and this again loops over and over. The items I've blanked out in image 2 are: from client (red): computer name and user name (someone else's); from server (blue): domain name (full), server name, domain name (shortened), server, username.

Packet capture from the server

Edit: a virus scan on the Win 7 desktop, using ESET NOD32 Ver 5, has found the Java/Exploit.CVE[DATE].BR trojan. It's cleaned/deleted the file; how worrying is this? Should we re-build the machine to be safe?
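As an added triage example (not part of the original question or its capture), the script below shows how a defender can turn a capture like the one described above into two concrete numbers per client: how many NT Create AndX requests it sent, and which accounts it tried to log on with. The input lines are constructed to resemble `tshark -r capture.pcap -Y smb` output, the IP addresses, share paths and account names are made up, and the `expected_user` mapping (which account should be logging on from which workstation) is an assumption the analyst supplies.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of `tshark -r capture.pcap -Y smb`.
# Hosts, paths and accounts are invented for this example; 192.168.1.23 stands
# in for the noisy workstation and 192.168.1.2 for the file server / DC.
SAMPLE_LINES = """\
0.000 192.168.1.23 -> 192.168.1.2 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: CORP\\alice
0.010 192.168.1.2 -> 192.168.1.23 SMB Session Setup AndX Response
0.020 192.168.1.23 -> 192.168.1.2 SMB NT Create AndX Request, Path: \\build\\tool1.exe
0.030 192.168.1.23 -> 192.168.1.2 SMB NT Create AndX Request, Path: \\build\\tool2.exe
0.040 192.168.1.23 -> 192.168.1.2 SMB NT Create AndX Request, Path: \\build\\tool3.exe
0.500 192.168.1.23 -> 192.168.1.2 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: CORP\\bob
0.510 192.168.1.2 -> 192.168.1.23 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
0.600 192.168.1.40 -> 192.168.1.2 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: CORP\\carol
0.610 192.168.1.40 -> 192.168.1.2 SMB NT Create AndX Request, Path: \\docs\\report.docx
"""

# "<time> <src> -> <dst> SMB <info>" ; lines in any other shape are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+SMB\s+(?P<info>.*)$"
)
USER_RE = re.compile(r"User:\s*(?P<user>\S+)")


def parse_smb_lines(text):
    """Yield (timestamp, src, dst, info) for every line that matches LINE_RE."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield float(m["ts"]), m["src"], m["dst"], m["info"]


def summarize_clients(text):
    """Return two dicts keyed by client IP: number of NT Create AndX requests,
    and the set of (lower-cased) accounts seen in Session Setup requests."""
    creates = defaultdict(int)
    users = defaultdict(set)
    for _ts, src, _dst, info in parse_smb_lines(text):
        if info.startswith("NT Create AndX Request"):
            creates[src] += 1
        elif info.startswith("Session Setup AndX Request"):
            um = USER_RE.search(info)
            if um:
                users[src].add(um["user"].lower())
    return creates, users


def find_anomalies(text, expected_user, create_threshold=2):
    """expected_user maps client IP -> the account expected to log on from it
    (an analyst-supplied assumption). Flags clients that authenticate with any
    other account, and clients whose NT Create AndX count exceeds the threshold."""
    creates, users = summarize_clients(text)
    findings = []
    for src, accounts in users.items():
        expected = expected_user.get(src, "").lower()
        unexpected = sorted(a for a in accounts if a != expected)
        if unexpected:
            findings.append(
                f"{src}: session setup with unexpected account(s) {', '.join(unexpected)}"
            )
    for src, n in creates.items():
        if n > create_threshold:
            findings.append(
                f"{src}: {n} NT Create AndX requests (threshold {create_threshold})"
            )
    return sorted(findings)


if __name__ == "__main__":
    # Constructed expectation: alice sits at .23, carol at .40.
    mapping = {"192.168.1.23": "CORP\\alice", "192.168.1.40": "CORP\\carol"}
    for line in find_anomalies(SAMPLE_LINES, mapping):
        print(line)
```

The two findings answer different questions. A burst of NT Create AndX requests against a folder of executables is consistent with something on the client opening every file, which is what a client-side AV scanning network shares does; a Session Setup from a workstation using an account that should never log on from there is the one to chase (saved credentials in a service or scheduled task, or something running as the machine that has picked up another user's token), and is worth correlating with the DC's logon events for that account.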

  • Are all packets coming from the same MAC-Address? – Bart De Vos Oct 30 '12 at 12:32
  • I've just checked and yes they're all coming from the same MAC address – kafka Oct 30 '12 at 12:49
  • We've just changed the network cable, and network port, and so far it seems much better. Is it possible that a dodgy network cable could cause so much disruption? (Although it doesn't explain why the machine is trying to authenticate with someone else's credentials for no good reason) – kafka Oct 31 '12 at 11:34
  • 1
    Are there any services/scheduled tasks running on the PC that could have been saved with user credentials? – MissCoder87 Oct 31 '12 at 11:54
  • I don't think so - I'll certainly check though. – kafka Oct 31 '12 at 12:15
  • Yes, seems you found your trojan, but have you checked the client computers' AV software? Sometimes, if a client accesses a share that contains a huge file, even if the user doesn't do anything with that file, AV tries to scan it, transferring that huge file over the network and slowing everything down. You might either move that huge file, or exclude it in the client AV configuration. – Tuncay Göncüoğlu Dec 17 '12 at 18:49
  • The slowdown turned out to be that the AV was scanning network locations (despite me having turned this off in the past as it's caused problems before). The developer noticed particular slowdown when opening a folder full of *.exes, but now that we've disabled network scanning on the AV he isn't experiencing the same slowdown. The SMB requests are just to keep the folder share alive, I guess. – kafka Dec 18 '12 at 09:27
