Jump to content

Recommended Posts

Hi,

first to describe situation...

I am running internal  application (limited users <10) on windows server 2008R1 (oracle and java).

18.1.2018 I have noticed that my processor is on 100% (as application was slow). via Task manager noticed process XE.EXE. googled: BitCoinMiner

dowloaded MalwareBytes free trial and run scan. Threads were quarantined. restarted -> run eset online (clean) -> run malware bytes again -> system was clean -> setup MWB to scan every 3 hrs.

But later I found out that I have same sitation again MWB - scan (look attached scan report on Scan Date: 1/19/18 Scan Time: 12:09 AM) - restart -

After few hours found out that powershell is starting (poping up) form time to time. (MWB reports were clean)

to solve this found task scheduler is triggering PowerShell ->     Run new task: Update service for Oracle products path: PowerShell.exe s>-ExecutionPolicy bypass -windowstyle hidden -noexit -File C:\Users\user\SchTask.ps1

Deleted Task - tried to find SchTask.ps1 but I can not find file.

restarted system, changed Admin Passwords. - everything was OK. for 12 hrs... but then I found this situation again

see scan -Log Details-
Protection Event Date: 1/20/18
Protection Event Time: 1:29 PM...

removed all threads with malwarebytes and deleted scheduled task again.... but I have major problem

After some exporing it seems I have similar similar situation described here https://www.joesandbox.com/analysis/37564/0/html

Did not run Farbar as I do not know is it compatible with server 2008R2.

Attached is Text file with all scan reports separated with ***. I did not copy scheduled scan report if everything was OK)

Please Help,

d.

 

MWB scan reports server win 2008r2 - 20180120.txt

Link to post
Share on other sites

Hi damirp :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt). You can attach them in your next post, or copy/paste their content.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

Link to post
Share on other sites

however I have this report when restarted server.

can you explain what does t mean (this expolit -Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0)

I have same code for  inbound and outbound expolit report,,,

Please advise

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/26/18
Protection Event Time: 8:32 PM
Log File: aa192def-02cf-11e8-966c-00505601018b.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3793
License: Trial

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Java
Protection Layer: Application Behavior Protection
Protection Technique: Java malicious inbound socket detected
File Name: 
URL: 

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/26/18
Protection Event Time: 8:33 PM
Log File: b8e9f970-02cf-11e8-b6f8-00505601018b.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3793
License: Trial

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Java
Protection Layer: Application Behavior Protection
Protection Technique: Java malicious outbound socket detected
File Name: 
URL: 

(end)

 

Link to post
Share on other sites

thanks for support. Will do as described...

but after hours of internet it seems that I found root of my problem... (so even if I clean infection I will still have hole in the system)

https://www.bleepingcomputer.com/news/security/hackers-make-whopping-226k-installing-monero-miners-on-oracle-weblogic-servers/

https://isc.sans.edu/forums/diary/Campaign+is+using+a+recently+released+WebLogic+exploit+to+deploy+a+Monero+miner/23191/

As my weblogic server is unsupported (but has to run) do I have any option to block intruders (or somtehing)?

Did malwarebytes tackle this?

regards,

d.

 

Link to post
Share on other sites

I doubt Malwarebytes can tackle this, as you're willingly running a program for which exploits exists in the wild and are actively used in hacking campaigns. You could cut off that server from the Internet (remove it from your DMZ) or if it isn't possible, adjust your firewall configuration (locally or on your hardware firewall) to block the ports, protocols, etc. used to execute the hack.

Link to post
Share on other sites

Quote

System was patched, but... As always should be reinstalled to clean state...

Indeed. Once a system has been compromised with a backdoor/remote access, it should always be nuked and rebuilt from scratch.

No problem damirp, you're welcome.

Good luck, and stay safe! :) 

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.