Hello, 

For a while now I have had problems with some miners. I don't know if it's worldwide or if they are targeting just https://www.cloudsouth.com/

I have 20+ servers from them and most of them have miners on them. I reinstalled the OS a few times and soon after, the servers become infected again. I think they are brute-forcing them. I started using 24-character passwords on newly reinstalled servers.

Here's a report from malwarebytes. (attached below)

Even if Malwarebytes cleaned the system and a new check shows a "clean" PC, the virus is still there and it's not being detected.

If I open Task Manager, the virus will instantly pause itself and the PC/server will start working normally. A few minutes later the virus will close Task Manager and start itself again. The PC/server will start to lag hard, as the virus is using 90% of the CPU when it's running.

Doing a virus scan without opening Task Manager is impossible. It won't even start, the PC is lagging that hard. An updated Windows Defender won't pick it up either.

In Task Manager it is using some of the following names:

SHELLEXPERIENCEHOST1.EXE

Windowsshellexperiencehost.exe

Windowsshellexperiencehoste.exe

Windowsshellexperiencehostp.exe

 

Any idea how can I remove these pesky miners?

I can provide access via RDP to some infected servers, no problem.

Bitcoin miners report.txt


Hi dbs00 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against the Malwarebytes Forums' rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

A couple of questions:

  • Are these servers exposed to the Internet? Like, in the DMZ?
  • Is RDP over the Internet enabled on these? If so, why?
  • Are they FULLY updated (Windows Updates)?

Hi Aura, 

Thanks for looking into it.

1. No, these servers aren't exposed. But I had some servers with Linux, and when logging on to them I could see they are trying to brute-force in, ~5k tries per day. So probably it's the same thing for the Windows servers as well (probably they know the IP ranges for this provider's servers and just scan through them).

2. RDP is enabled so I can work on them. Southcloud (the provider of the servers) recommended that I restrict RDP access to just my needed IPs (didn't do that yet though).

3. Some are fully updated, some aren't. No difference for the virus. Same for Windows Defender (latest update version, no difference).

Let me know what other questions you have, 


Quote

2. RDP is enabled so I can work on them. Southcloud (the provider of the servers) recommended that I restrict RDP access to just my needed IPs (didn't do that yet though).

Do it, it'll go a long way.

Quote

3. Some are fully updated, some aren't. No difference for the virus. Same for Windows Defender (latest update version, no difference).

I'm honestly ready to bet that these are being spread via MS17-010 (ETERNALBLUE), so you should start by patching the ones that aren't updated to stop the spreading and disable SMBv1. Can you get me the FRST logs from one server that is fully infected (on which you haven't run Malwarebytes)?

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your Desktop
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • Make sure the Addition.txt box is checked
  • Click on the Scan button
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files will open
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply

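The two hardening steps Aura recommends in the post above (restrict RDP to known source addresses, patch MS17-010 and disable SMBv1) plus a quick check that the brute forcing dbs00 saw on the Linux boxes is also hitting the Windows ones, as an added PowerShell example. This is not code from the thread or from Malwarebytes. It assumes Windows Server 2016 (build 14393, as in the Malwarebytes log later in the thread) and an elevated session on the host; the allow-listed addresses are TEST-NET placeholders that must be replaced before running.

```powershell
# Added example, not from the thread: confirm the brute forcing and close the two doors Aura names
# (RDP open to the world, SMBv1 / MS17-010). Written for Windows Server 2016 (build 14393).
# Run in an elevated PowerShell ON THE HOST, after editing the allow-list.

# ASSUMPTION: placeholder admin sources (TEST-NET ranges). Put the address you are connected FROM
# in here first, or step 2 cuts off your own RDP session.
$AllowedRdpSources = @('203.0.113.10', '198.51.100.0/24')

# 1. Evidence: failed logons (Security event 4625) in the last 24 hours, grouped by source address.
#    Note: once NLA is on, NTLM failures may land in 4776 instead and 4625 shows "-" as the source.
$since  = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$failed | ForEach-Object {
        # Pull IpAddress out of the event XML by name instead of trusting the field order
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# 2. Restrict the built-in inbound RDP rules (display group "Remote Desktop": TCP-In, UDP-In, Shadow)
#    to the allow-list. RemoteAddress replaces the default "Any".
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedRdpSources

# 3. Require Network Level Authentication so an unauthenticated client never gets a logon screen.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Turn off SMBv1, the protocol ETERNALBLUE (MS17-010) abuses: both the runtime switch and the
#    installed component, so a reboot does not bring it back. (On a Windows 10 client use
#    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol instead of Uninstall-WindowsFeature.)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Uninstall-WindowsFeature -Name FS-SMB1

# 5. Patch state: newest installed updates. For 14393 any cumulative update from March 2017 or later
#    includes the MS17-010 fix; compare the top entry against the Microsoft Update Catalog.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

# 6. Verify what was changed.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Step 1 is worth running before the others: a few thousand 4625 events a day from a handful of addresses is the signature of the password spraying dbs00 describes, and it tells you whether the firewall change in step 2 actually made the noise stop. The ordering matters too: put your own source address in the allow-list and confirm a second RDP session still connects before closing the first one.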

I attached below the logs as requested from 2  servers

1. where I used malwarebytes and it "cleaned" the server

2. From server where I didn't use malwarebytes at all. And this one should be full of viruses.

Let me know what else I need to provide.

Thank you .

ps: I'll be back in  a few hours

Miners.zip


Thank you. Let's get an Autoruns log now.

Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:

  • Download Autoruns.zip from the Sysinternals Suite webpage
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator
  • Accept the EULA on opening, then wait for all the entries to load
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file
  • Right-click on the file you saved and select Send to followed by Compressed (zipped) folder
  • Attach the .zip file on your next post, or if it says that it's too big, upload it on SendSpace and post the download URL for it here


Hey, 

Done.

This is from the server where I didn't install Malwarebytes (so it's full of viruses).

I can do the same on servers where I run malwarebytes so you can see that MB will find the virus, will "block it" and the virus will reinstate itself again.
Let me know if I should redo all steps for such a server.

ty

WIN-SMGPRG3ATER.zip


Awesome! Can you do me a favor? Can you go back on the two servers you ran FRST on, then grab me a copy of the files below (there should be 1 on the first server, and 1 on the second), .zip them together and attach the .zip here?

C:\Windows\ExplorerPlugpp.dll
C:\Windows\Explorer.dll

I think that file is what's dropping the infection again and again.


Hey, 

Here it is

From the cleaned server (there isn't an ExplorerPlugpp.dll, just Explorer.dll):

https://www.sendspace.com/file/ervc35

 

From the infected server (I found both):

https://www.sendspace.com/file/d2mcoy

 

Let me know if you need other files

Thank you (PS: I was afraid to copy them onto my PC and paste them here, so I uploaded them to SendSpace :)


Awesome, thank you :)

I'm working with someone from the Research Team to get all these files and their defs added. Once an update comes out, he'll let me know and I'll tell you. Afterwards, we'll scan one server with Malwarebytes, see if it removes the whole infection and monitor that server to see if it comes back. If it doesn't, you'll be good to run Malwarebytes on all the infected servers to clean them.


Alright, the defs should be pushed out now. Can you update Malwarebytes on one of the infected servers, run a scan, delete everything it finds, then restart it and see if the malware comes back within the next 24h? Provide me the Malwarebytes log as well.


Hey, I just scanned the second server (where I installed Malwarebytes last night and cleaned it for the first time).

Added logs here, 

Let me know if you need more logs

 

https://cl.ly/rba8

 

Some virus signatures that I noticed:

"It will close Task Manager." Even if I have it activated with "always on top". If I open Task Manager it will wait a few minutes, after which it will close it and start itself up.

If I open Task Manager again, it will pause itself for a few minutes and after that it will close Task Manager and start itself up. (All settings in Malwarebytes won't pick this up.)


 

Thank you

 

Addition.txt

FRST.txt


The Task Manager issue is probably caused by this:

(Microsoft® Windows® Operating System) C:\Windows\System32\Taskmgr.exe

Can you upload the taskmgr.exe file to VirusTotal and post the report URL here?

And can you attach this file here?

C:\Users\Administrator\AppData\Roaming\jquery-2.2.2_ubot.js

Also, don't mind the information that I'll post below, it's for myself and the Research Team, to keep track of what we're doing.

(Microsoft® Windows® Operating System) C:\Windows\System32\Taskmgr.exe

HKU\S-1-5-21-3954276434-194457422-406667015-500\...\Run: [ShellExperienceHostp] => C:\ProgramData\System32\Logs\ShellExperienceHostp.exe [899072 2016-08-29] (Microsoft Corporation)
HKU\S-1-5-21-3954276434-194457422-406667015-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05162018085405710\...\Run: [ShellExperienceHostp] => C:\ProgramData\System32\Logs\ShellExperienceHostp.exe [899072 2016-08-29] (Microsoft Corporation)

ContextMenuHandlers1: [SystemHelper] -> {851aab5c-2010-4157-9c5d-a28dfa7b2660} =>  -> No File

Task: {68746C60-7353-4C14-89CA-88A700D3BCF0} - System32\Tasks\WindowsRecoveryCleaner => C:\ProgramData\Iostream.exe <==== ATTENTION

C:\ProgramData\Iostream.exe
C:\ProgramData\System32\Logs\ShellExperienceHostp.exe
C:\ProgramData\WindowsTask

 

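The FRST entries Aura lists above describe a small, recognisable persistence set: a Run value under the Administrator's hive and a scheduled task, both pointing at executables dropped in C:\ProgramData, a process carrying a ShellExperienceHost look-alike name, a folder Explorer will not open, and a Task Manager that misbehaves. The following is an added PowerShell hunt for that same pattern on any of the other servers; it is not code from the thread or from Malwarebytes. The path used for the genuine ShellExperienceHost.exe is my assumption for a stock Windows 10 / Server 2016 install, and the IFEO Debugger and DisableTaskMgr checks are common ways Task Manager gets hijacked, not something the thread confirmed was in play here.

```powershell
# Added example, not from the thread: hunt for the persistence pattern in the FRST log above
# (Run value and scheduled task under C:\ProgramData, look-alike ShellExperienceHost process,
# hidden WindowsTask folder) and sanity-check Taskmgr.exe. Run elevated.
# ASSUMPTIONS: stock SystemApps location for ShellExperienceHost; IFEO/policy checks are generic.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Where, [string]$Target) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Target = $Target })
}
function Test-SuspectPath([string]$Path) {
    # User-writable roots that nothing belonging to Windows should autostart from
    $roots = @("$env:ProgramData\", "$env:PUBLIC\", "$env:SystemDrive\Users\")
    $p = $Path.Trim('"')
    foreach ($r in $roots) { if ($p -like "$r*") { return $true } }
    return $false
}

# 1. Run / RunOnce for HKLM and every loaded user hive (FRST: HKU\S-1-5-21-...-500\...\Run).
$runKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
            "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        if (Test-SuspectPath ([string]$p.Value)) { Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value }
    }
}

# 2. Scheduled tasks whose action runs from a suspect root
#    (FRST: WindowsRecoveryCleaner -> C:\ProgramData\Iostream.exe).
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -and (Test-SuspectPath $a.Execute)) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $a.Execute
        }
    }
}

# 3. Processes wearing the ShellExperienceHost name but not running from where Windows keeps it.
$genuine = "$env:WINDIR\SystemApps\ShellExperienceHost_cw5n1h2txyewy\"
Get-Process | Where-Object { $_.Name -like '*ShellExperienceHost*' -and $_.Path -and $_.Path -notlike "$genuine*" } |
    ForEach-Object { Add-Finding 'Process' "PID $($_.Id)" $_.Path }

# 4. The folder Explorer could not open: -Force lists hidden/system entries and their attributes.
$dir = "$env:ProgramData\WindowsTask"
if (Test-Path -LiteralPath $dir) {
    Add-Finding 'HiddenDir' ("attributes=" + (Get-Item -LiteralPath $dir -Force).Attributes) $dir
    Get-ChildItem -LiteralPath $dir -Force -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'HiddenDir' ("attributes=" + $_.Attributes) $_.FullName }
}

# 5. Task Manager: Microsoft-signed (catalog-signed on Win10/2016, so SignatureType reads "Catalog")
#    and neither redirected through an IFEO Debugger value nor disabled by policy.
$tm  = "$env:WINDIR\System32\Taskmgr.exe"
$sig = Get-AuthenticodeSignature -FilePath $tm
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Add-Finding 'Taskmgr' "signature=$($sig.Status)" $tm
}
$ifeo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe' -ErrorAction SilentlyContinue
if ($ifeo.Debugger) { Add-Finding 'Taskmgr' 'IFEO Debugger' $ifeo.Debugger }
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    if ($pol.DisableTaskMgr) { Add-Finding 'Taskmgr' "$hive DisableTaskMgr" $pol.DisableTaskMgr }
}

# 6. Hash every flagged file so it can be looked up on VirusTotal by hash instead of uploading it.
$findings | ForEach-Object {
    $f    = $_.Target.Trim('"')
    $hash = if (Test-Path -LiteralPath $f -PathType Leaf) { (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash } else { '' }
    $_ | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash -PassThru
} | Format-Table -AutoSize -Wrap
```

Two practical notes. Hashing first and searching VirusTotal for the SHA256 answers Aura's "upload Taskmgr.exe" request without handing a possibly-clean system binary to a third party; `sfc /verifyfile=C:\Windows\System32\Taskmgr.exe` is the built-in way to confirm the file matches the Windows component store. And because the miner in this thread repeatedly came back after cleaning, run the hunt once after Malwarebytes' quarantine and once more a day later: a Run value or task that reappears points at a dropper that was missed, exactly the situation Aura suspected with Explorer.dll.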

I can give you RDC access via PM.

that's not a problem on my end, and you can take whatever files you need.

It's an empty "fresh" server with just Windows on it (I didn't get to setting it up and the hackers hacked it in the meantime),

so this wasn't infected by me (by installing infected software).


The folder might be marked as a system folder. If you type C:\ProgramData\WindowsTask in the Windows Explorer address bar and try to access it, does it work?

And we do not provide remote assistance on the forums sadly :) But the way we're working right now is fine with me.


When I posted my last message, Malwarebytes couldn't find any virus.

Now I did a new scan and it found 4 infected files. So either the virus is back, or you updated the database and it found files that were considered clean before.

attaching the logs

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/16/18
Scan Time: 5:22 PM
Log File: 2b9d87ae-594f-11e8-9857-00266cf2e461.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.365
Update Package Version: 1.0.5134
License: Trial

-System Information-
OS: Windows 10 Server (Build 14393.2248)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 422999
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 22 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Trojan.BitCoinMiner, C:\PROGRAMDATA\SYSTEM32\LOGS\ShellExperienceHostp.exe, Quarantined, [515], [522461],1.0.5134

Module: 1
Trojan.BitCoinMiner, C:\PROGRAMDATA\SYSTEM32\LOGS\ShellExperienceHostp.exe, Quarantined, [515], [522461],1.0.5134

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.BitCoinMiner, HKU\S-1-5-21-3954276434-194457422-406667015-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ShellExperienceHostp, Quarantined, [515], [522461],1.0.5134

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.BitCoinMiner, C:\PROGRAMDATA\SYSTEM32\LOGS\ShellExperienceHostp.exe, Quarantined, [515], [522461],1.0.5134

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

