Jump to content

Svchost.exe with a compromised Category Inbound Connection


Recommended Posts

I have a Custom Home Server with Windows server 2016 Datacenter GUI OS.

 

I have MWB premium installed and it shows that I have been getting quite a few attempts from a IP address of 185.201.*.* range of ip addresses.

 

Until recently I didn't think that much of it since I have my server connected outside through a dyn dns service so that I can remotely connect to it easily.  I have of course already disabled the default Administrator account and have another account as the standard admin account and it has a custom name and password.  i have disabled guest and am regularly getting tons of failed attempts to brute force to my RDP port, which btw has been changed from default also.  Attached are logs that keep showing that svchost.exe has a trojan attempting to connect.

 

 

FRST_10-05-2020 12.05.28.txt Addition_10-05-2020 12.05.28.txt Threat Report.txt

Link to post
Share on other sites

Hello riboild and welcome to Malwarebytes,

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

user posted image

Next,

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Export toTxt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply..

Thank you,

Kevin

 

fixlist.txt

Link to post
Share on other sites

Okee Dokee Thanks for helping me.

 

I have done everything but that last msrt log looks either like it's failing to be written completely or being truncated.  I am going to paste the last bit for today in this post and the actual msert.log contents.  Don't know if there is something wrong.

Also, almost all of my original startup programs that I use for my NVR( cameras outside my house) are not starting up, I have not restarted them but they are not opening up on startup.  I don't know if that is what is supposed to happen, but either way.. Hope this is sufficient.

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.81, (build 5.81.16832.1)
Started On Tue Mar 10 20:24:49 2020

Engine: 1.1.16800.2
Signatures: 1.311.96.0
MpGear: 1.1.16330.1
Run Mode: Scan Run From Windows Update
 

 


---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.315.389.0)
Started On Sun May 10 19:08:37 2020
->Scan ERROR: resource process://pid:440,ProcessStart:132336252075932094 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:560,ProcessStart:132336252100864773 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:660,ProcessStart:132336252102753076 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:668,ProcessStart:132336252102780775 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:776,ProcessStart:132336252103821806 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2392,ProcessStart:132336252114928875 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2584,ProcessStart:132336252115109221 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4520,ProcessStart:132336253342995804 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2392,ProcessStart:132336252114928875 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2584,ProcessStart:132336252115109221 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))

Quick Scan Results for 6FAD8DB4-D521-4A07-B951-0069F409F3B3:
----------------
->Scan ERROR: resource process://pid:2392,ProcessStart:132336252114928875 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2584,ProcessStart:132336252115109221 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2392,ProcessStart:132336252114928875 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2584,ProcessStart:132336252115109221 (code 0x00000005 (5))

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Sun May 10 19:11:36 2020


Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.315.389.0)
Started On Sun May 10 19:14:07 2020
->Scan ERROR: resource process://pid:440,ProcessStart:132336252075932094 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:560,ProcessStart:132336252100864773 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:660,ProcessStart:132336252102753076 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:668,ProcessStart:132336252102780775 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:776,ProcessStart:132336252103821806 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2392,ProcessStart:132336252114928875 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2584,ProcessStart:132336252115109221 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4520,ProcessStart:132336253342995804 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:6196,ProcessStart:132336258654667862 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2440,ProcessStart:132336259136544741 (code 0x0000012B (299))
->Scan ERROR: resource process://pid:12228,ProcessStart:132336259139405510 (code 0x0000012B (299))
->Scan ERROR: resource process://pid:6196,ProcessStart:132336258654667862 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2392,ProcessStart:132336252114928875 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2584,ProcessStart:132336252115109221 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))

Quick Scan Results for 6FAD8DB4-D521-4A07-B951-0069F409F3B3:
----------------
->Scan ERROR: resource process://pid:2392,ProcessStart:132336252114928875 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2584,ProcessStart:132336252115109221 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2392,ProcessStart:132336252114928875 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2584,ProcessStart:132336252115109221 (code 0x00000005 (5))

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Sun May 10 19:16:50 2020


Return code: 0 (0x0)
 

Fixlog_10-05-2020 18.50.57.txt May 10th, 2020 1856.txt AdwCleaner[S02].txt AdwCleaner[C02].txt

Link to post
Share on other sites

I do use remote desktop even against most recommending against it as it works and I can set it up relatively quickly.  Only downside with it is the same with all others that are popular:Everyone has ready access to it and since lots or customers or clients are using it it is a great idea to concentrate on it and exploit.

 

I always monitor all logs on clients machines and my own daily.  I am checking custom event logs that show that people are just doing simple port scans and when they find one they will just do the most common(IMO) method of hacking a server, Brute force.

 

I see the most wierdest login names and from the weirdest places, but the most common recently has literally shown to be netherlands or even france.  I have had a few from india and I think from korea but most have been concentrated in the netherlands... don't know why.

Link to post
Share on other sites

Hello riboild,

The errors listed in Microsoft Safety Scanner log mean certain processes on your system have not been scanned, not sure why that should be so.. You can check which part of the system the errror refers to by opening Taskmanager, select "Processes" tab, then select "Details" tab. From there you will see PID reference listed against each process on your system, those can be match against PID reference in the log. There will also be reference to each ones status, eg running or suspended.. Also user name, amount of ram and UAC status..

I would prefer that you run another indepth scan, this time with ESET, when that completes also rerun FRST and post fresh logs...

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.


Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

user posted image

Post those logs to your next reply..

Thank you,

Kevin.

 

Link to post
Share on other sites

Ok so nothing I wasn't expecting as I have some files that I have had for a while that had positives and were actually deleted, even my little memory editor "cheat engine" which from my research actually isn't malicious but it uses similar tech to do what it does that viruses and the like use... So meh.

 

Other than that I haven't seen anything wierd.  

 

MWBAM Though... it keeps showing that the ip address :185.202.2.35: keeps trying and I understand that it is being actively prevented, HOW can I just outright prevent it from connecting at all or even pinging me?  Is this literally out of the question?  I have an asus router that supposedly has that function but I am apparently too dumb to get it to work correctly.

 

Any help in that area would be greatly appreciated.

 

Thanks!!!

ESET Scan Cleans.txt FRST.txt Addition.txt Detected but blocked.txt

Link to post
Share on other sites

Another thing of note: ESET would not run either in the downloads folder or even in a folder that I made on the C:\ Drive.  I made a folder "scanner" and it would literally blink and exit after starting scan.  I ran as admin but also I AM on server 2016 also.  I added it to malwarebytes as an allowed app but still didn't get past.  So I finally put it on another drive in my server and folder and it was able to be ran, though it persistently said could not update or failed to update (1).  

 

Any idea what that is all about???

Link to post
Share on other sites

Hello riboild,

Not really sure why ESET would not run, just looked at system requirements at ESET website and do not see Server 2016 listed. Only see Microsoft Windows 10/8.1/8/7/Vista/2003/XP.

There is a thread developing in our private forum with reports on several threads showing inbound attacks on svchost.exe, very similar to yours. No definite answers yet...

Have a look at the following link regarding security on your router:

 
Don`t see anything wrong with the FRST logs, I`ll let you know if there is a definite answer regarding the inbounds to svchost..
 
Thanks,
 
Kevin..
 

 

Link to post
Share on other sites

  • Root Admin

Just an FYI that in most cases the online antivirus scanners are provided for Consumer versions of Windows. They are often not designed to be used by Server platforms on purpose.

Platform: Windows Server 2016 Datacenter Version 1607 14393.3659 (X64) Language: English (United States)

Also note that your version of server ends normal Microsoft support on 01/11/2022 - there is Extended support available until 01/11/2027

 

 

Edited by AdvancedSetup
updated information
Link to post
Share on other sites

I hear ya man.  I am only using the server for a file server and being able to remotely access files that maybe I wont have on my service laptop or on an external that I carry.  I do a lot of IT related work in addition to automation and cnc machining.  I am just about every day having to repair or diagnose some kind of electrical or computer related problem and I use RDP pretty much every day, even at home.   Server is downstairs in the basement and i tend to use my laptop in the kitchen any more.  I got the OS on the cheap(if several hundred is your idea of cheap) and I hate that you can't just update to a later release instead of having to do a full on reinstall with new media.  But I digress, i have known about the kids and the like just trying to get into any thing they can just for the fun and potential payoff of it...  i regularly check my even logs and if it werent for decent security suites being in the several hundred dollar range a year or more, i would have a full fledged suite, but MBAM is very good and has kept the server protected when I aint actively checking it.  For that It's worth every penny.

 

I have used it forever to help rid customers' computers of virii and malware for nearly a decade if not more.  I trust it more than any antivirus out there.

 

That being said, I would just have a windows 10 PC for a server but IMHO it's not nearly as capable to button up and keep protected and in the current state of windows 10 updates.... I don't trust MS any further than I could throw them.

 

Thanks for the info.

Link to post
Share on other sites

They appear to have ceased since this morning around 930 EST which is where I am located in.  I have not had one since.  That is really great news, and updating malwarebytes  was not possible since it was already on latest revision.  I even went as far as downloading the installer again and running it.  it literally is the same version.  

 

But even as such, I am not getting any notifications that Somebody is being blocked...

Event Viewer is still logging at least one a second the same subnet and ip of somebody from i believe it's Netherlands or france but either way, they are still spamming the crap out of my server with what appears to be french logins and of course they aren't succeeding since none are even close to my login or password.

 

Ok well thanks either way for all of you guys' help!!!  We should be good for the time being!!!

Link to post
Share on other sites

Thanks for the update riboild,

Continue to clean up:

Right click on FRST here: D:\Programs\Scanner\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.