Incurable hacktool!

Closed
Jeetiz - 26 Feb. 2008 at 10:08
Jeetiz - 26 Feb. 2008 at 16:20
Hi all,

I was recently the victim of a hacktool, apparently on a professional web server.
It is a Windows 2000 Server SP4, but I have not installed all the security updates because it is a production web server directly reachable from the outside (in a DMZ).

But now I have received an email from Oléane informing me that they will cut the line if I do not stop the spam attempts (attack coming from my public IP address in their logs).

The Symantec antivirus (definitions: 24/02/2008 rev.3) does not detect anything at all...

Yet with TCPView I can see about fifty requests per second on standard ports (IMAP, SMTP, SSH, ...) toward public IP addresses... (see screenshot => http://img213.imageshack.us/img213/6883/tcpdl9.jpg)

So I went through a PandaActiveScan online scan, which detected a problem with the file "svchxp.kk3" (in c:/WINNT/...); I don't know whether the problem comes from that file..

And having that same file analysed by virustotal, a site that analyses a given file with 32 antivirus engines, 8 of the 32 detected 'something' without really knowing what, but it would appear to be a hacktool-scanline or something of the sort...

See the result => Link: https://www.hightail.com/
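The symptom described above (a DMZ web server that should only answer inbound HTTP instead opening dozens of outbound SMTP/IMAP/SSH connections per second to many different public hosts) is easy to spot in a `netstat -n` or TCPView text export. The following is an added example, not code from the original post or its replies: it parses constructed netstat-style rows and flags each service where the host fans out to several distinct external addresses; the sample rows, the TEST-NET addresses and the threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout of Windows `netstat -n` (or a TCPView
# text export); addresses are TEST-NET / RFC 1918 documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
  TCP    192.168.1.20:80      198.51.100.7:51022    ESTABLISHED
  TCP    192.168.1.20:80      198.51.100.9:51090    ESTABLISHED
  TCP    192.168.1.20:1031    203.0.113.5:25        SYN_SENT
  TCP    192.168.1.20:1032    203.0.113.6:25        SYN_SENT
  TCP    192.168.1.20:1033    203.0.113.7:143       SYN_SENT
  TCP    192.168.1.20:1034    203.0.113.8:22        SYN_SENT
  TCP    192.168.1.20:1035    203.0.113.9:25        SYN_SENT
  TCP    192.168.1.20:1036    203.0.113.10:25       ESTABLISHED
  TCP    192.168.1.20:1037    192.168.1.5:53        ESTABLISHED
"""

# Services the post saw being hammered; a DMZ web server should not be a client of these.
SUSPECT_PORTS = {22: "ssh", 25: "smtp", 110: "pop3", 143: "imap"}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")

# Explicit RFC 1918 list: ipaddress.is_private also treats the TEST-NET ranges as
# private, which would hide the constructed "public" destinations above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in RFC1918)

def parse_connections(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for each TCP row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def find_outbound_fanout(text, threshold=3):
    """Return {service: [remote hosts]} for services where this host acts as the
    client (ephemeral local port) of at least `threshold` distinct external hosts.
    Inbound web traffic (local port 80) and internal destinations are ignored."""
    targets = defaultdict(set)
    for _lip, lport, rip, rport, _state in parse_connections(text):
        if lport > 1023 and rport in SUSPECT_PORTS and not is_internal(rip):
            targets[SUSPECT_PORTS[rport]].add(rip)
    return {svc: sorted(hosts, key=ipaddress.ip_address)
            for svc, hosts in targets.items() if len(hosts) >= threshold}
```

On a real host, feed the saved output of `netstat -n` (taken a few seconds apart) into `find_outbound_fanout`; a steady set of SYN_SENT rows to ever-changing external hosts on port 25 is the outbound spam pattern the ISP complained about.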

2 replies

edit:
The link for the image was not working:
http://img213.imageshack.us/img213/6883/tcpdl9.jpg
Here is the HJT log (hostname = sama02):
I have doubts in particular about:

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://sama02:81/infotrackit/downloads/BOSIActiveXGrid.cab

O23 - Service: Pegasus WMI Mapper (WMI Mapper) - Unknown owner - C:\Program Files\The Open Group\WMI Mapper\bin\WMIServer.exe



Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
D:\ORACLE\9IAS\Apache\Apache\Apache.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\ORACLE\9IAS\Apache\Apache\Apache.exe
C:\hp\hpsmh\bin\smhstart.exe
D:\ORACLE\9IAS\Apache\jdk\bin\java.exe
D:\ORACLE\9IAS\Apache\jdk\bin\java.exe
C:\WINNT\TIREMOTE\wuser32.exe
C:\WINNT\TIREMOTE\TIRemoteService.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\The Open Group\WMI Mapper\bin\WMIServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\system32\CpqRcmc.exe
C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\msdtc.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINNT\system32\sysdown.exe
C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\WINNT\system32\cpqteam.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrateur.FPT\Bureau\stng380.exe
C:\Documents and Settings\Administrateur.FPT\Bureau\tcpview\Tcpview.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1.FPT\LOCALS~1\Temp\1\Rar$EX00.391\HijackThis.exe
C:\DOCUME~1\ADMINI~1.FPT\LOCALS~1\Temp\1\Rar$EX00.297\HijackThis.exe
C:\DOCUME~1\ADMINI~1.FPT\LOCALS~1\Temp\1\Rar$EX00.250\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SPROX01.FPT:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - https://www.kaspersky.fr/?domain=webscanner.kaspersky.fr
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - https://www.pandasecurity.com/en/homeusers/online-antivirus/?ref=activescan
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://sama02:81/infotrackit/downloads/BOSIActiveXGrid.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) - http://sama02:81/infotrackit/downloads/BOSIActiveXMemoControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fpt
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2006AC-272B-4B80-B44E-71604C8FB5B6}: Domain = fpt
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2006AC-272B-4B80-B44E-71604C8FB5B6}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fpt
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fpt
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\hpadu\Bin\hpapp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINNT\system32\CpqRcmc.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Oracle Web Integration Server - Unknown owner - D:\ORACLE\9IAS/panama/webintegration/server/bin/serverSvc.exe
O23 - Service: OracleORACLE9IASAgent - Oracle Corporation - D:\ORACLE\9IAS\bin\dbsnmp.exe
O23 - Service: OracleORACLE9IASClientCache - Unknown owner - D:\ORACLE\9IAS\BIN\ONRSD.EXE
O23 - Service: OracleORACLE9IASDataGatherer - Oracle Corporation - D:\ORACLE\9IAS\bin\vppdc.exe
O23 - Service: OracleORACLE9IASHTTPServer - Unknown owner - D:\ORACLE\9IAS\Apache\Apache\Apache.exe
O23 - Service: OracleORACLE9IASPagingServer - Unknown owner - D:\ORACLE\9IAS/bin/pagntsrv.exe
O23 - Service: OracleORACLE9IASTNSListener - Unknown owner - D:\ORACLE\9IAS\BIN\TNSLSNR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHP) - Hewlett-Packard Company - C:\hp\hpsmh/bin/smhstart.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINNT\TIREMOTE\TIRemoteService.exe
O23 - Service: Pegasus WMI Mapper (WMI Mapper) - Unknown owner - C:\Program Files\The Open Group\WMI Mapper\bin\WMIServer.exe