Compromised Web Server? Anybody recognize?


John Kotuby

Hi all,
We lease a non-managed Web Server running AV software but no IDS. It is
Windows 2003 STD which receives automatic nightly Windows Security patches at
3AM.

When I logged into the RDP console on Monday I saw what looked like a
Password Cracking software running with the name at the top of the window
E-Security. It looks like it had gone through 69,914,496 permutations already.

I went into Task Manager and killed a program I did not recognize
netman24.exe. I killed it and also saw about 12 instances of
CheckingThread.exe disappear.

I did not want to click the Close button in the program because who knows
what that might have done.

Looking in Services, right under Network Connections there were 3 other
similar services all claiming to be Microsoft.
Network Connections 24
Network Connections 32
Network Connections 64

Doing a search on Microsoft for netman24.exe brought up nothing.
Doing a similar search on Google brought up nothing.
Same for Symantec.

I changed the Startup Option on Network Connections 24 from Automatic to
Manual. I have not gotten rid of those services or programs yet in case they
are valid.

Maybe the connection between netman24.exe being killed and
CheckingThread.exe instances disappearing was coincidental but I don't think
so.

I can't get to the Windows 2003 Server newsgroup from within MSDN, so I am
posting here first.

Anyone else seen anything like this or recognize these programs as valid?

Thanks for any input...
 

Mohamad Elarabi [MCPD]

FYI, this isn't exactly the group for this.

I would search the local drives for the files first and see what folder
structure they are located in. In the same folder you can find more info
regarding that exe. You can also get meta info from the executable about who
made it etc.

You should take a restore point before any of this just in case you mess up.

If you determine that this application is malicious and you don't want it,
do not uninstall it from Add/Remove Programs if it is there. Some malware
will install a differently named version of the same app if you try
uninstalling it. To get rid of it try renaming the folder. Then search the
registry for the filename.exe and see what it got itself into. At this point
you really need to know what you're doing. You might want to write down the
keys you found it in or back it up via the Export feature in Regedit. You
will then need to reboot and check your running processes again.
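The checks Mohamad lists (find the files, read their metadata, see what the registry references) and the look-alike services John describes, as an added example script that is not from this thread. It assumes Windows PowerShell 2.0 or later (installable on Windows Server 2003) in an elevated session; the service and binary names are the ones reported above, and the script only reads, it changes nothing.

```powershell
# Added example, not code from the thread. Read-only triage for the symptoms
# John describes: look-alike "Network Connections NN" services and the
# netman24.exe / CheckingThread.exe binaries. Assumes Windows PowerShell 2.0+
# in an elevated session on the affected host.

$suspectBinaries = @('netman24.exe', 'CheckingThread.exe')
$binPattern = ($suspectBinaries | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Services whose display name mimics the genuine "Network Connections"
#    (which has no numeric suffix), plus the image path each one actually runs.
Get-WmiObject Win32_Service |
    Where-Object { $_.DisplayName -match '^Network Connections\s+\d+$' -or $_.PathName -match $binPattern } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
    Format-List

# 2. Live processes on the suspect list, with full path, command line and parent PID
#    (the parent tells you whether netman24.exe really spawns CheckingThread.exe).
Get-WmiObject Win32_Process |
    Where-Object { $suspectBinaries -contains $_.Name } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Format-List

# 3. Locate the binaries on every fixed drive and read their version metadata
#    (Mohamad's "who made it" check); an empty CompanyName is itself a finding.
$roots = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { $_.DeviceID + '\' }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include $suspectBinaries -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = $_.VersionInfo
            New-Object PSObject -Property @{
                Path = $_.FullName; SizeBytes = $_.Length; Created = $_.CreationTime
                Company = $v.CompanyName; Product = $v.ProductName; Description = $v.FileDescription
            }
        } | Format-List
}

# 4. Registry persistence: Run/RunOnce values and service ImagePath entries that
#    reference a suspect binary. Export a key with regedit before editing it.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { "$($_.Value)" -match $binPattern } |
            ForEach-Object { "$key : $($_.Name) = $($_.Value)" }
    }
}
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ("$img" -match $binPattern) { "$($_.PSChildName) : ImagePath = $img" }
    }
```

Run it before killing anything else, and save the output: once the processes are gone, the parent/child relationship and command lines are the evidence you can no longer collect.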
 

LVP

Component Name: Netman.exe

Description of Netman.exe
This is a component of NetMan Enterprise. NetMan Enterprise is network
administration software. It monitors actions on each PC on your network and
alerts the Administrator if the PC is used for a function that violates
standard procedures.

Recommendation for Netman.exe N/A


Trusted: Yes
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No

Company Name: Accord Software and Systems Inc.
Platforms Affected:
Methods of Distribution: .
Variants/Versions:
Release Date: .

I don't think automated updates on a server is a smart thing to do.

netmanXX.exe may not be a virus, but could be a virus disguised as a
system-network type file.


Are you in full control of this server, or is it leased remotely? If leased
remotely, then check with the remote sys-admin.



LVP
 

LVP

Your PC may be infected. The presence of NETMAN.EXE is a common symptom of
infection.
We suggest you thoroughly check your PC as soon as possible. Prevx CSI will
check your PC and quickly detect malicious software like NETMAN.EXE and
millions of other bad programs. It is totally free and takes less than 2
minutes to run. To scan your PC now click the green Scan Now button on the
left.
 

John Kotuby

Thanks for the input LVP--

LVP said:
Your PC may be infected. The presence of NETMAN.EXE is a common symptom of
infection.
We suggest you thoroughly check your PC as soon as possible. Prevx CSI
will check your PC and quickly detect malicious software like NETMAN.EXE
and millions of other bad programs. It is totally free and takes less than
2 minutes to run. To scan your PC now click the green Scan Now button on
the left.
 

John Kotuby

Thanks Mohamad...

Yes, a Windows Server Security group would be a better bet. I was just
wondering if anyone else has seen these things, whether valid or malware,
elsewhere.
 
