New Virus or Something Fred Yarbrough
4/17/2006 9:08:48 AM
iis security:
We have had 3 separate Windows 2000 servers running IIS come down with
something. This started about 2 weeks ago and it has the following
symptoms.

The server is very slow to login to. Once up, if you go to the Event Viewer
you can see entries but cannot go into an entry to view the details of it.
When you go to Manage the computer, IIS is completely gone from the
Management MMC. If you go to Add and Remove Programs it looks all funky
like C&lose for the button and the title script is all jammed together and
nothing shows up. All websites are down. We have had to rebuild 3 servers
because we could not figure out what was going on. We are running Trend's
Office Scan Antivirus on the boxes and most all patches are applied. Any
ideas?


Thanks,
Fred

Re: New Virus or Something Fred Yarbrough
4/17/2006 4:37:32 PM
Has anyone seen a root kit using the following files?
Zzgdqzow.dll Zzgdqzow.exe Zzgdqzow.drv Zzgdqzow.ime Zzgdqzow.sys
Zzgdqzow.tmp

My server has these files. Help!!!


Re: New Virus or Something Smith
4/17/2006 6:44:05 PM
Hope you have a backup... then reformat.


As I said for many years, MS finally says the best way to get rid of problems is
REFORMAT.


Re: New Virus or Something Jon Phipps
4/18/2006 7:22:38 AM

the odd thing is that I can find nothing on these files on the internet,
google, mcafee, hotbot, msn all show up nothing...
So I can be of no help in telling what caused it :(
Jon


Re: New Virus or Something Roger Abell [MVP]
4/18/2006 7:22:52 AM

which as I recall is what MS also has been saying for years . . .


Re: New Virus or Something Roger Abell [MVP]
4/18/2006 7:27:39 AM

Well, I was concerned when I saw your "most patches" comment.

If you had been able to keep an image from one of them then
something may have been discovered. Keep in mind that your
environment might have facilitated spread from the initial entry
machine onto the others even if the others had no vulnerabilities
other than configuration that did not isolate them.

Do you have any info from the headers of those Zzgdqzow files?
The naming may be unique to your penetration.



Re: New Virus or Something Fred Yarbrough
4/18/2006 8:15:14 AM
Yep, that is what we have done but the scary part is that I do not know how
it happened.

Thanks,
Fred



Re: New Virus or Something jeroen.wijnands NO[at]SPAM gmail.com
4/18/2006 8:23:56 AM

I'd say, create ghost images of the affected systems, scrub them and
reinstall.

You don't have admins surfing the web from one of your servers?


Jeroen
http://wijnands.blogspot.com
Re: New Virus or Something Fred Yarbrough
4/18/2006 9:34:56 AM
We have several machines with it here now. Some are fully patched! W2K3
servers and W2K servers too.

I will be calling Microsoft as soon as we get a grasp as to what is going
on.



Thanks,
Fred


Re: New Virus or Something: whois data for addresses Jon Phipps
4/18/2006 9:44:54 AM
see bottom of message
inetnum: 61.144.253.0 - 61.144.253.15
netname: SHENZHEN-COMPUTER-NETWORK-SECURITY
descr: SHENZHEN ASSOCIATION OF COMPUTER NETWORK PUBLIC SECURITY
country: CN
admin-c: HL192-AP
tech-c: HL192-AP
status: ASSIGNED NON-PORTABLE
changed: 20040310
mnt-by: MAINT-CHINANET-GD
source: APNIC

person: HU LIHUASZA
nic-hdl: HL192-AP
e-mail:
address: SAIGE INDUSTRIAL PARK,SHENZHEN
country: CN
phone: +86-755-82193222
fax-no: +86-755-82193984
changed: 20040310
mnt-by: MAINT-CHINANET-GD
source: APNIC

Jon

Re: New Virus or Something Fred Yarbrough
4/18/2006 10:32:28 AM
I suspect that to be a very good possibility.

We have our systems patched and running Trend OfficeScan and it is not
stopping it.

We have noticed these infected machines are broadcasting out HTTP to the
following IP addresses:

61.144.253.3
61.144.253.6

Check your firewall logs for http going to either of these sites!!!!



Thanks,
Fred


Re: New Virus or Something| whois 211-235-253-131 Jon Phipps
4/18/2006 1:01:34 PM

inetnum: 211.232.0.0 - 211.255.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: 20000908
changed: 20010627
status: ALLOCATED PORTABLE
source: APNIC

person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail:
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: 20020507
source: APNIC

inetnum: 211.235.253.128 - 211.235.253.255
netname: KRLINE-LLINE-ORAM-KR
descr: ORAM
country: KR
admin-c: HC081-KR
tech-c: HC081-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed:
source: KRNIC

Re: New Virus or Something Fred Yarbrough
4/18/2006 1:21:53 PM
Update.

There is another IP address the infected machines are trying to contact
211.235.253.131.

The file names also appear to be somewhat random but have always been located
in our c:\winnt\system32 directory. They always start with z and appear as
6 files on Windows 2000 Servers. Our Windows 2003 server only shows the
single dll file.
Here is what one of our W2K servers has for these files:

Zzgdqzow.dll
Zzgdqzow.drv
Zzgdqzow.ime
Zzgdqzow.log
Zzgdqzow.sys
Zzgdqzow.tmp


Fred



Re: New Virus or Something Daniel Crichton
4/19/2006 12:00:00 AM
Fred wrote on Tue, 18 Apr 2006 13:21:53 -0500:


If you get what appears to be an infection and your AV product isn't picking
it up, then it's worth getting other AV vendors to check it too. Try NAI;
you can submit samples online and get an instant response.

http://vil.nai.com/vil/submit-sample.aspx

Searching for the filenames on Google will likely be pointless as the
filenames will be random, and you'll only find a match if someone else
happens to have the same filenames generated. Even then it might be
something completely different. The only sure way to find out what they are
is to get an AV product to detect the signature.

Dan

Re: New Virus or Something Fred Yarbrough
4/19/2006 3:03:42 PM
Microsoft and Trend have confirmed this to be a new Malware/RootKit attack.
Trend is trying to develop a pattern/fix for it. We are testing samples for
them but nothing stops it yet. Watch your firewall logs for outgoing HTTP
traffic to any of the 3 IP addresses.


61.144.253.3
61.144.253.6
211.235.253.131




Thanks,
Fred
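The two defender-side checks Fred describes above, the z-prefixed same-basename file cluster in system32 (his 1:21 PM update) and outbound HTTP to the three listed addresses (this post), as an added example that is not part of the original thread. The firewall log format and the system32 listing are constructed samples; the IP addresses and file names come from the thread.

```python
import re
from collections import defaultdict

# Outbound destinations named in the thread (historical indicators, April 2006).
SUSPECT_HOSTS = {"61.144.253.3", "61.144.253.6", "211.235.253.131"}

# Constructed sample log in a generic "date time action proto src:port dst:port"
# shape; not any real firewall product's format. 192.0.2.10 is a documentation address.
SAMPLE_FW_LOG = """\
2006-04-18 09:41:02 ALLOW TCP 10.1.2.15:1042 61.144.253.3:80
2006-04-18 09:41:05 ALLOW TCP 10.1.2.15:1043 10.1.2.20:445
2006-04-18 09:41:09 ALLOW TCP 10.1.2.31:2210 211.235.253.131:80
2006-04-18 09:41:12 DENY  TCP 10.1.2.15:1044 61.144.253.6:8080
2006-04-18 09:41:15 ALLOW TCP 10.1.2.77:1100 192.0.2.10:80
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+)\s+(?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def suspicious_connections(log_text):
    """Return (src, dst, dport, action) for each line whose destination is a suspect host.
    Any port counts: the thread only says 'http', and a DENY still marks an infected source."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["dst"] in SUSPECT_HOSTS:
            hits.append((m["src"], m["dst"], int(m["dport"]), m["action"]))
    return hits

def infected_hosts(log_text):
    """Internal sources that talked to any suspect host, deduplicated and sorted."""
    return sorted({src for src, *_ in suspicious_connections(log_text)})

# Extensions the thread reports for the dropped files (.exe from the first post, .log from the update).
CLUSTER_EXTS = {"dll", "exe", "drv", "ime", "log", "sys", "tmp"}

def suspect_file_clusters(filenames, min_exts=2):
    """Group a system32 listing by basename and report z-prefixed basenames that occur
    with at least min_exts of the extensions above. Fred's W2K3 box showed only the
    .dll, so pass min_exts=1 there (and expect more false positives to triage)."""
    by_base = defaultdict(set)
    for name in filenames:
        base, dot, ext = name.lower().rpartition(".")
        if dot and base.startswith("z") and ext in CLUSTER_EXTS:
            by_base[base].add(ext)
    return {b: sorted(e) for b, e in by_base.items() if len(e) >= min_exts}

# Constructed listing: the cluster from the thread plus two legitimate-looking names.
SAMPLE_SYSTEM32 = ["Zzgdqzow.dll", "Zzgdqzow.drv", "Zzgdqzow.ime", "Zzgdqzow.log",
                   "Zzgdqzow.sys", "Zzgdqzow.tmp", "zipfldr.dll", "kernel32.dll"]
```

On a real listing the cluster check is a triage heuristic, not a detection signature; confirm any hit the way Dan suggests below, by submitting the files to an AV vendor.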

Re: New Virus or Something Fred Yarbrough
4/19/2006 5:06:23 PM
This is a new form of the Backdoor.Hesive.C Trojan.



Fred




Re: New Virus or Something Roger Abell [MVP]
4/21/2006 7:02:38 AM

Or even from a workstation to which they are allowed
login with credentials used for server management and
from which the servers are network accessible for more
than http/https.

Roger

Re: New Virus or Something jeroen.wijnands NO[at]SPAM gmail.com
4/21/2006 7:17:59 AM

That's of course another possibility. It's a more common cause than
some rootkit appearing mysteriously on the server.

Jeroen
http://wijnands.blogspot.com