Scheduled Tasks

nofam
27-01-2010, 10:56 AM
Just checking through my servers, and got a shock to see the attached - one of 1000 (!!) scheduled tasks all appearing to run .dll files with dodgy names.

Server has Symantec Endpoint on it. . . . .:waughh:

Pretty sure I should delete these? :badpc:
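
The pattern described in the opening post, a large number of tasks each running a DLL with a meaningless name, can be triaged from the output of `schtasks /query /fo CSV /v` before deciding what to delete. The script below is an added example for this thread, not something any poster supplied: the CSV sample is constructed and trimmed to the columns the script actually reads (real verbose output has many more), and the indicator names, the vowel-ratio heuristic and the threshold values are my own choices, not a standard.

```python
import csv
import io
import ntpath
import re
from collections import Counter

# Constructed sample of `schtasks /query /fo CSV /v` output, trimmed to the
# columns used below. Host, task names and paths are made up for illustration.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Author"
"SRV01","AT1","rundll32.exe C:\WINDOWS\system32\xkqzrtpw.dll,Start","NT AUTHORITY\SYSTEM","SRV01\Administrator"
"SRV01","AT2","rundll32.exe C:\WINDOWS\system32\qwpzmkrt.dll,Start","NT AUTHORITY\SYSTEM","SRV01\Administrator"
"SRV01","AT3","rundll32.exe C:\WINDOWS\system32\xkqzrtpw.dll,Start","NT AUTHORITY\SYSTEM","SRV01\Administrator"
"SRV01","Symantec Scan","C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe /ScanName FullScan","NT AUTHORITY\SYSTEM","SRV01\Administrator"
"SRV01","Backup","C:\WINDOWS\system32\ntbackup.exe backup @daily.bks","SRV01\backupsvc","SRV01\Administrator"
'''

# Hosts whose only job is to load a DLL supplied on the command line.
DLL_LOADERS = ("rundll32", "regsvr32")
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe)', re.IGNORECASE)
DLL_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.dll', re.IGNORECASE)
AT_JOB_RE = re.compile(r'^at\d+$', re.IGNORECASE)   # jobs created with at.exe are named At1, At2, ...


def loader_of(command):
    """Return 'rundll32'/'regsvr32' if the command starts with that loader, else None."""
    stripped = command.strip()
    if not stripped:
        return None
    first = ntpath.basename(stripped.split(None, 1)[0].strip('"')).lower()
    for loader in DLL_LOADERS:
        if first.startswith(loader):
            return loader
    return None


def target_of(command):
    """Path the task really executes: the DLL for rundll32/regsvr32, otherwise the exe."""
    match = (DLL_RE if loader_of(command) else PATH_RE).search(command)
    return match.group(0) if match else None


def looks_random(name, min_letters=5, min_vowel_ratio=0.15):
    """Crude pronounceability heuristic (heuristic chosen here, not a standard):
    product names almost always contain vowels, generated names like 'xkqzrtpw' rarely do."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_letters:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < min_vowel_ratio


def triage(csv_text, mass_threshold=3):
    """Score every task and return those with at least one indicator, worst first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Population view: how many tasks share one loader and one target directory.
    # Many near-identical tasks is the "one of 1000" pattern from the thread.
    groups = Counter()
    for row in rows:
        loader, target = loader_of(row["Task To Run"]), target_of(row["Task To Run"])
        if loader and target:
            groups[(loader, ntpath.dirname(target).lower())] += 1

    findings = []
    for row in rows:
        cmd = row["Task To Run"]
        loader, target = loader_of(cmd), target_of(cmd)
        indicators = []
        if loader:
            indicators.append("dll-loader")            # task exists only to load a DLL
        if AT_JOB_RE.match(row["TaskName"]):
            indicators.append("at-job")                # registered via at.exe, not the Tasks folder UI
        if target and looks_random(ntpath.splitext(ntpath.basename(target))[0]):
            indicators.append("random-looking-name")
        if loader and target and groups[(loader, ntpath.dirname(target).lower())] >= mass_threshold:
            indicators.append("mass-registered")
        if indicators:
            findings.append({"task": row["TaskName"], "target": target,
                             "user": row["Run As User"], "indicators": indicators})

    findings.sort(key=lambda f: -len(f["indicators"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f['task']:<15} {f['user']:<22} {f['target']}  [{', '.join(f['indicators'])}]")
```

To use it on a real box, export with `schtasks /query /fo CSV /v > tasks.csv` and feed the file's text to `triage()`. Treat the result as a work list for inspection and hashing of the flagged DLLs, not as a delete list; a flagged task is only as trustworthy as the machine that reported it, which is the point pkm makes further down the thread about a rooted system lying about its own state.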

fred_fish
27-01-2010, 11:01 AM
Ripley: I say we take off and nuke the entire site from orbit. It's the only way to be sure.

wratterus
27-01-2010, 11:01 AM
Eew... Symantec yet again for the win. :ban

KarameaDave
27-01-2010, 11:10 AM
Ah, the joys of Windows servers.:p

Speedy Gonzales
27-01-2010, 11:32 AM
I would say it's full of trojans / malware.

pkm
27-01-2010, 11:36 AM
DIY home server with JBOD or business server with RAID?

Is your box rooted? If it's just a home server I'd take it offline and check the contents of its hard drive with a Linux live CD, or at the very least on another system - otherwise files/folders could be hidden.

nofam
27-01-2010, 11:45 AM
> DIY home server with JBOD or business server with RAID?
>
> Is your box rooted? If it's just a home server I'd take it offline and check the contents of its hard drive with a Linux live CD, or at the very least on another system - otherwise files/folders could be hidden.

The latter - X-series with 2 arrays, running Terminal Services/PDC/File Print Server.

Running Endpoint scan now. . . . .though I doubt it will find anything.

Speedy Gonzales
27-01-2010, 11:46 AM
I would use something else, or put the HDD in something else, then scan it.

pkm
27-01-2010, 11:53 AM
If it's rooted you'll never find anything. I don't know how familiar you are with malware, but basically Windows can be made to lie to you - from processes running to files and folders not existing.
As Speedy suggests, run a live CD (even Puppy Linux), mount the drives and scan.
Old one: http://www.youtube.com/watch?v=NJNYHpFipjM

MushHead
27-01-2010, 12:31 PM
My $0.02 would be to try RootKit Revealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx) from MS as a starting point. Download on another machine & run on your server with network disconnected.

pkm
27-01-2010, 01:20 PM
> My $0.02 would be to try RootKit Revealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx) from MS as a starting point. Download on another machine & run on your server with network disconnected.

Yep, that's a good start, although I'd grab a whole suite of rootkit revealers and compare, since you can hide from the MS revealer also. It's quite ridiculous really.

SolMiester
27-01-2010, 01:32 PM
> Eew... Symantec yet again for the win. :ban

What ^ said.

zqwerty
27-01-2010, 06:54 PM
http://www.gmer.net/

Hmmmmm, may not be of any use to you as WinServer is not mentioned in the application data.