#1 (permalink)

Registered User
Join Date: Mar 2008
Location: Canada
Posts: 82
OS: Windows Vista SP1, Windows XP Pro SP3, Server 2003 Enterprise SP2

Hundreds of net.exe, net1.exe and cmd.exe?!?

I run a small Apache server with a MySQL server. Nothing huge, just a few files on my server. It is accessible outside of my network, but not many people know about it. Everything will be fine and dandy, then all of a sudden I can no longer access the web. So I log into remote desktop and see that I have 400 processes running!! They're all net.exe, net1.exe and cmd.exe. And I don't think they'd stop if I didn't restart Apache. (If I restart Apache they all go away, sometimes coming back right after the restart.)

Now, I do believe that these are legit programs. But I don't have an antivirus; I just have Malwarebytes, which comes back clean after a quick scan. This Apache / MySQL / FTP (which is rarely on 'cause it doesn't work) is from XAMPP. Is there some exploit I am missing that maybe others know and I don't, or is there something horribly wrong with the configuration? Please help me, I don't know what to do. I am running a Server 2003 box. Thank you!

Last edited by xLostSoulx; 08-04-2009 at 12:10 AM.

#3 (permalink)

Registered User
Join Date: Mar 2008
Location: Canada
Posts: 82
OS: Windows Vista SP1, Windows XP Pro SP3, Server 2003 Enterprise SP2

Re: Hundreds of net.exe, net1.exe and cmd.exe?!?

It's running under SYSTEM. All of the processes are running under SYSTEM (net1.exe, net.exe and cmd.exe). I've installed NOD32 and it comes back clean as well!
A hijackthis log so you can see what I'm dealing with:

Last edited by xLostSoulx; 08-05-2009 at 07:55 PM.