[Dshield] Strange Windows Behavior

Jon R. Kibler Jon.Kibler at aset.com
Tue Jan 23 14:45:45 GMT 2007


Hi All,

I have a client that has a few apparently infected systems, but I cannot find anything wrong. All are Win XP/SP2, fully patched. I have run a full nmap scan (all 64K TCP and UDP ports), sniffed the network for any bogus traffic, run Spybot, HijackThis, AV, RootkitRevealer, netstat, fport, Process Explorer, etc., and found nothing unexpected.

Following Paul Marsh's posting, I looked for a 'kdnjh.exe' file but found none. (Paul, was this file the 'wareout' file?) I have not run fixwareout, and that may be my next step unless someone can give me some better ideas.

System 1: Runs slowly. Task Manager shows a consistent 15% to 25% CPU utilization on the Performance tab, but shows the System Idle Process consuming 98% to 99% of the CPU on the Processes tab. Apparently it has a hidden process, but what and where? Cannot really take this system down and rebuild until after all of the EOY processing is completed.

Systems 2-6: Run a ktelnet application for industry-specific software. Initially, systems kept dropping their telnet sessions at random. Switch logs would show a 5 to 10 second period between logging 'protocol down' and 'protocol up' for the system that lost its telnet session, thus it appears the telnet session drops because the network connection drops. At present, systems are 'winking out' (screen goes solid black [sometimes solid white] and even the mouse cursor disappears) at the same time the network connection bites the dust. If this were only one system, I would have thought it was a hardware issue, but it is 5 systems and it happens at random and usually to only one system at a time.

Other than nuking the boxes and rebuilding (which could not be done until the weekend for systems 2-6, or until Feb for system 1), I haven't a clue where to proceed from here.

Any ideas?

THANKS!
Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
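One way to chase the System 1 symptom (kernel-measured CPU load that the visible process table does not account for) is a cross-view check: enumerate processes through independent paths and compare, then compare the Processor counter against the Idle process counter. This is an added example, not code from the original post; it assumes Windows PowerShell 2.0 or later (for Get-Counter) run from an elevated prompt on the suspect host.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 2.0+ on the host.

# --- 1. Cross-view process enumeration -------------------------------------
# A user-mode hook in one enumeration path is usually missed by another path that runs
# in a separate process (WMI provider host, tasklist.exe). Two rounds are taken so that
# short-lived processes are not reported as hidden. A kernel-mode rootkit can hide from
# all three views; section 2 is the remaining hint in that case.
function Get-ProcessViews {
    $api = Get-Process | ForEach-Object { $_.Id }
    $wmi = Get-WmiObject -Class Win32_Process | ForEach-Object { $_.ProcessId }
    $tl  = tasklist /FO CSV /NH |
           ConvertFrom-Csv -Header 'Image','PID','Session','SessionNum','Mem' |
           ForEach-Object { [int]$_.PID }
    @{ Api = $api; Wmi = $wmi; Tasklist = $tl }
}

$first  = Get-ProcessViews
Start-Sleep -Seconds 2
$second = Get-ProcessViews

foreach ($view in 'Wmi','Tasklist') {
    # PIDs the alternate view reports but Get-Process does not, present in both rounds
    $gap1 = $first[$view]  | Where-Object { $first.Api  -notcontains $_ }
    $gap2 = $second[$view] | Where-Object { $second.Api -notcontains $_ }
    $persistent = $gap1 | Where-Object { $gap2 -contains $_ }
    if ($persistent) {
        "Hidden from Get-Process but visible to ${view}: $($persistent -join ', ')"
    }
}

# --- 2. CPU accounting check (the Task Manager discrepancy described above) --
# Performance tab  = \Processor(_Total)\% Processor Time (busy time measured by the kernel).
# Processes tab    = per-process counters; the Idle instance is summed over cores, so it is
#                    divided by the core count here. Busy minus (100 - Idle) is CPU time that
#                    no visible process explains.
$cores   = [int]$env:NUMBER_OF_PROCESSORS
$paths   = '\Processor(_Total)\% Processor Time', '\Process(Idle)\% Processor Time'
$samples = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 5
$busy = ($samples | ForEach-Object { ($_.CounterSamples | Where-Object { $_.Path -like '*Processor(_Total)*' }).CookedValue } |
         Measure-Object -Average).Average
$idle = ($samples | ForEach-Object { ($_.CounterSamples | Where-Object { $_.Path -like '*Process(Idle)*' }).CookedValue } |
         Measure-Object -Average).Average / $cores
$unaccounted = $busy - (100 - $idle)
"Kernel busy: {0:N1}%  Visible busy: {1:N1}%  Unaccounted: {2:N1}%" -f $busy, (100 - $idle), $unaccounted
if ($unaccounted -gt 10) { "WARNING: sustained CPU use not attributable to any visible process" }
```

A persistent gap in section 1 names a PID to examine with Process Explorer; a large unaccounted figure in section 2 with no gap points at a kernel-level hide, where an offline scan of the disk is the next step.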