My Computer is not my own?

  • Question

  • My whs has been churning right along for more than a year without a hiccup, and I have been truly pleased. Recently, when walking past the DSL modem I noticed that the LEDs were flashing wildly like it does when there is a big download going on. Must be windows update or something on one of the computers, I thought. A day or two later, same thing. Odd. Quickly I deduced that of all the computers, it was the whs accessing the internet. But what is causing it to ALWAYS access the internet at all times of the day? I do have utorrent on the whs but it is scheduled to only run at night.

    Even though I use QOS the excessive internet activity was affecting my VOIP.

    I began investigating.

    Killed utorrent. No change.

    I have WHSclam installed, did virus update and then a scan. Ah Ha! Found a virus in c:/recycler deleted it from virus vault and from recycle bin and I began searching for more viruses.  Found another in backups but nothing in memory or system. With all viruses removed I restarted the system. Scanned again and I have a clean system but the internet activity continues! Perhaps it is something that eludes WHSclam – tried Trend micro Housecall – no virus found. Ok, both scanners say no virus so the system must be clean. I scanned all the computers in the house, all of them are reported to be virus free. Odd. Where did the viruses come from? WHS does download torrents and podcasts but does not execute them. Perhaps I am naive, but how could it become infected? How could the viruses be the source of the internet activity?

    I went into the router and turned off internet to the IP of the whs.

    That’s odd; the lights on the DSL modem still flash.

    Remote Desktop to whs – internet explorer can’t get to internet, virus updates fail – it sure doesn’t look like the whs can get to the internet. But the lights on the DSL modem still flash!

    Physically unplug the cable and the lights stop flashing and the network is quiet. If I plug it back in it starts back.

    I log into the router to check what it says for WAN bandwidth and it shows:

    [Image: router WAN bandwidth graph]

    The blue arrow shows a valley where there is no internet activity because the cable to the whs is unplugged. (internet activity is supposedly turned off to the IP of the whs in the router) BTW the orange shows outgoing activity, the blue incoming.

     

    BTW my network looks something like this:

    Computer 1----------------

    Computer2-----------------ROUTER (w/VOIP)-------------DSL modem--------internet

    Computer3----------------

    WHS-------------------------

    VOIP phone---------------

    The more I dig into this problem the weirder it gets. Where did the virus come from? Why does the dsl modem see activity when the whs has no internet? (All other computers are off) Maybe someone is trying to access my computer FROM the internet. (Crazy, who would want my family photos and stuff?)

    Remote desktop to whs – let’s see what is supposed to start up with the system –

    [Image: system startup items list]

    What is: IMEKRMIG, IMJPMIG and TINTSETP? I don’t remember those. (I unchecked them before I took the picture). Turns out that they are used to work with Asian characters. I only speak and write English and Spanish – nothing Asian. Where did that come from and why is it so important that it start up with the system? A little bit of paranoia hits me. Who has been using my system?

    Well if it is not a virus that has taken over my server, then maybe it is a hacker from the outside world.

    My router is configured to allow UPnP devices to configure their own ports. I opened a port for utorrent but I think that is all I have done. With all of this craziness, I have shut down UPnP and all ports. The internet access continues.

    I am about ready to wipe off the os and reinstall. That would not be fun so I thought that I should post here and see if anyone had any suggestions.

    • Edited by Fundamentalman Sunday, December 26, 2010 4:19 AM repetitive text
    Sunday, December 26, 2010 4:14 AM
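The one check missing from the investigation above is tying the traffic to a process on the server. The script below is an added example, not from this thread: it parses a constructed `netstat -ano` listing and a constructed PID-to-image map (as `tasklist` would give) and reports which processes hold connections to addresses outside the LAN.

```python
import ipaddress
import re

# Constructed "netstat -ano" output for illustration; not captured from the thread's server.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:445       192.168.1.20:49152     ESTABLISHED     4
  TCP    192.168.1.10:49201     203.0.113.7:6881       ESTABLISHED     1432
  TCP    192.168.1.10:49202     198.51.100.23:443      ESTABLISHED     2210
  TCP    192.168.1.10:49203     198.51.100.23:443      TIME_WAIT       0
  UDP    192.168.1.10:6881      *:*                                    1432
"""

# Constructed PID -> image name map, as "tasklist" would report it.
PROCESS_MAP = {4: "System", 1432: "utorrent.exe", 2210: "unknown.exe"}

# proto, local, foreign, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Addresses that never leave the home network (RFC 1918, loopback, link-local).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

def parse_netstat(text):
    """Turn netstat rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows

def leaves_lan(addr):
    """True when addr ("host:port" or "[v6]:port") points outside the LAN."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False            # "*" or a hostname: no routable peer here
    if ip.version == 6:
        return not ip.is_private
    return not any(ip in net for net in LAN_NETS)

def outbound_by_process(text, process_map):
    """Return (image name, remote endpoint, state) for live connections leaving the LAN."""
    findings = []
    for row in parse_netstat(text):
        if row["state"] in ("TIME_WAIT", "CLOSE_WAIT", "LISTENING"):
            continue            # no live traffic behind these
        if leaves_lan(row["foreign"]):
            name = process_map.get(row["pid"], "<unknown pid>")
            findings.append((name, row["foreign"], row["state"]))
    return findings
```

An image name you do not recognise, or a PID with no matching `tasklist` entry, is the row to chase first.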

All replies

  • What you describe is suggestive of a malware infection. It's not conclusive, but the network activity isn't something you should expect to see if your server is functioning normally. You can try to identify and remove the malware, or you can scrub your server. My recommendation, no matter how painful, is the scrub. You should also inspect (with more than one tool; every available scanner has its weaknesses) all the data on your server.

    I presume you've been using your server's desktop for a variety of things including some amount of web surfing; that's usually the only way your server is going to get infected with malware. You may want to bear in mind in the future that your server's desktop isn't intended for regular use by end users. In addition to the tools available there which can cause various issues, you can run into exactly this sort of problem. Note that "unsupported" doesn't mean "unavailable" or "forbidden", but it does mean that anything you change (install, delete, reconfigure) while on the desktop is also unsupported. And it means that there's additional risk if you aren't careful (and unfortunately I think you haven't been careful).


    I'm not on the WHS team, I just post a lot. :)
    Sunday, December 26, 2010 5:08 AM
    Moderator
  • Thanks for the input Ken. I agree it sounds like malware. I have also thought that I had too many ports open on the server and a hacker got in.

    Regarding using the server's desktop - I hardly ever use it. Although I suppose once is enough.

    Also as far as unsupported software, utorrent is about the only thing. Although once the crazy behavior started I also used Trend Micro Housecall (unsupported on WHS) and I have now installed Microsoft Security Essentials beta (also unsupported in WHS). BTW I have thought that both of these products were rather proactive against malware. But then again they are both unsupported.

    Any tools that you suggest regarding malware?

    By scrub what do you mean? Are you talking about wiping out the OS and installing fresh? If I don't have a tangible solution soon.... well it's on the list of things to do.

    Sunday, December 26, 2010 5:34 AM
  • I have been thinking about this whole thing especially the part about being careful and I am not convinced that what I have done (remote desktop) was to blame. I mean that if what I have done is to blame, then we would have servers going nuts all over the place. The only illicit thing that I have done was to install utorrent. Perhaps that is the problem, but I installed it according to a guide and it would seem that others would have similar problems as well.

    For causes I am now thinking it's either utorrent downloaded something bad (but how did it get executed on the home server???) or I have/had an open port that allowed a bad guy to get in.

    I did a malware search with spybot and the only thing that was discovered was that port 443 was open. No malware was found. In fact spybot, Microsoft security essentials and Trend Micro all failed to find malware. Not saying that it is not there, just saying that they can't find it. Problems with my computers are rarely simple.

    Stop the presses: I have just found out that utorrent is susceptible to a DLL load hijacking bug. That could very well be the problem. I guess a clean install is in order. I will post if I find out anything else interesting.

    Monday, December 27, 2010 9:00 PM
  • "Any tools that you suggest regarding malware?"

    For those belt-and-suspender folks, TrendMicro's free RUBotted works on WHS 1.x.

    Not a complete solution by any means, but worth a look.

    http://free.antivirus.com/rubotted/


    Will
    Sunday, January 2, 2011 1:19 AM