This host was detected by myNetWatchman as sourcing large quantities of tcp/6129 traffic. That is the default port for the DameWare Remote Control application, which recently had a security vulnerability discovered in it, hence why it is likely now a target.
TCP Table:
PID 4504 194.xx.yy.zzz:3361 63.89.60.1:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3362 63.89.60.2:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3363 63.89.60.3:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3364 63.89.60.4:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3365 63.89.60.5:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3366 63.89.60.6:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3367 63.89.60.7:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3368 63.89.60.8:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3369 63.89.60.9:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3370 63.89.60.10:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3371 63.89.60.11:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3372 63.89.60.12:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3373 63.89.60.13:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3374 63.89.60.14:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3375 63.89.60.15:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3376 63.89.60.16:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3377 63.89.60.17:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3378 63.89.60.18:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3379 63.89.60.19:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
[snip] - repeats about 200 times
OK, yeah, we're scanning like a banshee. The malware is "winlogon.exe" running out of the \recycler folder (the real winlogon.exe lives in \windows\system32)... never a good sign.
Next we try to figure out how it's being started. Looking at the Startup registry keys and the defined services, there are NO entries launching the above program. However, what we do see is an instance of the popular Serv-U FTP server running out of the same folder:
Services running on local machine:
PID 3180: Serv-U = "Serv-U FTP Server" / "c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\comctl32.exe"

Listening on a bunch of odd port numbers:
TCP Table:
PID 3180 0.0.0.0:45678 LISTENING (** Service **) c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\comctl32.exe
PID 3180 0.0.0.0:45679 LISTENING (** Service **) c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\comctl32.exe
One of the interesting capabilities of Serv-U is the SITE EXEC command:
"SRVU_ExecProg Verify if the user has the right to execute a program on the server. Be aware that allowing execute access forms a potential security hole since there is no control over what the executed program might do on the server. Also note that the actual execution is done via the FTP command SITE EXEC, which is a Serv-U specific extension and not part of the FTP standard." (From the Serv-U online documentation.)
Basically, what this means is that Serv-U can be used as a great backdoor: once it is on a target system you can FTP files to it, then use the SITE EXEC command to have them executed remotely, all through a simple FTP connection.
So in this case, I suspect that's how the Dameware scanner was launched.
Other likely hostile apps on this host:
TCP table:
PID 1924 0.0.0.0:22 LISTENING c:\windows\help.exe
PID 1924 0.0.0.0:4128 LISTENING c:\windows\help.exe
PID 4592 0.0.0.0:4129 LISTENING C:\windows\help.exe

Started here:
Entries for HKLM\Software\Microsoft\Windows\CurrentVersion\Run: 'help.exe' = 'C:\windows\help.exe'
There is an application called "help.exe" acting as a service on tcp/22 (the default port for Secure Shell, SSH), also listening on a few other ports. I don't find this very "helpful".
More scanning here, this time looking for weak SQL Server systems (tcp/1433):
PID 2428 194.xx.yy.zzz:23945 171.64.151.239:1433 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\sound\sqlck.exe
PID 2428 194.xx.yy.zzz:23946 171.64.151.240:1433 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\sound\sqlck.exe
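The three findings above (the tcp/6129 and tcp/1433 SYN_SENT fan-out from binaries under \recycler, the Serv-U listener on odd ports from the same folder, and help.exe sitting on tcp/22) all fall out of the same TCP-table listing. The script below is an added example written for this writeup, not a myNetWatchman tool and not code from the original post. It parses lines in the format quoted above, flags scanners (one PID with SYN_SENT to many hosts on one destination port), binaries running from the Recycle Bin or impersonating system executables outside \windows\system32, and listeners on well-known ports served by non-system binaries. The sample lines are constructed to mirror the page's listings; the threshold of five targets and the list of system-binary names are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the TCP-table and service listings quoted in this
# writeup (same abbreviated addresses and paths as the page; not a real capture).
RECYCLER = r"c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer"
SAMPLE = "\n".join(
    [f"PID 4504 194.xx.yy.zzz:{3361 + i} 63.89.60.{1 + i}:6129 SYN_SENT {RECYCLER}\\tmp\\winlogon.exe"
     for i in range(8)]
    + [f"PID 2428 194.xx.yy.zzz:{23945 + i} 171.64.151.{239 + i}:1433 SYN_SENT {RECYCLER}\\tmp\\sound\\sqlck.exe"
       for i in range(6)]
    + [
        f"PID 3180 0.0.0.0:45678 LISTENING (** Service **) {RECYCLER}\\comctl32.exe",
        f"PID 3180 0.0.0.0:45679 LISTENING (** Service **) {RECYCLER}\\comctl32.exe",
        r"PID 1924 0.0.0.0:22 LISTENING c:\windows\help.exe",
        r"PID 1924 0.0.0.0:4128 LISTENING c:\windows\help.exe",
        r"PID 1020 0.0.0.0:135 LISTENING (** Service **) c:\windows\system32\svchost.exe",
        r"PID 1788 194.xx.yy.zzz:1050 10.11.12.13:80 ESTABLISHED c:\program files\internet explorer\iexplore.exe",
    ]
)

# One line = "PID <pid> <local> [<remote>] <state> [(** Service **)] <image path>";
# LISTENING lines carry no remote endpoint, so that group is optional.
LINE_RE = re.compile(
    r"^PID\s+(?P<pid>\d+)\s+(?P<local>\S+)\s+(?:(?P<remote>\S+)\s+)?"
    r"(?P<state>LISTENING|SYN_SENT|ESTABLISHED|TIME_WAIT|CLOSE_WAIT)\s+"
    r"(?P<svc>\(\*\* Service \*\*\)\s+)?(?P<path>.+?)\s*$"
)

# Names of binaries that legitimately live only in \windows\system32 (my own short list).
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "svchost.exe", "smss.exe"}


def parse_tcp_table(text):
    """Return one dict per parseable line; headers and '[snip]' lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["service"] = d.pop("svc") is not None
        d["path"] = d["path"].lower()
        entries.append(d)
    return entries


def suspicious_path(path):
    """Reasons an image path looks wrong: Recycle Bin folder, or a system name outside system32."""
    p = path.lower()
    reasons = []
    if "\\recycler\\" in p or "\\recycled\\" in p:
        reasons.append("runs from the Recycle Bin folder")
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and "\\system32\\" not in p:
        reasons.append(f"{name} outside \\windows\\system32")
    return reasons


def find_scanners(entries, min_targets=5):
    """Group SYN_SENT by (pid, destination port); many distinct hosts on one port = a scanner."""
    targets = defaultdict(set)
    paths = {}
    for e in entries:
        if e["state"] != "SYN_SENT" or not e["remote"]:
            continue
        host, _, port = e["remote"].rpartition(":")
        key = (e["pid"], int(port))
        targets[key].add(host)
        paths[key] = e["path"]
    return {key: {"targets": len(hosts), "path": paths[key]}
            for key, hosts in targets.items() if len(hosts) >= min_targets}


def find_odd_listeners(entries):
    """Listeners with a suspicious image path, or a well-known port served by a non-system binary."""
    hits = []
    for e in entries:
        if e["state"] != "LISTENING":
            continue
        port = int(e["local"].rpartition(":")[2])
        reasons = suspicious_path(e["path"])
        if port < 1024 and "\\system32\\" not in e["path"]:
            reasons.append(f"well-known port {port} served by a non-system binary")
        if reasons:
            hits.append((e["pid"], port, e["path"], reasons))
    return hits


def report(text):
    entries = parse_tcp_table(text)
    for (pid, port), info in sorted(find_scanners(entries).items()):
        print(f"SCANNER  pid {pid} -> tcp/{port} on {info['targets']} hosts: {info['path']}")
    for pid, port, path, reasons in find_odd_listeners(entries):
        print(f"LISTENER pid {pid} tcp/{port} {path}: {'; '.join(reasons)}")


if __name__ == "__main__":
    report(SAMPLE)
```

On the constructed sample this reports both scanners (PID 4504 toward tcp/6129, PID 2428 toward tcp/1433), the Serv-U comctl32.exe listeners on 45678/45679 as running from the Recycle Bin, and help.exe on tcp/22; svchost.exe on tcp/135 from system32 and the ordinary browser connection are left alone. Against a real box, feed it the output of whatever tool produced the page's listing, and treat the thresholds as tuning knobs, not truth.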