
Compromised Web Server? Anybody recognize?

Hi all,
We lease a non-managed Web Server running AV software but no IDS. It is
Windows 2003 STD which receives automatic nightly Windows Security patches at
3AM.

When I logged into the RDP console on Monday I saw what looked like a
Password Cracking software running with the name at the top of the window
E-Security. It looks like it had gone through 69,914,496 permutations already.

I went into Task Manager and killed a program I did not recognize
netman24.exe. I killed it and also saw about 12 instances of
CheckingThread.exe disappear.

I did not want to click the Close button in the program because who knows
what that might have done.

Looking in Services, right under Network Connections there were 3 other
similar services all claiming to be Microsoft.
Network Connections 24
Network Connections 32
Network Connections 64

Doing a search on Microsoft for netman24.exe brought up nothing.
Doing a similar search on Google brought up nothing.
Same for Symantec.

I changed the Startup Option on Network Connections 24 from Automatic to
Manual. I have not gotten rid of those services or programs yet in case they
are valid.

Maybe the connection between netman24.exe being killed and
CheckingThread.exe instances disappearing was coincidental but I don't think
so.

I can't get to the Windows 2003 Server newsgroup from within MSDN, so I am
posting here first.

Anyone else seen anything like this or recognize these programs as valid?

Thanks for any input...

--
"Building a better mouse trap doesn't necessarily make it better for the
mouse."
Jan 8 '08 #1


FYI, This isn't exactly the group for this.

I would search the local drives for the files first and see what folder
structure they are located in. In the same folder you can find more info
regarding that exe. You can also get meta info from the executable about who
made it etc.

You should take a restore point before any of this just in case you mess up.

If you determine that this application is malicious and you don't want it,
do not uninstall it from the add/remove programs if it is there. Some malware
will install a differently named version of the same app if you try
uninstalling it. To get rid of it try renaming the folder. Then search the
registry for the filename.exe and see what it got itself into. At this point
you really need to know what you're doing. You might want to write down the
keys you found it in or back it up via the Export feature in Regedit. You
will then need to reboot and check your running processes again.
--
Mohamad Elarabi
MCP, MCTS, MCPD.
"John Kotuby" wrote:
> Hi all,
> We lease a non-managed Web Server running AV software but no IDS. It is
> Windows 2003 STD which receives automatic nightly Windows Security patches at
> 3AM.
>
> When I logged into the RDP console on Monday I saw what looked like a
> Password Cracking software running with the name at the top of the window
> E-Security. It looks like it had gone through 69,914,496 permutations already.
>
> I went into Task Manager and killed a program I did not recognize
> netman24.exe. I killed it and also saw about 12 instances of
> CheckingThread.exe disappear.
>
> I did not want to click the Close button in the program because who knows
> what that might have done.
>
> Looking in Services, right under Network Connections there were 3 other
> similar services all claiming to be Microsoft.
> Network Connections 24
> Network Connections 32
> Network Connections 64
>
> Doing a search on Microsoft for netman24.exe brought up nothing.
> Doing a similar search on Google brought up nothing.
> Same for Symantec.
>
> I changed the Startup Option on Network Connections 24 from Automatic to
> Manual. I have not gotten rid of those services or programs yet in case they
> are valid.
>
> Maybe the connection between netman24.exe being killed and
> CheckingThread.exe instances disappearing was coincidental but I don't think
> so.
>
> I can't get to the Windows 2003 Server newsgroup from within MSDN, so I am
> posting here first.
>
> Anyone else seen anything like this or recognize these programs as valid?
>
> Thanks for any input...
>
> --
> "Building a better mouse trap doesn't necessarily make it better for the
> mouse."
Jan 8 '08 #2
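
An added example, not part of the thread or any poster's code: a Python sketch that applies the triage discussed above to a service listing, flagging services whose display name imitates a stock one (the question's "Network Connections 24/32/64") or whose stock name points at an unexpected binary. The CSV is constructed in the shape of `wmic service get DisplayName,Name,PathName /format:csv`. The service names and `C:\EXAMPLE\` paths of the three extra entries are placeholders, and the two-entry baseline is an assumption.

```python
import csv
import difflib
import io

# Constructed sample shaped like the output of:
#   wmic service get DisplayName,Name,PathName /format:csv
# Names and paths of the three extra services are placeholders.
SAMPLE = r'''Node,DisplayName,Name,PathName
WEB01,Network Connections,Netman,C:\WINDOWS\System32\svchost.exe -k netsvcs
WEB01,Network Connections 24,svc24-placeholder,C:\EXAMPLE\netman24.exe
WEB01,Network Connections 32,svc32-placeholder,C:\EXAMPLE\netman32.exe
WEB01,Network Connections 64,svc64-placeholder,C:\EXAMPLE\netman64.exe
WEB01,Print Spooler,Spooler,C:\WINDOWS\system32\spoolsv.exe
'''

# Display name -> (service name, image path) for stock services (assumed baseline).
BASELINE = {
    "network connections": ("netman", r"c:\windows\system32\svchost.exe"),
    "print spooler": ("spooler", r"c:\windows\system32\spoolsv.exe"),
}

def image_path(pathname):
    """Return the lower-cased executable from a service PathName, dropping arguments."""
    p = pathname.strip()
    if p.startswith('"'):                      # quoted path, may contain spaces
        return p[1:].split('"', 1)[0].lower()
    low = p.lower()
    end = low.find(".exe")
    return low[:end + 4] if end != -1 else low.split(" ", 1)[0]

def triage(csv_text):
    """Return (display name, image path, reason) for each suspicious service."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        disp, exe = row["DisplayName"].strip(), image_path(row["PathName"])
        key = disp.lower()
        if key in BASELINE:                    # exact stock name: binary must match too
            if (row["Name"].strip().lower(), exe) != BASELINE[key]:
                findings.append((disp, exe, "stock name, unexpected binary"))
            continue
        near = difflib.get_close_matches(key, list(BASELINE), n=1, cutoff=0.8)
        if near:                               # near-copy of a stock display name
            findings.append((disp, exe, "imitates '%s'" % near[0]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
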

LVP
Your PC may be infected. The presence of NETMAN.EXE is a common symptom of
infection.
We suggest you thoroughly check your PC as soon as possible. Prevx CSI will
check your PC and quickly detect malicious software like NETMAN.EXE and
millions of other bad programs. It is totally free and takes less than 2
minutes to run. To scan your PC now click the green Scan Now button on the
left.

Jan 8 '08 #3

LVP
Component Name: Netman.exe

Description of Netman.exe
This is a component of NetMan Enterprise. NetMan Enterprise is network
administration software. It monitors actions on each PC on your network and
alerts the Administrator if the PC is used for a function that violates
standard procedures.

Recommendation for Netman.exe N/A
Trusted: Yes
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No

Company Name: Accord Software and Systems Inc.
Platforms Affected:
Methods of Distribution: .
Variants/Versions:
Release Date: .

I don't think automated updates on a server is a smart thing to do.

netmanXX.exe may not be a virus, but could be a virus disguised as a
system-network type file.
Are you in full control of this server, or is it leased remotely? If leased
remotely, then check with the Remote Sys-Admin.

LVP



Jan 8 '08 #4

Thanks for the input LVP--

Jan 8 '08 #5

Thanks Mohamad...

Yes, a Windows Server Security group would be a better bet. I was just
wondering if anyone else has seen these things whether valid or malware
elsewhere.

Jan 8 '08 #6
