Strange scheduled tasks on Windows Server 2003


A few days ago I noticed strange scheduled tasks on our Windows Server 2003 system. I don't know where they came from or who set them up. I deleted them, and today they are back. They are named "At1", "At2", "At3" and so on, and their status shows them as running.

When I open their properties, the run command looks like rundll32.exe zfypspqu.u,ygxjgq

What could this be? Is my server infected with a virus? I scanned it with nod32 and it reported nothing unusual. I have not set up anything unusual on this server - it only runs SQLServer 2005 with ReportServer. Two other servers with similar configurations do not have these strange scheduled tasks.

Answer 1

That is a Conficker infection.

Basic steps to remove it:

If you have multiple systems, make sure to fix all of them.

Microsoft's full guide on protecting yourself against Conficker is here

Good luck; I had to deal with a Conficker infection at a small customer, about 30 servers spread across 12 sites, and it was not fun.

Answer 2

If at all possible, try to scan, disinfect and patch all of the computers on the network at the same time; it was not a pleasant experience (the B variant; our network has about 300 computers across 3 sites)

http://www.confickerworkinggroup.org

http://www.confickerworkinggroup.org/wiki/pmwiki.php/ENT/Enterprise#toc10

I updated the batch file to apply it via GPO (found somewhere on the Internet)

@echo off

REM   ########################################
REM   Version 6 - 10:19pm Pacific Jan 4th, 2009
REM   Created by Ckemper and Shainw
REM   For disabling infection points and potentially removing Conficker.B malware
REM   http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B

REM   #####################################

REM   #####################################
REM
REM   Modify <domain.com> to your domain name in the script portion below.
REM   Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\<domain.com>\scripts folder (aka, Netlogon share).
REM   
REM   Please drop the following tools\files in the Netlogon share for this to work
REM
REM   Getver.exe - attached with this batch file.
REM   SC.EXE - attached with this batch file (can get from a WS2003 or Windows XP system, not native to Windows 2000)
REM   REG.exe - attached with this batch file (can get from WS2003 or Windows XP system, not native to Windows 2000)
REM   windows-kb890830-v2.6.exe - x86 version of MSRT, available from Microsoft Security Support Engineer
REM   windows-kb890830-x64-v2.6.exe - x64 version of MSRT, available from Microsoft Security Support Engineer
REM   sleep.exe - for use with the MSRT tool, attached with batch file
REM   Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except
REM   the Itanium update as this script does not support Itanium.  Place all 3 updates in the Netlogon directory.
REM   Security update MS08-038 for Windows Vista and Windows Server 2008 - http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
REM   This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to
REM   autorun, same as the one listed above in KB953252.
REM   
REM   Place all above in the netlogon directory and edit the <domain.com> values in the script below.
REM
REM   Create a Startup Script policy and reference this batch file.  This needs to be a Startup Script and not a Logon script, so that the 
REM   script runs under the machine account.
REM   Link the GPO with the Startup Script to the OU and Groups where you want it to apply.
REM
REM   We do not recommend you use this on DC's or critical servers, those should be cleaned manually so that the services
REM   disabled below do not need to be left disabled for an extended period of time.
REM
REM   Also note that you can set both the Server service (lanmanserver) and Task Scheduler server (schedule) to disabled via group policy
REM   If that is done, then those items can be remarked out below 
REM
REM   ###########################################

REM
REM
REM   Methods of spread we will be disabling -
REM
REM
REM   We will disable the Server service and Task Scheduler service.
REM
REM   Why disable the Server service?  This is due to Weak Passwords which the malware attempts to exploit.
REM   The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a 
REM   complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question
REM   mark or exclamation point.
REM
REM   Why disable the Task Scheduler service?  This is because the malware creates several AT jobs that run every hour to reinfect the system.
REM
REM   MS08-067 security update.  This security update needs to be applied ASAP via your normal patch management process.
REM   http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
REM
REM   Why install MS08-067?  This is the main attack vector of the malware.
REM
REM   Autorun - To block the autorun feature, we must apply a hotfix and set a registry value.
REM
REM   Why disable Autorun?  This is because the malware drops a binary file called Autorun.inf on all removable drives.
REM

REM
REM   For environments that use Windows Update to deploy updates.  This section will install MS08-067.
REM   You must place the updates that were downloaded from the link above in the Netlogon share and modify <domain.com>
REM   to your domain.  Also, you must remove the REM**** from in front of the lines; note there is one at the bottom also.  Note that the
REM   Windows Vista and WS2008 file is the same for both - Windows6.0-KB958644-x86.msu.
REM

if /i %PROCESSOR_ARCHITECTURE% == IA64 goto :End


REM ****IF not exist %windir%\$NtUninstallKB958644$ goto Check
REM ****IF exist %windir%\$NtUninstallKB958644$ goto Clean

REM ****:Check
REM ****IF not exist %windir%\Servicing\Packages\Package_for_KB958644*.* goto Install
REM ****IF exist %windir%\Servicing\Packages\Package_for_KB958644*.* goto Clean


REM ****:Clean

REM
REM  Checking if already run successfully
REM

\\<domain.com>\netlogon\sc.exe query wuauserv | find "STOPPED" > nul
if %ErrorLevel% EQU 0 goto INIT
if %ErrorLevel% EQU 1 goto END


:INIT

REM
REM   Stopping and Disabling services
REM   

\\<domain.com>\netlogon\GETVER.EXE > nul
if %ErrorLevel% EQU 50 goto SC_Stop
if %ErrorLevel% EQU 51 goto SC_Stop
if %ErrorLevel% EQU 52 goto SC_Stop
if %ErrorLevel% EQU 60 goto Vista_2008Server_SC_Stop

:SC_Stop
\\<domain.com>\netlogon\sc.exe stop lanmanserver
\\<domain.com>\netlogon\sc.exe stop schedule
\\<domain.com>\netlogon\sc.exe config lanmanserver start= disabled
\\<domain.com>\netlogon\sc.exe config schedule start= disabled

goto MSRT_RUN

:Vista_2008Server_SC_Stop

\\<domain.com>\netlogon\reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f

goto MSRT_RUN

:MSRT_RUN

REM
REM   Running MSRT locally
REM

REM
REM   Checking for x86 or x64
REM   Make sure to edit the <servername>\<share> in the lines below so the logs can be copied up to a central server if desired.
REM   Otherwise the copying of the mrt.log can be remarked out.
REM   Notice the copy of the MRT.log up to a central location has <servername>\<share with write perms>.  This is on purpose.
REM   In most cases, opening a share with everyone write permissions on a DC is not recommended, it is suggested to use a
REM   member server or workstation.
REM

if /i %PROCESSOR_ARCHITECTURE% == x86 goto x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto x64

:x86
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\Windows-KB890830-V2.6.exe /q

copy %windir%\debug\mrt.log \\<servername>\<share>\Logs\%computername%_%username%_mrt.log

goto Tasks

:x64
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\windows-kb890830-x64-v2.6.exe /q

copy %windir%\debug\mrt.log \\<servername>\<share>\Logs\%computername%_%username%_mrt.log

goto Tasks

REM
REM   Deleting all scheduled tasks, we have to do this due to the potential random naming of the scheduled task job.
REM   Note, even though we are disabling the Task Scheduler service above, these still need to be removed for when the Task Scheduler service is
REM   started up again.  The Erase command is available on Windows 2000 and above, so we do not need to make it available on the Netlogon share.
REM

:Tasks

attrib -h %windir%\tasks\*.job
AT /delete /yes
REM old entry -erase %windir%\tasks\*.job /f /q


REM
REM   Checking for and installing Autorun hotfix. Turning off Autorun for all drives, the malware can spread via this mechanism.
REM   Download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
REM   Download the Windows Vista and Windows Server 2003 update - http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
REM

IF not exist %windir%\$NtUninstallKB950582$ goto Next
IF exist %windir%\$NtUninstallKB950582$ goto Autorun

:Next
IF not exist %windir%\Servicing\Packages\Package_for_KB950582*.* goto 950582
IF exist %windir%\Servicing\Packages\Package_for_KB950582*.* goto Autorun

:950582

REM
REM   Checking OS version for install of KB950582
REM

\\<domain.com>\netlogon\GETVER.EXE > nul
if %ErrorLevel% EQU 50 goto Win2K_950582
if %ErrorLevel% EQU 51 goto WinXP_950582
if %ErrorLevel% EQU 52 goto Win2003_950582
if %ErrorLevel% EQU 60 goto Vista_2008Server_950582

REM
REM   WIN2k section
REM

:Win2k_950582
\\<domain.com>\netlogon\Windows2000-KB950582-x86-ENU.EXE /quiet /norestart
goto Autorun

REM
REM   WINXP section
REM

:WinXP_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto WinXP_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto WinXP_950582_x64

:WinXP_950582_x86
\\<domain.com>\netlogon\WindowsXP-KB950582-x86-ENU.exe /quiet /norestart
goto Autorun

:WinXP_950582_x64
\\<domain.com>\netlogon\WindowsServer2003.WindowsXP-KB950582-x64-ENU.exe /quiet /norestart
goto Autorun

REM
REM   WIN2003 section
REM

:Win2003_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto Win2003_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto Win2003_950582_x64

:Win2003_950582_x86
\\<domain.com>\netlogon\WindowsServer2003-KB950582-x86-ENU.exe /quiet /norestart
goto Autorun

:Win2003_950582_x64
\\<domain.com>\netlogon\WindowsServer2003.WindowsXP-KB950582-x64-ENU.exe /quiet /norestart
goto Autorun

REM
REM   Vista_2008 section
REM

:Vista_2008Server_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto Vista_2008Server_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto Vista_2008Server_950582_x64

:Vista_2008Server_950582_x86
wusa.exe \\<domain.com>\netlogon\Windows6.0-KB950582-x86.msu /quiet /norestart
goto Autorun

:Vista_2008Server_950582_x64
wusa.exe \\<domain.com>\netlogon\Windows6.0-KB950582-x64.msu /quiet /norestart
goto Autorun

:Autorun

REM   The value name is NoDriveTypeAutoRun; 0xff disables Autorun for every drive type.
\\<domain.com>\netlogon\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f


REM
REM   Removing Hidden setting
REM

\\<domain.com>\netlogon\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f


REM
REM   Enabling Automatic Updates, Background Intelligent Transfer and Error Reporting services
REM

\\<domain.com>\netlogon\sc.exe config wuauserv start= auto
\\<domain.com>\netlogon\sc.exe config BITS start= auto
\\<domain.com>\netlogon\sc.exe config ERsvc start= auto

REM
REM   Restarting
REM

Shutdown.exe /r


REM ****:Install

REM ****\\<domain.com>\netlogon\GETVER.EXE > nul
REM ****if %ErrorLevel% EQU 50 goto Win2K
REM ****if %ErrorLevel% EQU 51 goto WinXP
REM ****if %ErrorLevel% EQU 52 goto Win2003
REM ****if %ErrorLevel% EQU 60 goto Vista_2008Server

REM ****REM   Each OS section jumps to :End so that only the installer for the detected OS is run.
REM ****:Win2k
REM ****\\<domain.com>\netlogon\Windows2000-KB958644-x86-ENU.EXE /quiet /forcerestart
REM ****goto End

REM ****:WinXP
REM ****\\<domain.com>\netlogon\WindowsXP-KB958644-x86-ENU.exe /quiet /forcerestart
REM ****goto End

REM ****:Win2003
REM ****\\<domain.com>\netlogon\WindowsServer2003-KB958644-x86-ENU.exe /quiet /forcerestart
REM ****goto End

REM ****:Vista_2008Server
REM ****wusa.exe \\<domain.com>\netlogon\Windows6.0-KB958644-x86.msu /quiet

:End
Exit
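As an added triage example (not code from the thread or from the batch script's authors), the following parses the text output of the Windows `AT` command and flags the two signals this page describes: rundll32.exe loading a randomly named module that is not a .dll (the `zfypspqu.u,ygxjgq` command from the question) and the same command repeated across several daily jobs (the hourly reinfection jobs the script's comments mention). The sample `AT` output is constructed to mirror the question's At1/At2/At3 jobs plus one legitimate job.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of `AT` output on Windows XP/2003: the three hourly jobs
# from the question plus one legitimate job for contrast.
SAMPLE_AT_OUTPUT = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S Su    1:00 AM       rundll32.exe zfypspqu.u,ygxjgq
        2   Each M T W Th F S Su    2:00 AM       rundll32.exe zfypspqu.u,ygxjgq
        3   Each M T W Th F S Su    3:00 AM       rundll32.exe zfypspqu.u,ygxjgq
        4   Each Su                 4:00 AM       C:\\Scripts\\backup.cmd
"""

# One job per line: optional status, numeric ID, day spec, 12-hour time, command.
JOB_LINE = re.compile(
    r"^\s*(?:Error\s+)?(?P<id>\d+)\s+(?P<day>Each .+?|Next .+?)\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<cmd>\S.*?)\s*$")

@dataclass
class AtJob:
    job_id: int
    day: str
    time: str
    command: str

def parse_at_output(text: str) -> list:
    """Turn `AT` output into AtJob records; header and separator lines are skipped."""
    return [AtJob(int(m["id"]), m["day"], m["time"], m["cmd"])
            for m in (JOB_LINE.match(line) for line in text.splitlines()) if m]

def rundll32_module(command: str):
    """Return the module rundll32 is asked to load (syntax: <module>,<entry>), else None."""
    parts = command.split(None, 1)
    if len(parts) == 2 and parts[0].lower() in ("rundll32", "rundll32.exe"):
        return parts[1].split(",", 1)[0]
    return None

def triage(jobs) -> dict:
    """Map job id -> reasons it looks like the Conficker pattern described on this page."""
    reasons = {}
    repeats = Counter(j.command for j in jobs if j.day.startswith("Each"))
    for j in jobs:
        why = []
        module = rundll32_module(j.command)
        if module is not None and not module.lower().endswith(".dll"):
            why.append("rundll32 loads non-DLL module %r" % module)
        if repeats[j.command] >= 3:
            why.append("same command scheduled in %d daily jobs" % repeats[j.command])
        if why:
            reasons[j.job_id] = why
    return reasons
```

On a live host, feed `triage(parse_at_output(...))` the captured output of `AT` (or `schtasks /query` after normalising its columns) and review the flagged job IDs before deleting them, so that legitimate rundll32 jobs are not removed blindly.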
