
server slowdown?

dragon2611

Guest
Server was being very slow.

Also, there were quite a few cmd.exe and net.exe open.

Has SOME process run away from itself and gone crazy? I was using 1.58 gigs of swapfile before I finally got the machine to reboot :eek: Are there any known issues with Plesk or any other Windows 2003 Server component that would cause this to happen, or do you think someone has hacked the server?

It's firewalled with RRAS and I'm just virus scanning it now. Also, the first thing I did when I got the server 2 days ago was install security updates, so it's definitely up to date. I even checked for updates today and there are none.

I'm really hoping it hasn't been compromised

:(
 
Please start Task Manager and look at which program is loading the CPU heavily. Also, it would be helpful if you could tell us which operating system is installed on your server, which Plesk version it is (7.0.0, 7.0.1), and which Plesk hotfixes are installed.

Thank you.
 
Yeah, it's all up to date, running Plesk 7.01 on Win 2003 Server Web Edition.

It wasn't CPU usage that was the problem, it was RAM usage. The server only has 512 MB RAM, which should be OK for a small host like us, but something went very wrong.

The server was being really slow and the page file was 1.6 GB and only about 6 MB RAM free.

Usually my free RAM is 260 MB+ and I have 250 MB or so of pagefile used.

Seems fine so far after a reboot.
 
OK. Thanks. If it happens again, please look at which application(s) take a lot of memory.
 
Summary:

C:\WINDOWS\system32\err0rrz\RenderxP.exe=>(ezip)=>(Upx) Infected Trojan.Delsha.C
C:\WINDOWS\system32\err0rrz\RenderxP.exe=>(ezip)=>(Upx) Disinfection failed
C:\WINDOWS\system32\err0rrz\TimedInterp.dll Infected IRC-Worm.Randon.T
C:\WINDOWS\system32\err0rrz\TimeZoneaX.exe=>(CExe r)=>(MS-Compress 5) Infected Trojan.HideWindows.A
C:\WINDOWS\system32\err0rrz\TimeZoneaX.exe=>(CExe r)=>(MS-Compress 5) Disinfection failed
C:\WINDOWS\system32\err0rrz\XseT.exe=>(CAB Sfx o)=>DatexTimest.exe=>(Upx) Infected Application.PrcView.A
C:\WINDOWS\system32\err0rrz\XseT.exe=>(CAB Sfx o)=>DatexTimest.exe=>(Upx) Disinfection failed
C:\WINDOWS\system32\err0rrz\XseT.exe=>(CAB Sfx o)=>RenderxP.exe=>(ezip)=>(Upx) Infected Trojan.Delsha.C
C:\WINDOWS\system32\err0rrz\XseT.exe=>(CAB Sfx o)=>RenderxP.exe=>(ezip)=>(Upx) Disinfection failed
C:\WINDOWS\system32\err0rrz\XseT.exe=>(CAB Sfx o)=>TimedInterp.dll Infected IRC-Worm.Randon.T
C:\WINDOWS\system32\err0rrz\XseT.exe=>(CAB Sfx o)=>TimeZoneaX.exe=>(CExe r)=>(MS-Compress 5) Infected Trojan.HideWindows.A
C:\WINDOWS\system32\err0rrz\XseT.exe=>(CAB Sfx o)=>TimeZoneaX.exe=>(CExe r)=>(MS-Compress 5) Disinfection failed
C:\WINDOWS\system32\XseT.exe=>(CAB Sfx o)=>DatexTimest.exe=>(Upx) Infected Application.PrcView.A
C:\WINDOWS\system32\XseT.exe=>(CAB Sfx o)=>DatexTimest.exe=>(Upx) Disinfection failed
C:\WINDOWS\system32\XseT.exe=>(CAB Sfx o)=>RenderxP.exe=>(ezip)=>(Upx) Infected Trojan.Delsha.C
C:\WINDOWS\system32\XseT.exe=>(CAB Sfx o)=>RenderxP.exe=>(ezip)=>(Upx) Disinfection failed
C:\WINDOWS\system32\XseT.exe=>(CAB Sfx o)=>TimedInterp.dll Infected IRC-Worm.Randon.T
C:\WINDOWS\system32\XseT.exe=>(CAB Sfx o)=>TimeZoneaX.exe=>(CExe r)=>(MS-Compress 5) Infected Trojan.HideWindows.A
C:\WINDOWS\system32\XseT.exe=>(CAB Sfx o)=>TimeZoneaX.exe=>(CExe r)=>(MS-Compress 5) Disinfection failed


Hmm, that's not good.

I manually deleted the files, although I'm having trouble locating information on what those viruses do, and I'd like to know how they got there :confused:

The only things I've downloaded to the server are TeamSpeak, HELM (which I had problems with, so removed), Plesk and antivirus.

I guess maybe they got there when the server first came online, before I got in to do the security updates and firewall?
 
The datacenter has been asked to reload the server's OS; looks like the thing got pretty badly compromised.

Used RRAS to firewall it, but I guess I was too slow in setting it up, OR something got downloaded without my knowledge, although I'd like to know how they got in :rolleyes:
 