Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

xcopy.exe - New Exploit?

Status
Not open for further replies.
beerhunter2

beerhunter2

MIS
Dec 3, 2002
381
Checking the Task Manager on our Exchange 5.5 server, I noticed approximately 40 to 50 instances of xcopy.exe running. Since this file server is only used for Exchange, there should not be any instances running as far as I know.

This is on a W2K server fully patched and up to the latest security update from Microsoft.

Is there a new exploit that I should be aware of, or has anyone seen this before? There is nothing in the event logs for this, other than when I renamed xcopy.exe, I got event ID 64002 Source: Windows File Protection
File replacement was attempted on the protected system file c:\winnt\system32\xcopy.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.0.2147.1.

Now I have my renamed xcopy.exe.old file, and another copy of xcopy.exe is on this server.

Has anyone seen this issue before? I'd like to plug the hole before the ship sinks. Thanks in advance for your help.

Help! I've fallen and I can't reach my beer.
cheers.gif
 
Sort by date Sort by votes
xcopy is a standard Dos command (along with xcopy32 I believe) Are you sure exchange wasnt archiving mailboxes?

___________________________________
[morse]--... ...--[/morse], Eric.
 
Upvote 0 Downvote
I realize xcopy is a standard Dos command. Just not sure why it would be running 40 to 50 instances in the Task manager.

Would exchange be archiving mailboxes all on its own with no intervention? I am the only IT person at this site, and I was not performing any functions on exchange.

Help! I've fallen and I can't reach my beer.
cheers.gif
 
Upvote 0 Downvote
Do you think it might be worthwhile to sniff the link that the server is hooked up to? see what kind of traffic it is passing. Does the server get used for more than just mail?

___________________________________
[morse]--... ...--[/morse], Eric.
 
Upvote 0 Downvote
Found this this morning:

Apparently, xcopy is one of the files the virus replicates into multiple directories, could be why you are seeing multiple instances of it. I would run the tool, or update your virus scan definitions.

___________________________________
[morse]--... ...--[/morse], Eric.
 
Upvote 0 Downvote
Thanks for everyone's help. It got me investigating a little deeper.

It turns out that the Symantec Updater Batch file for AntiSpam wasn't working properly. It was getting hung up on an xcopy command, waiting for keyboard input. This was set up in the task scheduler to run every day, and every day it would get hung up at the same place.

All should be fine now that I have corrected the problem.

Help! I've fallen and I can't reach my beer.
cheers.gif
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

SamBones
  • Locked
  • Question
Interesting JavaScript Exploit -- JSF**K
Replies
0
Views
164
SamBones
SamBones
ttrsux
  • Locked
  • Question
No internet access on new LAN eth0/2 1
Replies
6
Views
317
iggsterman
iggsterman
kjv1611
  • Locked
  • News
Asus Router Vulnerability Exploited
Replies
0
Views
177
kjv1611
kjv1611
normntwrk
  • Locked
  • Question
new asa5505 - old config
Replies
6
Views
221
normntwrk
normntwrk
cefinla
  • Locked
  • Question
HTTP exploit within Elastix code...asterisk, guidance please
Replies
13
Views
472
cefinla
cefinla

Part and Inventory Search

Sponsor

Back
Top