Getting hacked by trojans, how boring
I noticed today an odd process on my XP server box here at home. Something called "cache.exe" was consuming an awful lot of CPU.
Then I also found "wmlapsrv", plus the files cache.exe, libmysql.dll and system32.exe in "C:\" on the server. wmlapsrv.exe was hidden in Windows\System32.
There were a bunch of registry keys referring to cache.exe and wmlapsrv.exe too, and a whole pile of socket connections coming out of the box to windows shares and other services on remote computers in places like Germany and Indonesia.
Google shows that cache.exe is obviously some kind of trojan, but I’ve found no references to wmlapsrv.exe on the net.
What really irritated me about this are two things:
- I had specially set aside much of today to spend playing with my wonderful 2-year-old daughter. Because of these people wasting my time, that was not possible.
- It's not clear from XP how they got into the box. It's all a lot tighter now, but it would be nice to know why it was possible for them to compromise it. Apart from it being Windows, of course.
A quick look at the EXE of wmlapsrv shows references to DCC, lots of people's names and messages relating to an obvious backdoor UI. It seemed to be connecting to remote boxes on port 53 as well as to remote network shares.
Please hax0rs, get a job and use your skills instead of wasting the time of millions of people and just making even more money for people like Symantec.
It makes a very compelling case for running only Java server processes on Windows. If only this were possible. I did find info about running PHP under Tomcat instead of Apache, which would be part of the way there, I guess.
If you could replace Apache with Tomcat and MySQL with something like HSQL, then the only "weak" link on the web-serving side would be PHP. The holy grail, I suppose, would also be a fully featured SMTP/POP/IMAP daemon in pure Java.
UPDATE: Oh well, there's a clue. Looks like it was the old UDF MySQL exploit, with a user-defined function set to run a DLL. Thanks, MySQL.
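For readers who have not met the "UDF exploit" mentioned in the update, here is the generic pattern as an added example (this is not code from the original post, and it is not the specific payload used on this box): MySQL lets a privileged account write arbitrary bytes to disk with `SELECT ... INTO DUMPFILE`, and `CREATE FUNCTION ... SONAME` then loads any DLL as a user-defined function inside mysqld, so whatever the DLL does runs with the MySQL service account's rights (LocalSystem on a default Windows install of that era). The file paths, the account name `webapp`, the export name `sys_exec` and the DLL bytes are all placeholders I assumed for illustration. The second half is the read-only audit and clean-up a practitioner would want to run on a box like this one.

```sql
-- Added example, not from the original post. Every path, account and
-- function name here is a placeholder; the hex literal is a stub, not
-- a real DLL.

-- 1. The attacker's precondition: a MySQL login reachable over the
--    network (often the web app's account, or root with no password)
--    that holds the FILE privilege. FILE allows SELECT ... INTO
--    DUMPFILE, which writes raw bytes to any path mysqld can write.
--    On the MySQL 4.x/5.0 builds of this era the library could be
--    dropped anywhere the Windows loader searches, such as the system
--    directory; 5.1 and later only load UDFs from plugin_dir.
SELECT 0x4D5A90000300000004000000FFFF0000   -- stub bytes; a real attack writes the whole DLL
  INTO DUMPFILE 'C:/WINDOWS/system32/evil_udf.dll';   -- assumed path

-- 2. Register an exported symbol of that DLL as a UDF. mysqld loads
--    the library into its own process, so the function runs as the
--    service account. 'sys_exec' is an assumed export name.
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'evil_udf.dll';
SELECT sys_exec('cmd.exe /c whoami > C:\udf_test.txt');   -- benign stand-in for the real payload

-- 3. Read-only checks to run on a suspect server.
SELECT name, dl, ret FROM mysql.func;                     -- any row here is a registered UDF; treat unknown ones as hostile
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y';  -- who can write files through SQL
SELECT User, Host FROM mysql.user WHERE Password = '';    -- accounts with no password
SHOW VARIABLES LIKE 'secure_file_priv';                   -- empty value = unrestricted file writes (variable exists on newer servers)
SHOW VARIABLES LIKE 'plugin_dir';                         -- where 5.1+ expects UDF libraries to live

-- 4. Clean-up and hardening.
DROP FUNCTION sys_exec;                                   -- unregister the UDF, then delete the DLL from disk
REVOKE FILE ON *.* FROM 'webapp'@'%';                     -- the web app never needs FILE
-- In my.ini under [mysqld], also set (values are assumptions):
--   bind-address=127.0.0.1     or skip-networking, if only local clients need MySQL
--   secure_file_priv="C:/mysql-files/"   confines INTO OUTFILE/DUMPFILE and LOAD_FILE to one directory
-- and run the MySQL service as a dedicated low-privilege account rather than LocalSystem,
-- so a loaded UDF cannot write into Windows\System32 or the registry in the first place.
```

The key point for defenders is that this is not a memory-corruption bug: it is MySQL working as designed once an attacker has a FILE-capable login, which is why the fix is about exposure (no remote 3306, no blank passwords, no FILE privilege for application accounts) and about the service account's privileges rather than about a patch.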