'System' user making changes?


#1

Hi. This is the situation: I got infected with some malware a few months ago and it got access to the modem and is able to change the DNS.
Needless to say, all devices are affected by this and I cannot log in and change the password no matter how hard I try. I already changed the modem and the issue persists.

Now to the router: I started to notice that sometimes the log shows ‘System login successful’ a few seconds before I logged in, as a separate entry, and ‘admin login successful’ shows on another entry.

Is there an account called System that this malware might be using?

Another symptom I have noticed is that the changes I make have no effect, or the ‘Apply settings’ text doesn’t show up until I save several other changes, which makes me think that something else may have taken control of the router.

All this happened while I’m offline, which makes everything even weirder.

The DNS setup to forward everything to Google DNS has no effect either.

Any help is appreciated.

edit: Another thing I’ve noticed is ‘changes applied successfully’ at times when I did not apply anything, and also the ‘apply settings’ option being highlighted randomly when I’m just browsing the categories. Also, I created a VLAN and it showed up as “being used” when I wasn’t using it.


#2

Yes, you were hit with a malware that was likely introduced via an IIS web server inside your network that has port 80 being forwarded to from your external IP. The exploit uses system credentials to create a local admin account on the server called IUSR_Srvr. There is a legitimate IUSR_ServerName account that gets created as part of installing IIS; the IUSR_Srvr is a hacker’s account. From what you’re describing, the malware is still active. The malware sets the web server’s DNS servers in its IPv4 settings to public servers, which will make it unlikely for you to be able to log into it with domain credentials. I don’t believe your modem or Peplink router have anything to do with this problem. The IIS server was improperly locked down by default.

Suspend the port-forwarding to this web server;
Go through the ‘msconfig’ and review oddities in your startup and new non-Microsoft services that have been created;
Change all the passwords that would have been used on this server, because a key-logger is often part of this malware;
Review the task scheduler to determine whether the malware will renew itself after you clean it out
If there isn’t any critical data on this server that changes day to day, restore a backup (if you have one) from prior to when the problems started happening.

If you are able to recover from the malware, don’t put the web server back online until you can properly secure it. For your sake, cross your fingers and hope I’m wrong. Good luck.
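The checks listed in the reply above (extra local admin accounts, non-Microsoft startup items and services, scheduled tasks used for persistence, and the server's IPv4 DNS settings), collected into one read-only PowerShell triage script. This is an added example, not code posted in the thread or supplied by Peplink. It assumes a Windows host with IIS, Windows PowerShell 5.1 or later, and an elevated prompt; the account name IUSR_Srvr is taken from the reply above and has not been independently confirmed, so treat it as a hypothesis to check rather than an established indicator.

```powershell
# Added triage script (not from the thread). Read-only: it changes nothing on the host.
# Assumptions: Windows PowerShell 5.1+, run as Administrator, IIS host as described in the reply.
# 'IUSR_Srvr' is the name the reply above gives; it is an assumption, not a confirmed indicator.
$SuspectAccount = 'IUSR_Srvr'

# 1. Local accounts and Administrators group membership.
#    A stock IIS install creates IUSR and the IIS_IUSRS group; an extra local admin is a red flag.
Write-Host "== Local accounts =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
Write-Host "== Members of Administrators =="
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
if (Get-LocalUser -Name $SuspectAccount -ErrorAction SilentlyContinue) {
    Write-Warning "Account '$SuspectAccount' exists on this host; review who created it and when."
}

# 2. Services whose binary is not Authenticode-signed by Microsoft
#    (the same filter as 'Hide all Microsoft services' in msconfig).
Write-Host "== Non-Microsoft services =="
Get-CimInstance Win32_Service | ForEach-Object {
    # Reduce the service command line to just the executable path.
    $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $sig = if ($exe -and (Test-Path $exe)) { Get-AuthenticodeSignature $exe } else { $null }
    if (-not $sig -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $_.PathName
            Signer    = $sig.SignerCertificate.Subject
        }
    }
} | Format-Table -AutoSize -Wrap

# 3. Startup entries (Run keys and Startup folders): the msconfig 'Startup' tab items.
Write-Host "== Startup commands =="
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-Table -AutoSize -Wrap

# 4. Enabled scheduled tasks outside the \Microsoft\ tree: the persistence the reply says to check.
Write-Host "== Non-Microsoft scheduled tasks =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        $task.Actions | ForEach-Object {
            [pscustomobject]@{
                Task      = $task.TaskName
                Path      = $task.TaskPath
                Author    = $task.Author
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
    } | Format-Table -AutoSize -Wrap

# 5. IPv4 DNS servers per interface: the reply says these get repointed to public resolvers,
#    which would break domain logons that depend on the internal DNS.
Write-Host "== IPv4 DNS servers per interface =="
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 6. Whatever is listening on TCP/80, so you know what the port forward actually reaches.
Write-Host "== Listeners on TCP/80 =="
Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

Run it from an elevated prompt and save the output before you start removing anything, so you have a record of the pre-cleanup state. The signature check only tells you whether a service binary carries a Microsoft signature; an unsigned or third-party-signed entry is a lead to investigate, not proof of malware, and a signed-looking path can still be wrong if the service points at a renamed or relocated file, so compare the Path column against what you expect to be installed.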


#3

Please open a support ticket here for the support team to check.