# Hundreds of net.exe, net1.exe and cmd.exe?!?



## ToXiCaTioN.d (Jul 2, 2008)

I run a small Apache server with a MySQL server. Nothing huge, just a few files on my server. It is accessible outside of my network, but not many people know about it. Everything will be fine and dandy, then all of a sudden I can no longer access the web. So I log into remote desktop and see that I have *400* processes running!! They're all net.exe, net1.exe and cmd.exe. And I don't think they'd stop if I didn't restart Apache. (If I restart Apache they all go away, sometimes coming back right after the restart.)

Now, I do believe that these are legit programs. But I don't have an antivirus; I just have Malwarebytes, which comes back clean after a quick scan. This Apache / MySQL / FTP (which is rarely on 'cause it doesn't work) is from XAMPP.

Is there some exploit I am missing that maybe others know and I don't or is there something horribly wrong with the configuration? Please help me, I don't know what to do.

I am running a Server 2003 box. Thank you!


----------



## peterh40 (Apr 15, 2007)

Could be a Code Red or Nimda virus.

Check server using Stinger tool or an online AV tool:
http://vil.nai.com/vil/stinger/
and
http://www.f-secure.com/v-descs/nimda.shtml

and

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

I suggest you get hold of an AV program for your server ASAP or disconnect it from the internet.


----------



## ToXiCaTioN.d (Jul 2, 2008)

This was actually caused by a script. I don't understand why PHP, by default, has access to execute programs.


----------
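The symptom in this thread (cmd.exe, net.exe and net1.exe piling up and disappearing when Apache restarts) can be confirmed from a process snapshot by checking which of those helpers descend from the web server. The following is an added example, not code from any poster in the thread; the CSV column layout, the sample rows and the web server image names (`httpd.exe`, `apache.exe`) are assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Assumed image names for the Apache worker on Windows.
WEB_SERVERS = {"httpd.exe", "apache.exe"}
# The helper processes named in the thread.
SUSPECT = {"cmd.exe", "net.exe", "net1.exe"}

# Constructed sample snapshot (name, parent PID, PID); not data from the thread.
SAMPLE = """Name,ParentProcessId,ProcessId
services.exe,420,468
httpd.exe,468,1200
httpd.exe,1200,1216
mysqld.exe,468,1304
cmd.exe,1216,2000
net.exe,2000,2004
net1.exe,2004,2008
cmd.exe,1216,2100
net.exe,2100,2104
explorer.exe,900,1500
cmd.exe,1500,3000
"""

def load(text):
    """Parse the snapshot into {pid: (ppid, lowercase image name)}."""
    return {int(r["ProcessId"]): (int(r["ParentProcessId"]), r["Name"].lower())
            for r in csv.DictReader(io.StringIO(text))}

def web_ancestor(pid, procs):
    """Walk up the parent chain; return the nearest web server PID or None."""
    seen = set()
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:  # 'seen' guards against PID loops
        seen.add(ppid)
        if procs[ppid][1] in WEB_SERVERS:
            return ppid
        ppid = procs[ppid][0]
    return None

def flag(procs):
    """List (pid, name, web_server_pid) for suspect helpers under the web server."""
    hits = [(pid, name, web_ancestor(pid, procs))
            for pid, (_, name) in sorted(procs.items()) if name in SUSPECT]
    return [h for h in hits if h[2] is not None]

if __name__ == "__main__":
    found = flag(load(SAMPLE))
    print(Counter(name for _, name, _ in found))
    for pid, name, server in found:
        print(f"pid {pid} {name} descends from web server pid {server}")
```

The cmd.exe started from explorer.exe is not flagged, so an administrator's own console does not trigger the check; only helpers whose ancestry leads back to the web server do.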

