
AdmBr

Members
  • Posts

    6
  • Joined

  • Last visited

About AdmBr

  • Rank
    Newbie

Profile Information

  • Location
    Brazil
  1. Hi itman, The breach seems to be in the Jboss application (web service from Red Hat). It is a dependency that is embedded in (and installed automatically together with) one of our systems (TOTVS ECM) installed in this server. Last night I killed all odd cmd commands and disabled our firewall rule (physical one) that allowed external/remote access to the aforementioned system; since then, I haven't seen the odd cmd commands running so far. It seems the problem is solved (a workaround) as long as I don't re-enable, in our firewall, the external access to that Jboss port of this server. Regarding the odd powershell scripts, they apparently stopped showing up since last week right after I updated all JAVA and MySql server components. I'll let you guys know if something strange happens again. Thank you both for your support and attention. Without your help I wouldn't be able to troubleshoot it.
  2. Hi itman. Today I noticed that only odd CMD commands returned. As JamesR said, probably updating JAVA and MYSQL helped to mitigate the problem. FYI, find below the ESET log from today: I'll wait for the odd CMD processes to return, then I'll generate more information for you guys. Thank you both for being supportive.
  3. This is what is set on the server: I don't know anything about powershell. What would you advise me to do regarding the powershell policy above?
  4. Ok, I just did that. Hopefully he'll join us to help me. Thanks!
  5. Hi itman, Thank you for your support. I don't have weblogic installed on the server, and I still don't know what breach was exploited in it. Yesterday I updated all Java and MySql software that is installed on this server: P.S.: MySQL Utilities is already on its latest version (1.6.5) (that's why the 'Installed Date' shown above is 30th July 2017, because at that time it was already on the latest version). Should I look into something else? Right now I'm running (again) Microsoft Safety Scanner.
  6. Dear mates, I have a Windows Server 2012 machine with 'ESET File Security 6' antivirus installed and somehow it got malware. It seems I got the same malware described in this thread: https://forum.eset.com/topic/14143-powershell-script-100-cpu-load-malicious-attack/ Below I took some prints from our server task manager now: I changed all user passwords and ran these commands below:
     Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Logs Consumer%'" | Remove-WMIObject -Verbose
     Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Logs Consumer'" | Remove-WMIObject -Verbose
     Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SCM Event Logs Filter'" | Remove-WMIObject -Verbose
     ([WmiClass]'root\default:Office_Updater') | Remove-WMIObject -Verbose
     But the last one (([WmiClass]'root\default:Office_Updater') | Remove-WMIObject -Verbose) presented an error: I am unable to get rid of it and would appreciate some help. Would someone kindly be able to assist me?
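The removal commands in post 6 above target WMI permanent event subscriptions (a filter, a consumer, and the binding that wires them together) plus a custom class in root\default. The script below is an added example, not the poster's commands and not from ESET: it is a read-only PowerShell inventory that a defender would run first, to see every subscription on the host and confirm whether the class is still present, before deleting anything. The names 'SCM Event Logs Filter', 'SCM Event Logs Consumer' and 'Office_Updater' are taken from the post; the cmd/powershell pattern used to flag consumers is an illustrative assumption, as is the namespace list.

```powershell
# Added example (not from the original post): inventory permanent WMI event
# subscriptions and the custom class the thread tries to remove. Reports only;
# it deletes nothing. Run from an elevated PowerShell session.
# Names 'SCM Event Logs Filter', 'SCM Event Logs Consumer' and 'Office_Updater'
# come from the post above; the regex and everything else are illustrative.
$ns = 'root\subscription'

Write-Host "== Event filters (WQL conditions that trigger a consumer) =="
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, Query, QueryLanguage | Format-List

Write-Host "== Command-line consumers (what runs when a filter fires) =="
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate, ExecutablePath | Format-List

Write-Host "== Script consumers (inline VBScript/JScript) =="
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptText | Format-List

Write-Host "== Bindings (which filter is wired to which consumer) =="
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List

# Flag consumers whose command line launches cmd.exe or powershell, the symptom
# the thread describes (odd cmd/powershell processes appearing on their own).
# The pattern is an assumption for illustration; tune it to your environment.
$suspicious = Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer |
    Where-Object { $_.CommandLineTemplate -match 'cmd\.exe|powershell' }
if ($suspicious) {
    Write-Warning "Command-line consumers that invoke cmd/powershell:"
    $suspicious | Select-Object Name, CommandLineTemplate | Format-List
}

# Confirm whether the custom class named in the post still exists in root\default.
# -List enumerates class definitions in the namespace rather than instances.
$cls = Get-WmiObject -Namespace 'root\default' -List |
    Where-Object { $_.Name -eq 'Office_Updater' }
if ($cls) {
    Write-Warning "Class root\default:Office_Updater is still present."
    # List its property names and the size of each value so the contents can be
    # reviewed before the class is deleted.
    $cls.Properties |
        Select-Object Name, @{ n = 'ValueLength'; e = { ("$($_.Value)").Length } } |
        Format-Table -AutoSize
} else {
    Write-Host "Class root\default:Office_Updater not found."
}
```

On a clean host the three root\subscription listings are normally empty or contain only entries an administrator recognises (for example ones created by management agents), so anything unfamiliar deserves a closer look; remove the binding before the filter and consumer, as post 6 does, so nothing fires during cleanup. If piping the class object to Remove-WmiObject fails, the [WmiClass] accelerator returns a System.Management.ManagementClass, whose own Delete() method removes the class definition from the repository.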