svchost exploit on ports 80, 443 &21
From: Alastair Smith (asmith_at_c-it.co.uk)
Date: 04/05/04
- Next in thread: Duane Arnold: "Re: svchost exploit on ports 80, 443 &21"
- Reply: Duane Arnold: "Re: svchost exploit on ports 80, 443 &21"
- Reply: Bluto: "Re: svchost exploit on ports 80, 443 &21"
- Reply: Walter Geromel: "Re: svchost exploit on ports 80, 443 &21"
- Maybe reply: davidm: "Re: svchost exploit on ports 80, 443 &21"
Date: 4 Apr 2004 15:20:52 -0700
Hi,
I have a customer's server that has been hacked and I'm running out of
time on fixing the problem.
Each time the server starts up svchost.exe loads using ports 80, 443,
21 and a couple of others that it blatantly shouldn't - as you can
guess this stops any IIS services from running correctly.
When the users try to use features such as Outlook Web Access an
alternate page is displayed showing a large skull and starting with
the text "Hello dear FxPer!" and displaying a few statistics off the
server such as its uptime etc, it closes with a gloat from the hacker
stating the server was "hacked by a good hacker".
I can easily cure this by simply killing the instance of svchost.exe
that is occupying the ports I want then restarting the IIS sites, but
this always returns after a restart so it's getting a bit boring now.
The technical details of the server are as follows: -
Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
sp1 and all other Microsoft critical updates.
McAfee Netshield.
Note: - At the time when the problem started the server was just
running SP3 with no other updates.
I have scanned the registry for any unusual programs running on
startup and can't see anything.
I have run several Trojan Scans and I have also run the Symantec fix
tool for the Welchia virus but nothing has been found.
Does anyone have any info on this problem?
Any help is greatly appreciated, the hacker's home address would be
even more appreciated! ;-)
Cheers
Alastair