Re: server is being hacked
- From: comphelp@xxxxxxxxx (Todd H.)
- Date: 05 Feb 2008 09:41:16 -0600
"joseph.rosario@xxxxxxxxx" <joseph.rosario@xxxxxxxxx> writes:
> Every month I am finding either one or two services that are hack
> services. I delete the files and clean the service in the registry
> then between 1 and 3 months a new hack is on my server. I have
> Symantec 10.2 and Symantec for Exchange and a Barracuda on the outside
> of my network. Can anyone help to find the root of this issue? I use
> the normal tools like rootkit revealer and aports for scanning my
> ports but still they get in. I check my server a few times a day and
> usually I catch it within a day but that might be too late. My updates
> and patches are up to date. I am running SBS 2003 sp2 and Exchange
> 2003 sp1.
Hi Joseph,
Sorry to hear of your struggles. You need to follow the standard
procedure for recovering from a malware infection:
  o remove the box from the network
  o pull data off to another device and/or image the drive
    (including slack space) for later reference or a forensic
    analysis
  o repartition, reformat and reinstall the OS from original
    media
If you want a root cause (or as close to a root cause as you'll get,
depending on the attacker's skill), engage a security firm to do
forensic analysis of the box. This is also sold as "incident
response" service. It's not cheap.
Trying to patch/remove things flagged by a commercial product is like
trying to use a bandaid to cure skin cancer, I'm afraid. You have no
way of knowing you got everything.
Best Regards,
--
Todd H.
http://www.toddh.net/