Hacked and Desperate
From: Bryan (BryanCompton_at_attbi.com)
Date: 05/09/03
- Next message: David Black: "Re: apply default security settings to a converted NTFS partition"
- Previous message: Rich: "Non NT devices can not authenticate with Domain Controller."
- Next in thread: Dmitry Kulshitsky: "Re: Hacked and Desperate"
- Reply: Dmitry Kulshitsky: "Re: Hacked and Desperate"
- Reply: Karl Levinson [x y] mvp: "Re: Hacked and Desperate"
- Reply: Jeff Cochran: "Re: Hacked and Desperate"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 8 May 2003 23:20:55 -0700
Our network has been hacked and I am desperate for
advice. Please help!
As soon as possible I would like to migrate our network
from our current .ORG Win NT Domain to our new .NET Win
2000 Domain. This migration includes going from Exchange
5.5 to Exchange 2000. Our NT 4 PDC, BDC, and Exchange 5.5
are on 6 year old servers. Our Win 2000 DCs and Exchange
2000 will run on newly purchased servers.
I need to migrate to our new system as soon as possible
but I need to make sure that our hacker does NOT migrate
with us. Suggestions would be very helpful and deeply
appreciated.
Here is the full situation...
We are a headquarters office for a state wide non-profit.
We have a small network with 11 servers and 60
workstations but provide mail and web/ftp services for
several outside offices. The network is NT 4 domain with
3 NT 4(PDC, BDC, and Exchange 5.5) servers and the rest
are 2000. The workstations are all new Win XP with the
exception of our telephone system which is a Win NT 4
workstation.
We run McAfee on everything - servers get hourly updates
and workstations nightly updates. I was evaluating the
free version of AVG anti-virus from GRISoft.COM. On a
whim I ran a scan from my workstation to our web/ftp
server and was shocked when it returned a positive for the
BackDoor.Servu virus. It removed the virus but I was very
concerned and did some checking.
On the web/ftp server I found a large file in an FTP
folder. The folder had non-printable characters so I
could not delete it. That weekend I formatted and
reinstalled our NT4 PDC, NT4 BDC, and Win 2000 web/ftp
server. I tried to change the Admin password but I ran
into issues with exchange so I left exchange with the same
password.
After a service pack reboot I was shocked to see DNS had
already been populated with a ton of outside entries and
noticed some additional reverse lookup items that I did
not put in DNS. However, I was not sure if this was OK or
if something was still "bad".
I checked DHCP and found several "PC Names" that had
bizarre ASCII characters. Our PCs use the last name of
the person assigned to the PC so bizarre ASCII characters
are definitely not right. All of the DHCP addresses are
in our 192.168.0.x address range.
I ran WildPackets TCP/IP packet scanner and found a ton of
packets. This was on a weekend night so a ton of traffic
just does not fit our use. I looked into it a bit more
and found what looks to me like voice or maybe music
packets.
I checked our servers to see how hard they were working
and noticed our 6 year old exchange server was working
very hard. I opened up some folders on the server and was
shocked when I was not able to open the WinNT folder. I
had to shut down some services and then it took forever to
load the files into explorer. I found a HUGE number of
directories (34,000+). The folders were all in sequence
with the same extension which was something like "was"
or "wav". It took me hours to remove the files. Then I
looked around some more and found odd files in a folder in
my admin user directory, a program that brought up a virtual
keyboard, several JET temporary files (I was able to
delete some of these JET temp files but others are in use
and cannot be deleted), and some odd i386 folders.
Since then I did some checking and found a ton of user
related "spyware" such as Hotbar, WeatherBug,
DoubleClick, etc. but I believe this is due to my users
loading the software on their PCs.
Thanks for any comments you might give me. I am not sure
what to do at this point.
Bryan
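As an added defender-side example, not part of Bryan's post or of any reply, here is a small Python triage helper for two of the indicators he describes: DHCP client names containing non-printable characters, and large runs of sequentially numbered directories sharing one extension. The sample names are constructed; the thresholds are assumptions.

```python
"""Triage helper for two indicators from the post above:
1. names (DHCP client names, FTP folders) containing control characters,
2. runaway sequences of same-extension directories (e.g. 00001.wav ...).
"""
import re

# Constructed sample data, not taken from the original post.
DHCP_CLIENT_NAMES = ["SMITH", "JOHNSON", "\x01\x02\x7fXYZ", "GARCIA\x1b[", "MÜLLER"]
EXCHANGE_WINNT_DIRS = [f"{i:05d}.wav" for i in range(1, 201)] + [
    "system32", "Fonts", "temp.wav",
]

# ASCII control characters (0x00-0x1f) and DEL (0x7f); a hostname built
# from a surname never legitimately contains these.
NONPRINTABLE = re.compile(r"[\x00-\x1f\x7f]")


def suspicious_names(names):
    """Return the names that contain non-printable ASCII characters."""
    return [n for n in names if NONPRINTABLE.search(n)]


def runaway_sequences(dirnames, min_run=50):
    """Group directory names with purely numeric stems by extension and
    report each extension whose stems form a run of at least `min_run`
    consecutive integers, as {ext: (total_count, longest_run)}.
    `min_run=50` is an assumed threshold; tune it to the host."""
    by_ext = {}
    for name in dirnames:
        stem, sep, ext = name.rpartition(".")
        if sep and stem.isdigit():
            by_ext.setdefault(ext.lower(), set()).add(int(stem))
    findings = {}
    for ext, nums in by_ext.items():
        ordered = sorted(nums)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            findings[ext] = (len(nums), best)
    return findings


if __name__ == "__main__":
    print("Suspicious client names:", suspicious_names(DHCP_CLIENT_NAMES))
    print("Runaway directory sequences:", runaway_sequences(EXCHANGE_WINNT_DIRS))
```

Names that are merely non-ASCII (such as "MÜLLER") are not flagged, so the check stays quiet on legitimate accented surnames.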