Re: Hacked

---

• From: Nex6 <nex6@xxxxxxx>
• Date: Tue, 11 Sep 2007 19:31:22 GMT

---

You really need to look hard and every possible point of entry. form existing users to an outside attacker. here are some basic questions to ask yourself:

*is there a hardware firewall between you and the internet? eg are you on a private address space?


*audit every account and group membership.
*audit every possbile place to hide startup scripts and excutables, both in the registry and start menu

*increase event logging to FULL, eg: in secpol.msc check both boxes on all audit policys


*run both nbtstat and netstat and investigate all conntections.


*consider, having every user reset his/her passwords, and reset all service accounts. and old or temp accounts reset or disable

That should give you a pretty good start.


-Nex6

On Mon, 10 Sep 2007, James Matthews wrote:

Not always does someone hack using an exploit! Sometimes they crack the passwords etc... You have to consider every and any point of intrusion

--

http://www.goldwatches.com/
http://www.jewelerslounge.com/
"Newell White" <NewellWhite@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:D35907B2-F92A-4CBA-AF04-D3FC556D723E@xxxxxxxxxxxxxxxx

Record the modified and created dates on the installed files and their
containing folders. This will give you some clue as to the time window you
should search in the Security log using Event Viewer - should give you IP of
computer originating any login request.

What is your network topology?
Anti-virus software won't help.
Do you have hardware firewall between server and the wicked outside world?
If so, and it is configured correctly, this is most likely an inside job.
--
Newell White


"SuperSlueth" wrote:

I'm running exchange 2003 on server 2003 with all the latest patches and
fixes applied. I have the latest version of norton corperate antivirus with
all the updates.
I've done a full scan and the server is clean.
Yet every 2 or 3 days I see that a new user has been added "hello5" and
programs have been installed.
I can delete the programs and the user I've disabled remote desktop and
changed the admin password, but still this person still gets to the server.
does anyone have any idea how to find out where he comes in from and how to
block it

.

---

• References:
  • Re: Hacked
    • From: James Matthews

• Prev by Date: Re: Hacked
• Next by Date: Re: Hacked
• Previous by thread: Re: Hacked
• Next by thread: Re: Hacked
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Hacked ... *consider, having every user reset his/her passwords, and reset all service accounts. ... I've done a full scan and the server is clean. ... (microsoft.public.security) Re: Hacked ... *consider, having every user reset his/her passwords, and reset all service accounts. ... I've done a full scan and the server is clean. ... (microsoft.public.security) Re: Hacked ... *consider, having every user reset his/her passwords, and reset all service accounts. ... I've done a full scan and the server is clean. ... (microsoft.public.security) Re: Hacked ... *consider, having every user reset his/her passwords, and reset all service accounts. ... I've done a full scan and the server is clean. ... (microsoft.public.security) Sending email to mydomain.com ... They do not offer an smtp server, ... different from the user account names for the exchange ... I added one user account in the POP3 Mailbox Accounts ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)