RE: Server Hacked - Assessment and Prevention

From: john d (johnd_at_discussions.microsoft.com)
Date: 05/18/05


Date: Wed, 18 May 2005 09:50:54 -0700

This machine was/is 100% patched.

Also, the ftp.scr script simply contained the following line:
get wget.exe

Also, on the one machine, although FTP is enabled, Allow Anonymous is not.
The other machine does not have FTP running at all.

Reformatting is not an option right now.

I've looked for the following:
- Any weird programs installed - none
- Any new directories - none
- Any weird user accounts - none
- Any weird ports connected - none

I have also since changed the local administrator password.

My assumption is that the system account was compromised. If it was, how
can I prevent someone from regaining access using this account?
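A defender-side triage script, added here as an example and not part of the original post or thread, that re-runs the four checks the poster listed (installed programs, new directories, local accounts, connected ports) and also searches for FTP script files matching the ftp.scr pattern (a `get` of an .exe). It assumes Windows PowerShell 5.1 or later with the LocalAccounts and NetTCPIP modules, which the 2005-era hosts in the post would not have; the scan roots and the seven-day window are assumed values.

```powershell
# Added triage example (not from the original post). Assumes Windows PowerShell 5.1+
# with Get-LocalUser and Get-NetTCPConnection available; $Days and $ScanRoots are
# assumed defaults, adjust to the host being examined.
param(
    [int]$Days = 7,
    [string[]]$ScanRoots = @("$env:SystemRoot", "$env:ProgramFiles", 'C:\inetpub')
)
$since = (Get-Date).AddDays(-$Days)

Write-Host "== Local accounts (look for unexpected names or recent changes) =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

Write-Host "== Programs registered in the Uninstall keys within the last $Days days =="
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        # InstallDate is usually yyyyMMdd; entries with a missing or odd value are skipped
        $_.DisplayName -and $_.InstallDate -and
        $(try { [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) -ge $since } catch { $false })
    } |
    Select-Object DisplayName, InstallDate, Publisher | Format-Table -AutoSize

Write-Host "== Directories created within the last $Days days under the scan roots =="
Get-ChildItem -Path $ScanRoots -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object CreationTime -ge $since |
    Select-Object FullName, CreationTime | Format-Table -AutoSize

Write-Host "== Listening and established TCP connections with their owning process =="
Get-NetTCPConnection -State Listen, Established | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        State   = $_.State
        Process = if ($proc) { "$($proc.Name) ($($proc.Path))" } else { "pid $($_.OwningProcess)" }
    }
} | Format-Table -AutoSize

Write-Host "== Small text files containing an FTP 'get' of an executable (the ftp.scr pattern) =="
Get-ChildItem -Path $ScanRoots -Recurse -Force -Include *.scr, *.txt -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 10KB } |   # real screensaver .scr binaries are far larger
    Select-String -Pattern '^\s*get\s+\S+\.exe\s*$' |
    Select-Object Path, LineNumber, Line | Format-Table -AutoSize
```

Run it from an elevated prompt so the registry, connection and directory enumeration are complete; review every hit by hand, since a benign directory or service will also appear.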