Re: hacked server

From: TT (tonkatrail_at_hotmail.com)
Date: 07/17/04


Date: Sat, 17 Jul 2004 15:48:26 -0500

Sorry, I should have specified that this is a workgroup server running Win2K
SP4 and only has one application running: Ipswitch's IMail.

"TT" <tonkatrail@hotmail.com> wrote in message
news:eRZDJ6DbEHA.2544@TK2MSFTNGP10.phx.gbl...
> One of my email servers was hacked. I thought I was being a good little boy
> and keeping up with all the updates, etc., but someone got in anyway. A mild
> hack. It appears they only want a place for an IRC server to communicate.
> Now it's become my challenge to keep them out.. :)
>
> Now my problem is
> 1. How did they do it to begin with? This server has no FTP or HTTP service
> running. I was running Terminal Server and I even shut it down. There is
> only 1 user and that's the Administrator for which I have now changed the
> name.
> and
> 2. They're continuing to get in after I shut down a couple of small holes
> which I felt were maybe possibilities. When I log in, I see 4 or 5 DOS
> command windows pop up very quickly. So quickly that I can't read anything
> on them. I've searched login scripts, etc., and everyplace I know which
> could initialize when I log in, but I haven't found a thing.
>
> Can someone point me to some additional places to look for init-type
> commands? Maybe some registry entry places?? I've searched for logon and run
> commands and found nothing.
>
> Thanks in Advance
> tonka trail at hotmail dot com


