Re: hacked server
From: Miha Pihler (miha-news_at_atlantis.si)
Date: 07/17/04
Date: Sat, 17 Jul 2004 23:43:01 +0200
Also, make sure you clean out your server very well. They could be running
backdoors, etc. Replace _all_ your passwords that you use on your systems.
Check if there are any unknown user accounts created on the server. Check for
unknown services, processes running, ... etc. Block _all_ outgoing traffic
except e-mail (and whatever else you may need). This might stop some backdoors,
but be aware that backdoors can also communicate over e.g. port 80....
Mike
"Miha Pihler" <miha-news@atlantis.si> wrote in message
news:eZSryZEbEHA.644@tk2msftngp13.phx.gbl...
> Hi,
>
> here are some registry places to look at:
>
> http://www.aaronoff.com/silent_runners/
>
> Mike
>
> "TT" <tonkatrail@hotmail.com> wrote in message
> news:Oo8T6%23DbEHA.2408@tk2msftngp13.phx.gbl...
> > Sorry, I should have specified that this is a workgroup server running Win2K
> > SP4 and only has one application running: IpSwitch's IMail
> >
> > "TT" <tonkatrail@hotmail.com> wrote in message
> > news:eRZDJ6DbEHA.2544@TK2MSFTNGP10.phx.gbl...
> > > One of my email servers was hacked. I thought I was being a good little boy
> > > and keeping up with all the updates, etc., but someone got in anyway. A mild
> > > hack. It appears they only want a place for an IRC server to communicate.
> > > Now it's become my challenge to keep them out.. :)
> > >
> > > Now my problem is
> > > 1. How did they do it to begin with? This server has no FTP or HTTP service
> > > running. I was running Terminal Server and I even shut it down. There is
> > > only 1 user and that's the Administrator for which I have now changed the
> > > name.
> > > and
> > > 2. They're continuing to get in after I shut down a couple of small holes
> > > which I felt were maybe possibilities. When I log in, I see 4 or 5 DOS
> > > command windows pop up very quickly. So quickly that I can't read anything
> > > on them. I've searched login scripts, etc., and everyplace I know which
> > > could initialize when I log in, but I haven't found a thing.
> > >
> > > Can someone point me to some additional places to look for init-type
> > > commands? Maybe some registry entry places?? I've searched for logon and run
> > > commands and found nothing.
> > >
> > > Thanks in Advance
> > > tonka trail at hotmail dot com
> > >
> > >
> >
> >
>
>
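The thread asks where logon-time commands can hide and the replies point at registry autostart locations; the following is an added example, not part of the original messages, that triages a text export of the registry for entries launched at logon. The key list covers only the common Run, RunOnce and Winlogon locations, and the sample export, value names and "suspicious" heuristics are constructed assumptions for illustration.

```python
import re

# Common logon autostart keys (lower-cased suffixes); not an exhaustive list.
AUTOSTART_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows nt\currentversion\winlogon",
)
WINLOGON_VALUES = {"userinit", "shell"}  # the Winlogon values that start programs
# Heuristic (assumption): command shells, script files, temp directories.
SUSPICIOUS = re.compile(r"cmd(\.exe)?\s+/c|\.bat\b|\.cmd\b|\.vbs\b|\\temp\\", re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a .reg text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def autostart_entries(text):
    """Return [(key, name, data, flagged)] for values that run at logon."""
    rows = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if not k.endswith(AUTOSTART_SUFFIXES):
            continue
        if k.endswith("winlogon") and name.lower() not in WINLOGON_VALUES:
            continue
        flagged = bool(SUSPICIOUS.search(data))
        if name.lower() == "userinit":
            # More than one program chained after userinit.exe deserves a look
            flagged |= len([p for p in data.split(",") if p.strip()]) > 1
        rows.append((key, name, data, flagged))
    return rows

# Constructed sample export; the flagged entries are invented for the example.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"svcupd"="cmd /c C:\\WINNT\\Temp\\start.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Administrator"
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\nt32.exe"
'''

if __name__ == "__main__":
    for key, name, data, flagged in autostart_entries(SAMPLE):
        print("REVIEW" if flagged else "ok    ", key, "|", name, "=", data)
```

An unflagged entry is not proof of a clean system; on a compromised host the export itself should be taken and reviewed from a trusted machine.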