Re: hacked server

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/18/04

    Date: Sat, 17 Jul 2004 22:19:21 GMT

    On Sat, 17 Jul 2004 15:39:56 -0500, "TT" <tonkatrail@hotmail.com>
    wrote:

    >One of my email servers was hacked. I thought I was being a good little boy
    >and keeping up with all the updates, etc., but someone got in anyway. A mild
    >hack. It appears they only want a place for an IRC server to communicate.
    >Now it's become my challenge to keep them out.. :)
    >
    >Now my problem is
    >1. How did they do it to begin with? This server has no FTP or HTTP service
    >running. I was running Terminal Server and I even shut it down. There is
    >only 1 user and that's the Administrator for which I have now changed the
    >name.
    >and
    >2. They're continuing to get in after I shut down a couple of small holes
    >which I felt were maybe possibilities. When I log in, I see 4 or 5 DOS
    >command windows pop up very quickly. So quickly that I can't read anything
    >on them. I've searched login scripts, etc., and everyplace I know which
    >could initialize when I log in, but I haven't found a thing.
    >
    >Can someone point me to some additional places to look for init-type
    >commands? Maybe some registry entry places?? I've searched for logon and run
    >commands and found nothing.

    You can check log files, especially firewall logs, but unless you
    enabled auditing to begin with you can't check the security logs for
    anything.

    As for the fix, burn the system down. Wipe, reinstall and restore
    data only from a known good backup. You have a back door that you
    can't find.

    Jeff
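    The original poster asked where logon-time launchers can hide. The script below is an added example, not part of the thread, that enumerates the usual Windows autostart locations (Run/RunOnce keys, Winlogon Shell/Userinit, the legacy Load/Run values, Startup folders, and services whose binary sits outside the system directories) and flags entries that launch via cmd.exe, a script, or a temp/profile path. It assumes an elevated PowerShell 3 or later session on the affected host; an older host without PowerShell can be checked at the same keys with regedit.

```powershell
# Added example (not from the original thread): list Windows autostart
# locations and flag launchers matching "command windows at logon".
# Assumes an elevated PowerShell 3+ session on the affected host.

$keys = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         = '*'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'     = '*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         = '*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'     = '*'
    # Winlogon: only Shell and Userinit start programs at logon
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' = 'Shell', 'Userinit'
    # Registry equivalents of the old win.ini load= / run= lines
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'  = 'Load', 'Run'
}

$entries = @(foreach ($key in $keys.Keys) {
    if (-not (Test-Path $key)) { continue }
    $wanted = $keys[$key]
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PowerShell metadata, not registry data
        if ($wanted -notcontains '*' -and $prop.Name -notin $wanted) { continue }
        [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
    }
})

# Per-machine and per-user Startup folders
$folders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
$entries += @(foreach ($f in $folders) {
    Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName } }
})

# Services whose image path is outside \Windows\ or \Program Files\ deserve a look
$entries += @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\(Windows|Program Files( \(x86\))?)\\' } |
    ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } })

# Triage hint only: cmd.exe, batch/VBS scripts and temp/profile paths match the
# symptom described in the post, but every entry still needs a human review.
$pattern = 'cmd(\.exe)?|\.bat\b|\.vbs\b|\\Temp\\|\\Users\\Public\\|\\AppData\\'
$entries |
    Select-Object Source, Name, Command,
        @{ Name = 'Flag'; Expression = { if ($_.Command -match $pattern) { 'REVIEW' } else { '' } } } |
    Sort-Object Flag -Descending |
    Format-Table -AutoSize -Wrap
```

    Scheduled tasks and WMI subscriptions are further persistence points not covered here; and, as the reply above says, finding one launcher does not prove there is no other, so the output supports the rebuild decision rather than replacing it.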

