Re: hacked server
From: Henning Krause (newsgroup.no_at_spam.infinitec.de)
Date: 07/18/04
Date: Sun, 18 Jul 2004 10:11:19 +0200
Try Autoruns from Sysinternals. It has a GUI and lists everything that is
started during boot. Another great tool is Process Explorer. It lists
every process that runs on the machine along with a lot of other
information.
Greetings,
Henning Krause
==========================
Visit my website: http://www.infinitec.de
Try my free Exchange Explorer: Mistaya
(http://www.infinitec.de/?page=products)
"Miha Pihler" <miha-news@atlantis.si> wrote in message
news:ux#LKcEbEHA.4048@TK2MSFTNGP10.phx.gbl...
> Also, make sure you clean out your server very well. They could be running
> backdoors, etc. Replace _all_ your passwords that you use on your systems.
> Check if there are any unknown user accounts created on the server. Check for
> unknown services, processes running, ... etc. Block _all_ outgoing traffic
> but e-mail (and whatever else you may need). This might stop some backdoors,
> but be aware that backdoors can also communicate over e.g. port 80....
>
> Mike
>
> "Miha Pihler" <miha-news@atlantis.si> wrote in message
> news:eZSryZEbEHA.644@tk2msftngp13.phx.gbl...
> > Hi,
> >
> > here are some registry places to look at:
> >
> > http://www.aaronoff.com/silent_runners/
> >
> > Mike
> >
> > "TT" <tonkatrail@hotmail.com> wrote in message
> > news:Oo8T6%23DbEHA.2408@tk2msftngp13.phx.gbl...
> > > Sorry, I should have specified that this is a workgroup server running Win2K
> > > SP4 and only has one application running: IpSwitch's IMail
> > >
> > > "TT" <tonkatrail@hotmail.com> wrote in message
> > > news:eRZDJ6DbEHA.2544@TK2MSFTNGP10.phx.gbl...
> > > > One of my email servers was hacked. I thought I was being a good little boy
> > > > and keeping up with all the updates, etc., but someone got in anyway. A mild
> > > > hack. It appears they only want a place for an IRC server to communicate.
> > > > Now it's become my challenge to keep them out.. :)
> > > >
> > > > Now my problem is
> > > > 1. How did they do it to begin with? This server has no FTP or HTTP service
> > > > running. I was running Terminal Server and I even shut it down. There is
> > > > only 1 user and that's the Administrator for which I have now changed the
> > > > name.
> > > > and
> > > > 2. They're continuing to get in after I shut down a couple of small holes
> > > > which I felt were maybe possibilities. When I log in, I see 4 or 5 DOS
> > > > command windows pop up very quickly. So quickly that I can't read anything
> > > > on them. I've searched login scripts, etc., and everyplace I know which
> > > > could initialize when I log in, but I haven't found a thing.
> > > >
> > > > Can someone point me to some additional places to look for init-type
> > > > commands? Maybe some registry entry places?? I've searched for logon and run
> > > > commands and found nothing.
> > > >
> > > > Thanks in Advance
> > > > tonka trail at hotmail dot com
> > > >
> > > >
> > >
> > >
> >
> >
>
>
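
The thread asks where boot-time and logon-time commands can hide. The script below is an added example, not part of any poster's message: a read-only listing of a few well-known autostart locations (Run/RunOnce keys, Winlogon values, Startup folders, auto-start services). It assumes a Windows host with PowerShell 3.0 or later, which is newer than the Win2K server in the thread, and it covers only a subset of what Autoruns enumerates.

```powershell
# Added example: read-only listing of common boot/logon autostart locations.
# Assumption: PowerShell 3.0+ in an elevated prompt on the host being examined.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Run / RunOnce values: commands started at logon.
$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = $item.GetValue($name) }
    }
})

# 2. Winlogon Userinit and Shell: normally userinit.exe and explorer.exe only.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-Item -Path $winlogon
foreach ($name in 'Userinit', 'Shell') {
    $findings += [pscustomobject]@{ Source = $winlogon; Name = $name; Command = $wl.GetValue($name) }
}

# 3. Per-user and all-users Startup folders.
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if ($path -and (Test-Path $path)) {
        $findings += @(Get-ChildItem -Path $path -File | ForEach-Object {
            [pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName }
        })
    }
}

# 4. Services set to start automatically at boot.
$findings += @(Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    })

# Review every entry; anything you cannot account for deserves a closer look.
$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```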