Re: hacked server

From: Mike Herchel (michael.herchel[_at_)
Date: 07/27/04


Date: Tue, 27 Jul 2004 11:35:48 -0400

I recommend running a full TCP & UDP port scan on your machine (1-65535) to
verify that there are no back-doors. You may also want to consider reloading
it.

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:40fba56e.291007336@msnews.microsoft.com...
> On Sat, 17 Jul 2004 15:39:56 -0500, "TT" <tonkatrail@hotmail.com>
> wrote:
>
>>One of my email servers was hacked. I thought I was being a good little
>>boy and keeping up with all the updates, etc., but someone got in anyway.
>>A mild hack. It appears they only want a place for an IRC server to
>>communicate. Now it's become my challenge to keep them out.. :)
>>
>>Now my problem is
>>1. How did they do it to begin with? This server has no FTP or HTTP
>>service running. I was running Terminal Server and I even shut it down.
>>There is only 1 user and that's the Administrator for which I have now
>>changed the name.
>>and
>>2. They're continuing to get in after I shut down a couple of small holes
>>which I felt were maybe possibilities. When I log in, I see 4 or 5 DOS
>>command windows pop up very quickly. So quickly that I can't read anything
>>on them. I've searched login scripts, etc., and everyplace I know which
>>could initialize when I log in, but I haven't found a thing.
>>
>>Can someone point me to some additional places to look for init-type
>>commands? Maybe some registry entry places?? I've searched for logon and
>>run commands and found nothing.
>
> You can check log files, especially firewall logs, but unless you
> enabled auditing to begin with you can't check the security logs for
> anything.
>
> As for the fix, burn the system down. Wipe, reinstall and restore
> data only from a known good backup. You have a back door that you
> can't find.
>
> Jeff
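The original poster asks where else to look for commands that launch at logon. As an added example that is not part of this thread, the following PowerShell script enumerates the common autostart registry keys, the Winlogon Userinit/Shell values, auto-start services and enabled scheduled tasks so that each entry's command line can be reviewed; it assumes a current Windows host with PowerShell 3 or later and local administrator rights, and the list of locations is my own selection, not an exhaustive one.

```powershell
# Added example (not from the thread): read-only enumeration of common
# Windows autostart locations. Assumes PowerShell 3+ and local admin rights.
# The key list below is an assumption based on well-known locations.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Properties Get-ItemProperty adds for its own bookkeeping; not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Winlogon values; anything beyond userinit.exe / explorer.exe deserves a look.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Userinit', 'Shell') {
        $v = (Get-ItemProperty -Path $wl -Name $name -ErrorAction SilentlyContinue).$name
        if ($v) { [pscustomobject]@{ Location = $wl; Name = $name; Command = $v } }
    }
    # Services configured to start automatically, with their binary path.
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            [pscustomobject]@{ Location = 'Service'; Name = $_.Name; Command = $_.PathName }
        }
    # Enabled scheduled tasks are another common boot/logon trigger.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $act = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{ Location = "Task $($_.TaskPath)"; Name = $_.TaskName; Command = $act }
    }
}

# Review each Command column entry; unfamiliar paths or cmd.exe launchers are
# the kind of thing that would explain command windows appearing at logon.
Get-AutostartEntries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

The script only reads configuration; it changes nothing, so it can be run on the compromised host before the wipe-and-reinstall Jeff recommends to learn how the persistence was set up.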


