Re: I've been hacked
From: George Hester (hesterloli_at_hotmail.com)
Date: 05/26/04
- Next message: Branden Wolner: "KB835732 and IE history"
- Previous message: Danny Mingledorff: "Re: Hotmail pop-ups?"
- In reply to: Marcus Smaby: "I've been hacked"
- Next in thread: Dave: "Re: I've been hacked"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 26 May 2004 16:34:53 -0400
Some processes you cannot stop even as Administrator. It is because they are either necessary for Windows to run or they are locked by some other process, which you have to find first, kill, and then kill the one you want to kill.
The fact that the "hacker" comes back so fast but not instantly makes me wonder what your evidence is based on. Can you identify the IP address of what is changing these files? What if you change the permissions on them to, say, System and Admin only? There is a utility from Microsoft called Port Query. They even have a Service by a similar name. It is called Port Reporter. I believe you let this start automatically and you can monitor your ports over time. I have it but don't use it often.
--
George Hester
__________________________________
"Marcus Smaby" <mrsmaby@@@msn.com> wrote in message news:uKujEz1QEHA.964@TK2MSFTNGP10.phx.gbl...
> I am having a continuing problem that I can't seem to get a handle on.
> Recently, someone hacked into one of our servers. Now, once or twice a day I
> see either the file system.exe or netstats.exe appearing in the system32
> folder and in the tasks list. At this point the network is brought to its
> knees and it can take me 15 minutes to log into the affected server. I have
> checked for references to these two files and I get a hit on system.exe as a
> Trojan, but the only hits I get on netstats.exe are as a utility. I have
> firewalls. I am at current patch levels on everything. I have Norton
> Corporate AV running on all systems but still this continues. I cannot kill
> these processes as they come back 'access denied'. My only recourse has been
> to rename these files from a CMD prompt, clean out any references from the
> registry and reboot. But within the hour, they are back!
>
> 1. Is there any way to force a process to die? If I am domain admin, why
> would I be denied access?
>
> 2. Is there any utility that would lock out a given program from starting?
>
> 3. How can I determine where this is coming from?
>
> Thanks in Advance.
>
> Marcus
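
One way to collect the evidence asked about in the reply above (when the files reappear, who owns them, and which connections are open at that moment), as an added example that is not part of the original thread. It assumes PowerShell on a current Windows Server where `Get-NetTCPConnection` is available; the log path and the function name `Get-DropEvidence` are hypothetical.

```powershell
# Added example: watch System32 for the two file names from the post and record
# evidence at the moment they reappear. Run from an elevated 64-bit session.
$watchDir = Join-Path $env:SystemRoot 'System32'
$suspects = @('system.exe', 'netstats.exe')   # file names reported in the post
$logPath  = 'C:\IR\dropper-watch.jsonl'       # hypothetical evidence log location
New-Item -ItemType Directory -Force -Path (Split-Path $logPath) | Out-Null

function Get-DropEvidence {
    param([string]$Path)
    # Snapshot listening and established TCP sockets with their owning processes.
    $conns = Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local     = "$($_.LocalAddress):$($_.LocalPort)"
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                State     = "$($_.State)"
                OwningPid = $_.OwningProcess
                Process   = $proc.ProcessName
            }
        }
    # Owner and hash come back empty if the file is still locked by its writer.
    [pscustomobject]@{
        TimeUtc     = (Get-Date).ToUniversalTime().ToString('o')
        Path        = $Path
        Owner       = (Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue).Owner
        Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        Connections = @($conns)
    }
}

$watcher = New-Object System.IO.FileSystemWatcher $watchDir
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents   = $true
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier DropWatch | Out-Null

# Handle events in the main loop so the function above stays in scope.
while ($true) {
    $evt = Wait-Event -SourceIdentifier DropWatch
    Remove-Event -EventIdentifier $evt.EventIdentifier
    if ($suspects -contains $evt.SourceEventArgs.Name) {   # -contains ignores case
        Get-DropEvidence -Path $evt.SourceEventArgs.FullPath |
            ConvertTo-Json -Depth 4 -Compress |
            Add-Content -LiteralPath $logPath
    }
}
```

Only the `Created` event is handled, so a file renamed into place under one of these names would not be recorded.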