w3k server
- From: RKM <RKM@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 3 Sep 2005 15:40:02 -0700
Hi,
I am convinced my server has been compromised. After research I am certain
it has. However, I am still a little unsure as to how and what is going on. It
appears that a program called Hacker Defender has been installed, thus hiding
its registry entries and files. I have found two registry entries, and certain
tools show that two exe files have been run; the kicker is those files are
nowhere to be found, they just do not exist on the system. There were also
log files that were deleted. And I found an odd reg entry with the name of
Andreas Haak, with no subfolders for the key; I assume that the children have
been hidden. It is apparent that the process used utilized something that MS
has designed called Alternate Data Streams (ADS). I have the tools and
instructions on how to remove this rootkit, but I need a little more insight
on this before I clean it. I have isolated the server so it is useless to
them at the moment. One thing I have not been able to confirm is if w3k
server supports the ADS structure. Does anyone have any sort of info on
this? Thanks.