Re: w3k server



I would check out the rootkit tool from http://www.sysinternals.com; there
is also a tool they have called autoruns.exe that shows all the EXEs that
load from the registry at boot time. Between these two you can identify
most everything.

--
Thank you,

Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP

http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

"RKM" <RKM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CFB83D29-DDB9-49F2-B637-C3B791C36573@xxxxxxxxxxxxxxxx
> Reformatting this server is not an option at the moment, only as a last
> resort when everything else has been exhausted. I know there is something
> there. Like I said, I have the tools and such to clean it, I am just not ready
> yet. It has been isolated and no further harm can come of it; myself and IT
> security are working closely with this and we just want to dissect it to get
> a grasp on this.
>
> "Matt Gibson" wrote:
>
>> You don't clean rootkits.
>>
>> You format, and start from scratch.
>>
>> Matt Gibson - GSEC
>>
>> "RKM" <RKM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:87075C1E-4045-406F-AB68-76D608A76839@xxxxxxxxxxxxxxxx
>> > Hi,
>> > I am convinced my server has been compromised. After research I am certain
>> > it has. However, I am still a little unsure as to how and what is going on.
>> > It appears that a program called Hacker Defender has been installed, thus
>> > hiding its registry entries and files. I have found two registry entries and
>> > certain tools show that two exe files have been run; the kicker is those
>> > files are nowhere to be found, they just do not exist on the system. There
>> > were also log files that were deleted. And I found an odd reg entry with the
>> > name of Andreas Haak, with no subfolders for the key; I assume that the
>> > children have been hidden. It is apparent that the process used utilized
>> > something that MS has designed called Alternate Data Streams (ADS). I have
>> > the tools and instructions on how to remove this rootkit, but I need a
>> > little more insight on this before I clean it; I have isolated the server
>> > so it is useless to them at the moment. One thing I have not been able to
>> > confirm is if w3k server supports the ADS structure. Does anyone have any
>> > sort of info on this? Thanks.
>>
>>
>>
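Added example, not from this thread or any of its posters: a PowerShell audit that walks an NTFS tree and reports alternate data streams outside a small allow-list, the kind of check the original poster's ADS question calls for. It assumes PowerShell 3.0 or later (Get-Item -Stream) and treats the path C:\inetpub as a placeholder to adjust.

```powershell
# Added example (not from the thread): list NTFS alternate data streams under
# a directory and report any stream that is not the default data stream or the
# common browser-added Zone.Identifier stream. Needs PowerShell 3.0+.
param(
    # Placeholder root; point it at the tree you want to audit.
    [string]$Root = 'C:\inetpub',
    # Streams most Windows systems create legitimately (constructed allow-list).
    [string[]]$Expected = @(':$DATA', 'Zone.Identifier')
)

$findings = @()
Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one object per stream on the file; the
        # unnamed main stream shows up as ':$DATA'.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $Expected -notcontains $_.Stream } |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }

if ($findings.Count -eq 0) {
    Write-Output "No unexpected alternate data streams found under $Root"
} else {
    # Each hit is a named stream on a file that should carry plain data;
    # compare the file against a known-good copy before deciding what it is.
    $findings | Sort-Object File | Format-Table -AutoSize
}
```

A listing taken from inside the running system can be blinded by a kernel-mode rootkit that hooks the file APIs, which is why the Sysinternals rootkit tool mentioned above compares the live view against the raw disk, and why scanning the disk from a clean boot is the stronger check.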