Compromised Server? Anyone recognize the suspect Services?
- From: "John Kotuby" <JohnKotuby@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 10 Jan 2008 09:11:36 -0500
Hi all,
Note: this is cross-posted on the Server.Security group but there is little
action there.
We lease a non-managed Web Server running AV software but no IDS. It is
Windows 2003 STD which receives automatic nightly Windows Security patches
at 3AM.
When I logged into the RDP console on Monday I saw what looked like a
Password Cracking software running with the name at the top of the window
E-Security. It looks like it had gone through 69,914,496 permutations
already.
Apparently somebody hacked in through a nearly wide open front door, Remote
Desktop on a standard port. Also installed were 2 network packet sniffing
programs PacketX and WinPcap.
I went into Task Manager and killed a program I did not recognize
netman24.exe. I killed it and also saw about 12 instances of
CheckingThread.exe disappear.
I did not want to click the Close button in the program because who knows
what that might have done.
Looking in Services, right under Network Connections there were 3 other
similar services all claiming to be Microsoft.
Network Connections 24
Network Connections 32
Network Connections 64
Doing a search on Microsoft for netman24.exe brought up nothing.
Doing a similar search on Google brought up nothing.
Same for Symantec.
I changed the Startup Option on Network Connections 24 from Automatic to
Manual. I have not gotten rid of those services or programs yet in case they
are valid.
Maybe the connection between netman24.exe being killed and
CheckingThread.exe instances disappearing was coincidental but I don't think
so.
Anyone else seen anything like this or recognize these programs as valid? I
have not yet removed them from the server.
I have since made some changes to re-secure the server. I need to learn how
to quickly set up VPN access using only a remote connection...such that I
can configure it first and then still have access to the desktop after it
is activated, if that is possible. I don't need an article steeped in theory
and we are not talking active directory, just a standalone Win2003 STD
remote server. So I am looking for a setup that uses only 1 server for both
VPN and Remote Desktop Access. If someone can point me to such an article or
tutorial I will be grateful. I am a software developer under a very tight
schedule, not a trained server manager.
Thanks for any input...
--
"Building a better mouse trap doesn't necessarily make it better for the
mouse."
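The triage the poster did by hand (comparing the "Network Connections 24/32/64" entries against the real Network Connections service and wondering whether netman24.exe is legitimate) can be scripted. The block below is an added example, not part of the original post or any reply: it lists services whose display name merely resembles a known Microsoft one, flags those whose service name or host binary differ from the expected values, and checks the Authenticode signature of the binary. The allowlist (the real Network Connections service is named Netman and runs inside svchost.exe) is a hand-built table; the sample service objects, including the guessed name and path for the rogue entry, are constructed data so the logic can be run without touching a live machine.

```powershell
# Added example (not from the original post): find services masquerading as
# a known Microsoft service. Requires Windows PowerShell with WMI access.

# Known-good allowlist: display name -> expected service name and host binary.
# (Assumption/hand-built; extend with other services you care about.)
$Expected = @{
    'Network Connections' = @{ Name = 'Netman'; Path = 'svchost.exe' }
}

function Get-SuspectServices {
    # Defaults to the live service list; pass -Services to analyse captured data.
    param([object[]]$Services = (Get-WmiObject -Class Win32_Service))
    foreach ($svc in $Services) {
        foreach ($known in $Expected.Keys) {
            # Match names that start with the legitimate display name, e.g. "Network Connections 24"
            if ($svc.DisplayName -like "$known*") {
                $exp     = $Expected[$known]
                $reasons = @()
                if ($svc.DisplayName -ne $known) {
                    $reasons += "display name '$($svc.DisplayName)' is a variant of '$known'"
                }
                if ($svc.Name -ne $exp.Name) {
                    $reasons += "service name '$($svc.Name)' is not '$($exp.Name)'"
                }
                if ($svc.PathName -notmatch [regex]::Escape($exp.Path)) {
                    $reasons += "binary '$($svc.PathName)' is not hosted by $($exp.Path)"
                }
                if ($reasons.Count -gt 0) {
                    New-Object PSObject -Property @{
                        DisplayName = $svc.DisplayName
                        Name        = $svc.Name
                        PathName    = $svc.PathName
                        StartMode   = $svc.StartMode
                        State       = $svc.State
                        Reasons     = ($reasons -join '; ')
                    }
                }
            }
        }
    }
}

function Get-ServiceBinarySignature {
    # Strip quotes and arguments from a service PathName, then check its signature.
    param([string]$PathName)
    $exe = if ($PathName -match '^"([^"]+)"') { $Matches[1] } else { ($PathName -split '\s+')[0] }
    if (Test-Path $exe) {
        Get-AuthenticodeSignature -FilePath $exe |
            Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    } else {
        "missing on disk: $exe"
    }
}

# Constructed sample (not real data) mirroring what the post describes; the
# service name and path of the rogue entry are guesses for illustration only.
$Sample = @(
    (New-Object PSObject -Property @{ DisplayName = 'Network Connections';    Name = 'Netman'
                                      PathName = 'C:\WINDOWS\system32\svchost.exe -k netsvcs'
                                      StartMode = 'Manual'; State = 'Running' }),
    (New-Object PSObject -Property @{ DisplayName = 'Network Connections 24'; Name = 'NetworkConnections24'
                                      PathName = 'C:\WINDOWS\system32\netman24.exe'
                                      StartMode = 'Auto';   State = 'Running' })
)

# Offline run against the sample: only the "24" entry is reported, with three reasons.
Get-SuspectServices -Services $Sample | Format-List

# Live run on the server itself, including a signature check of each flagged binary.
Get-SuspectServices | ForEach-Object {
    $_ | Format-List
    Get-ServiceBinarySignature -PathName $_.PathName
}
```

Run the live part on the box in question before removing anything: a flagged service whose binary is unsigned, or is signed by someone other than Microsoft, is not a Microsoft service however the display name reads. Note the checks are only as good as the allowlist, so a service that copies the real name, service name and svchost host exactly would need a DLL-level check (the ServiceDll value under its registry Parameters key) that this example does not perform.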