Re: Compromised Server? Anyone recognize the suspect Services?



Apparently somebody hacked in through a nearly wide open front door, Remote
Desktop on a standard port. Also installed were 2 network packet sniffing
programs, PacketX and WinPcap.
I went into Task Manager and killed a program I did not recognize,
netman24.exe. I killed it and also saw about 12 instances of
CheckingThread.exe disappear.

I did not want to click the Close button in the program because who knows
what that might have done.

<Snip>
Anyone else seen anything like this or recognize these programs as valid?
I have not yet removed them from the server.

I have since made some changes to re-secure the server.

You *think* you have re-secured the server. There is no way to really be
sure the hacker didn't put in a backdoor that he will have access to once
you "secure" the server again. There is no way to tell if he renamed one of
his files "notepad" and when you try to open it, his file also opens your
server up. You should *really* consider rebuilding this server and restoring
from backups before the breach. There is just no way to tell all he did and
clean up *everything*.

hth
DDS



"John Kotuby" <JohnKotuby@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ubXM7I5UIHA.5524@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,

Note: this is cross-posted on the Server.Security group but there is
little action there.

We lease a non-managed Web Server running AV software but no IDS. It is
Windows 2003 STD which receives automatic nightly Windows Security patches
at 3AM.

When I logged into the RDP console on Monday I saw what looked like a
Password Cracking software running with the name at the top of the window
E-Security. It looks like it had gone through 69,914,496 permutations
already.

Apparently somebody hacked in through a nearly wide open front door, Remote
Desktop on a standard port. Also installed were 2 network packet sniffing
programs, PacketX and WinPcap.
I went into Task Manager and killed a program I did not recognize,
netman24.exe. I killed it and also saw about 12 instances of
CheckingThread.exe disappear.

I did not want to click the Close button in the program because who knows
what that might have done.

Looking in Services, right under Network Connections there were 3 other
similar services all claiming to be Microsoft.
Network Connections 24
Network Connections 32
Network Connections 64

Doing a search on Microsoft for netman24.exe brought up nothing.
Doing a similar search on Google brought up nothing.
Same for Symantec.

I changed the Startup Option on Network Connections 24 from Automatic to
Manual. I have not gotten rid of those services or programs yet in case
they are valid.

Maybe the connection between netman24.exe being killed and
CheckingThread.exe instances disappearing was coincidental but I don't
think so.

Anyone else seen anything like this or recognize these programs as valid?
I have not yet removed them from the server.

I have since made some changes to re-secure the server. I need to learn
how to quickly set up VPN access using only a remote connection...such that
I can configure it first and then still have access to the desktop after
it is activated, if that is possible. I don't need an article steeped in
theory and we are not talking active directory, just a standalone Win2003
STD remote server. So I am looking for a setup that uses only 1 server for
both VPN and Remote Desktop Access. If someone can point me to such an
article or tutorial I will be grateful. I am a software developer under a
very tight schedule, not a trained server manager.



Thanks for any input...

--
"Building a better mouse trap doesn't necessarily make it better for the
mouse."
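The triage problem in the post above is a service whose display name mimics a built-in one ("Network Connections 24" beside the genuine "Network Connections"). The following is an added example, not code from either poster: a PowerShell audit that lists every service with a lookalike display name and reports why each one is or is not what it claims to be. It assumes PowerShell 3.0 or later run as an administrator on the host being examined; the function name Get-SuspiciousLookalikeServices and the variable $legitName are my own, and 'Netman' is the short name of the genuine Windows "Network Connections" service, which runs inside svchost.exe under %SystemRoot%.

```powershell
# Added example (not from the thread): flag services whose display name mimics
# "Network Connections" but whose short name, binary location or signature does
# not match the genuine service. Assumes PowerShell 3.0+ and an elevated session.

$SystemRoot = $env:SystemRoot
$legitName  = 'Netman'   # short name of the real "Network Connections" service

function Get-SuspiciousLookalikeServices {
    param([string]$DisplayNamePattern = 'Network Connections*')

    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        ForEach-Object {
            $svc = $_
            # PathName may be quoted and carry arguments (e.g. svchost.exe -k netsvcs);
            # pull out just the executable so it can be inspected on disk.
            $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
                   else { ($svc.PathName -split ' ')[0] }

            $sig = $null
            if ($exe -and (Test-Path $exe)) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
            }

            $reasons = @()
            if ($svc.Name -ne $legitName) { $reasons += "short name '$($svc.Name)' is not '$legitName'" }
            if (-not $exe -or -not (Test-Path $exe)) { $reasons += 'binary path missing or unresolvable' }
            elseif ($exe -notlike "$SystemRoot\*") { $reasons += 'binary outside %SystemRoot%' }
            # Caveat: OS binaries are catalog-signed; older PowerShell reports them as
            # NotSigned, so treat the signature result as a hint, not a verdict.
            if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
            elseif ($sig -and $sig.SignerCertificate.Subject -notmatch 'Microsoft') { $reasons += 'not signed by Microsoft' }

            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                Executable  = $exe
                StartMode   = $svc.StartMode
                State       = $svc.State
                Reasons     = ($reasons -join '; ')
            }
        }
}

Get-SuspiciousLookalikeServices | Format-Table -AutoSize
```

The genuine service shows up with an empty Reasons column (or only the catalog-signing hint), while an impostor such as the "Network Connections 24" entry from the post is listed with its short name, binary path and the checks it failed, which is the evidence to preserve before the server is rebuilt as the reply recommends.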




