Re: Please Help! Hijacked Network!
From: Dave Podschweit (davep_at_tbc.net)
Date: 03/31/04
- In reply to: PLD: "Please Help! Hijacked Network!"
Date: 31 Mar 2004 12:07:32 -0800
One thing that I have seen occur very recently is that there are some
"service hijackers", for lack of a better phrase, running around out
there. On 2 separate networks with 2 separate servers I have found
rogue services running that actually prevent the real services that
the network needs/uses from functioning correctly. I would recommend
going through the service list on the "infected?" machine and setting
unknown services to disabled and making sure that all of the normal
ones are running and in a startup state that is "normal". You may want
to build up a test box to see what services are set to by default so
that you have a list to look at while you are doing this. There may
also be a complete list of default services and their startup type
listed on Microsoft's site somewhere. I have never personally looked.
I do agree that this is a result of poor lock down, or user related,
but I do not know how these things got on the machines I found them
on. I am a consultant so I have the "advantage" of seeing Real World
problems in many different types of Real World environments.
I hope this helps you to fix your problem without having to
format/reinstall, but if it comes down to it that may be your only
option.
Above posts about Ad Aware/Spybot/etc. will track down many problems
but not this one.
Dave Podschweit
TBC Net, Inc.
"PLD" <anonymous@discussions.microsoft.com> wrote in message news:<1640e01c41733$41658640$a301280a@phx.gbl>...
> Thanks for everyone's feedback and insights! The SBS box
> and the network itself is locked down - only select ports
> are open for services like IIS, SMTP, POP3, etc. I've
> never encountered this problem on NT or 2000 networks in
> the past. This problem started shortly after installing
> ISA 2000 (in an effort to reduce spam). No file sharing or
> extraneous software runs on this box. I think my mistake
> was to allow Exchange to save stripped "unsafe"
> attachments in a folder on the HD rather than deleting
> them altogether. My guess is that one of these files self-
> executed and proliferated on the box (probably disabled
> NAV too to prevent detection).
>
> I appreciate everyone's input - especially the tools for
> detecting spyware/malware and examining running programs.
> Looks like the current configuration is set to allow
> unauthenticated users within the network to relay (my
> thanks to Tony Su). I can fix this part and clean up the
> Exchange queues. The hard part remains identifying the
> hidden executable responsible for generating these
> messages.
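
The service review suggested in the reply above (compare the suspect machine's service list against one taken from a clean test box) can be scripted. The following is an added example, not part of the original posts; the function name `Compare-ServiceBaseline`, the sample inventories and the service `ExampleRogueSvc` are constructed for illustration.

```powershell
# Added example: flag services on a suspect machine that differ from a clean baseline.
# Real inventories would come from each machine via:
#   Get-CimInstance Win32_Service | Select-Object Name, StartMode, State, PathName
function Compare-ServiceBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,   # inventory from the clean test box
        [Parameter(Mandatory)] [object[]] $Current     # inventory from the suspect machine
    )
    $known = @{}                                       # hashtable keys are case-insensitive
    foreach ($svc in $Baseline) { $known[$svc.Name] = $svc }
    $seen = @{}
    foreach ($svc in $Current) {
        $seen[$svc.Name] = $true
        $ref = $known[$svc.Name]
        $finding = if (-not $ref) {
            'Unknown service, not in baseline'
        } elseif ($svc.PathName -ne $ref.PathName) {
            "Binary path differs, baseline: $($ref.PathName)"
        } elseif ($svc.StartMode -ne $ref.StartMode) {
            "Startup type changed, baseline: $($ref.StartMode)"
        } elseif ($ref.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            'Automatic service is not running'
        }
        if ($finding) {
            [pscustomobject]@{ Name = $svc.Name; StartMode = $svc.StartMode
                               State = $svc.State; Finding = $finding }
        }
    }
    foreach ($svc in $Baseline) {                      # expected services that have vanished
        if (-not $seen.ContainsKey($svc.Name)) {
            [pscustomobject]@{ Name = $svc.Name; StartMode = $null
                               State = 'Missing'; Finding = 'Baseline service is absent' }
        }
    }
}
# Constructed sample inventories (illustrative, not taken from the thread)
$baseline = @'
Name,StartMode,State,PathName
Spooler,Auto,Running,C:\WINDOWS\system32\spoolsv.exe
SMTPSVC,Auto,Running,C:\WINDOWS\system32\inetsrv\inetinfo.exe
'@ | ConvertFrom-Csv
$current = @'
Name,StartMode,State,PathName
Spooler,Auto,Running,C:\WINDOWS\system32\spoolsv.exe
SMTPSVC,Disabled,Stopped,C:\WINDOWS\system32\inetsrv\inetinfo.exe
ExampleRogueSvc,Auto,Running,C:\WINDOWS\Temp\example.exe
'@ | ConvertFrom-Csv
Compare-ServiceBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize
```

The baseline must come from a machine with the same OS version and installed roles, otherwise legitimate services show up as unknown.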