Re: possible hacking on my network
- From: "Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx>
- Date: Tue, 8 Jan 2008 11:58:30 -0600
Thanks!
"Henrik" <hear01@xxxxxxxxxxx> wrote in message
news:uJNRAWgUIHA.2000@xxxxxxxxxxxxxxxxxxxxxxx
First thing you can do is to check in Add/Remove Programs to see if you can
uninstall the app from there.
Second, to disable any third-party autorun services/apps, click Start/Run,
type msconfig and press Enter.
In the window that appears, click the Services tab and check the button in the
lower part of the window, "Hide all MS Services".
Then check the leftover services in the window for non-essential services
to disable. Be careful though not to uncheck needed services. You can
google them one at a time to see what they are before deciding.
Then go to the Startup tab to see the autostarted apps that have autorun
configured in the registry.
The same goes here: uncheck the services/apps that are not needed or shouldn't be
there.
A tool that's provided by MS is Autoruns:
http://technet.microsoft.com/sv-se/sysinternals/bb963902(en-us).aspx
This tool gives you an overview of settings and apps that run on your
server.
Not to forget!!
Check your server for viruses with a good anti-virus software and make sure
you have a successful (more than one) backup made before taking any
measures.
Most of the professionals here with titles such as MVP often recommend
Trend Micro Anti Virus products (SCM, I think).
:-)
If this is still too much for you to handle, one of the guys here can give
you a pointer to a recommended SBS consultant.
Good luck
--
Henrik Arenblad, MCP SBS,
http://support.microsoft.com/kb/q555375 http://www.google.com/
Windows Small Business Server 2003 Technical Library
http://technet2.microsoft.com/WindowsServerSolutions/SBS/en/library/07fe109b-1421-4052-acc2-d2898afc0d951033.mspx?mfr=true
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:eAsJhHgUIHA.4280@xxxxxxxxxxxxxxxxxxxxxxx
I need help with these; is this the appropriate newsgroup, or should I go
to a security-specific newsgroup?
"Henrik" <hear01@xxxxxxxxxxx> wrote in message
news:uX9qR%23fUIHA.3916@xxxxxxxxxxxxxxxxxxxxxxx
Then you really, really need to look into it: if you don't use it and don't
know how it got there (if you don't?), it shouldn't be there.
That goes for all third-party apps on the server; don't install things
that you don't need or don't know what they are.
--
Henrik Arenblad, MCP SBS,
http://support.microsoft.com/kb/q555375 http://www.google.com/
Windows Small Business Server 2003 Technical Library
http://technet2.microsoft.com/WindowsServerSolutions/SBS/en/library/07fe109b-1421-4052-acc2-d2898afc0d951033.mspx?mfr=true
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:uuJDW4fUIHA.5524@xxxxxxxxxxxxxxxxxxxxxxx
I'm not using BlackIce; don't really know what it is.
"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:OYPYldYUIHA.476@xxxxxxxxxxxxxxxxxxxxxxx
Why are you using Black Ice on your server?
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OleJz2XUIHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
Thanks!
"Henrik" <hear01@xxxxxxxxxxx> wrote in message
news:%23PXgEgXUIHA.2000@xxxxxxxxxxxxxxxxxxxxxxx
BlackIce IceCap is a firewall system made by www.iss.net. You
somehow have port 8081 open, and 8081 is used for IceCap remote
administration, I believe, so it probably "thinks" that it's
IceCap.
Do netstat and see what's using that port.
--
Henrik Arenblad, MCP SBS,
http://support.microsoft.com/kb/q555375 http://www.google.com/
Windows Small Business Server 2003 Technical Library
http://technet2.microsoft.com/WindowsServerSolutions/SBS/en/library/07fe109b-1421-4052-acc2-d2898afc0d951033.mspx?mfr=true
"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:O7QtFQXUIHA.2000@xxxxxxxxxxxxxxxxxxxxxxx
Mike Webb wrote:
Used a new tool just now to look at my server (Look@Lan), as our
internet access is very slow the last 2 hours. Here's what I got
on ports, services and service names:
    7  echo               -
    9  discard            sink null
   13  daytime            -
   17  qotd               Quote of the Day
   19  chargen            ttytst source Character Generator
   21  ftp                File Transfer [Control]
   25  smtp               Simple Mail Transfer
   42  nameserver         Host Name Server
   53  domain             Domain Name Server
   80  http               World Wide Web HTTP
   88  kerberos-sec       Kerberos (v5)
  135  loc-srv            NCS local location broker
  139  netbios-ssn        NETBIOS Session Service
  389  ldap               Lightweight Directory Access Protocol
  464  kpasswd5           Kerberos (v5)
  548  afpovertcp         AFP over TCP
  554  rtsp               Real Time Stream Control Protocol
  593  http-rpc-epmap     HTTP RPC Ep Map
  636  ldapssl            LDAP over SSL
  691  resvc              The Microsoft Exchange 2000 Server Routing Service
 1026  nterm              remote_login network_terminal
 1353  relief             Relief Consulting
 1433  ms-sql-s           Microsoft-SQL-Server
 1471  csdmbase           -
 3389  msrdp              Micro$oft Remote Display Protocol
 6001  X11:1              X Window server
 6002  X11:2              X Window server
 6004  X11:4              X Window server
 6106  isdninfo           i4lmond
 8080  http-proxy         Common HTTP proxy/second web server port
 8081  blackice-icecap    ICECap user console
10000  snet-sensor-mgmt   SecureNet Pro Sensor https management server
Some of these look BAD. Any comments/recommendations?
That's not hugely different from normal. A quick look with nmap at
an SBS Standard shows mostly the same ports, though I wouldn't
really expect to see those below 21 on a Windows machine. Possibly
someone asked for the additional TCP/IP services on installation. I
wouldn't run any of those, even on a *nix machine.
Note that the service names are those known to your scanner which
most commonly use those ports, and do not necessarily have anything
to do with what is actually using them. X11 is, for example, the
older *nix GUI server, which is unlikely to be found on a Windows
machine. Unless Bill is a little more Open Source friendly than he
has us believe...
Open a command prompt and enter netstat -ab, which will list the
executables using the ports. Clearly any malware will attempt to
disguise itself, but it can't use the same executable name as a
real Windows program, and a bit of Googling should identify any
unfamiliar names. You may find the list too long for your CLI box,
and it's easier to pipe it into a file for careful examination.
Also check the RAM usage. Contrary to opinions I have seen
expressed here, SBS is quite happy to thrash, using swap heavily
without any of the programs which have 'borrowed' lots of RAM for
disc caching being willing to return it. A few third-party programs
are alleged to have RAM leaks.
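Joe's advice above (run netstat, save the output to a file, and look up any unfamiliar executable behind an unexpected port) is easy to turn into a repeatable check. The following is an added example written for this page, not code from anyone in the thread: a small Python script that parses saved `netstat -ano` and `tasklist /fo csv /nh` output, joins listening sockets to their image names, and reports the ports that fall outside a baseline of what an SBS 2003 box is expected to expose. The netstat and tasklist samples are constructed to resemble the server in the thread (the PIDs and the image name `updsvc.exe` are made up, not identifiers from the page), and the baseline set is this example's own choice drawn from the port list Mike posted; adjust it to the roles your server actually runs.

```python
"""Triage saved `netstat -ano` output against an expected-port baseline.

Added example, not code from the newsgroup thread. The sample outputs
below are constructed; they are not real captures from anyone's server.
"""
import csv
import io
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid image")

# Constructed `netstat -ano` output in the Windows 2003 layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       2844
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:3389       192.168.1.50:1187      ESTABLISHED     1104
  UDP    0.0.0.0:53             *:*                                    1260
"""

# Constructed `tasklist /fo csv /nh` output; "updsvc.exe" is a made-up name.
SAMPLE_TASKLIST = """
"System","4","Console","0","236 K"
"svchost.exe","708","Console","0","5,120 K"
"svchost.exe","1104","Console","0","4,860 K"
"dns.exe","1260","Console","0","6,412 K"
"inetinfo.exe","1532","Console","0","20,300 K"
"updsvc.exe","2844","Console","0","3,004 K"
"""

# Baseline for this example: ports a domain controller running SBS 2003
# roles (mail, web, DNS, AD, RDP) would normally have open. Anything not
# listed is reported for a manual look-up, as the thread recommends.
EXPECTED_PORTS = {25, 53, 80, 88, 135, 139, 389, 445, 464, 636, 3389}

# proto, local addr, local port, foreign addr, optional state (UDP has none), PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    pids = {}
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0]
    return pids


def parse_netstat(text, pid_map):
    """Return the listening sockets in `netstat -ano` output, joined to image names."""
    listeners = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not listeners
        pid = int(pid)
        listeners.append(
            Listener(proto, addr, int(port), pid, pid_map.get(pid, "<unknown pid>"))
        )
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED_PORTS):
    """Listeners on ports outside the baseline, one entry per (proto, port)."""
    seen = set()
    out = []
    for lst in listeners:
        key = (lst.proto, lst.port)
        if lst.port in expected or key in seen:
            continue
        seen.add(key)
        out.append(lst)
    return out


def report(netstat_text, tasklist_text):
    """Human-readable lines for the unexpected listeners, ready to save to a file."""
    listeners = parse_netstat(netstat_text, parse_tasklist(tasklist_text))
    return [
        f"{l.proto} {l.addr}:{l.port} pid={l.pid} image={l.image}"
        for l in unexpected_listeners(listeners)
    ]


if __name__ == "__main__":
    # On a real box: netstat -ano > netstat.txt and tasklist /fo csv /nh > tasks.txt,
    # then read those files in place of the constructed samples.
    for line in report(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(line)
```

On the constructed input this reports only the TCP 8081 listener and the image name behind it, which is the same port the thread singled out; the image name is what you then look up, as Joe suggests, rather than trusting the scanner's guess at the service name. Joe's point that the scanner's labels (X11, ICEcap) say nothing about what is really bound to a port is exactly why the join to `tasklist` matters more than the port list itself.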