Hello all, I have terrible problems on my webserver/mail server.
At least once a week all my accounts are deleted on the machine (except the Admin) and new strange names are added (most recently 'test' and 'xdrs'). Occasionally I notice strange new files on the machine and usually attempts are made to restrict my own access. For example I can currently remote into the machine but I can't seem to connect over my network to any shared folders on the server. Usually the firewall is taken down too. Another stange symptom is that the keyboard attached to my server seems to have been overidden somehow. I cannot type 'administrator' as strange letters appear on the screen. The keyboard is still english but the keys seem to have been remapped!
I have taken a number of precautions that don't seem to have helped
- changing the admin password
- configuring the windows firewall so that only certain programs an get through
I desperately need some advice about how to kick these people off my machine, specifically...
- How can I reconfigure my server via remote desktop so that I can connect via my LAN again?
- How can I ensure that they don't get back onto my machine?
- can I track them down (perhaps via IP address) - is there a log somewhere?
- How can I remap my keyboard so that I can use the keyboard attached to my server?
I don't know if it's relevent but I did notice that my 'pfirewall.log' file had been backed up by someone or something at about the same time the hack occured. There is another file in C:Windows called pfirewall.log.old
Also I note that Adaware has just found a 'parasite' called 'RAdmin.w'. I'm reluctant to delete it in case it removes the remote desktop connection that is currently my only way to communicate with my server.
Also, adaware shows no signs of any problems.
Please help me, this is very frustrating and impacting my business.
Thanks!
Start Free Trial
