I have a Windows web 2003 server that serves up a few web sites at a co-lo facility. It is behind a simple NAT router. Several network services are now blocked from the local machine. Here is what I still can do:
1. Web sites on port 80 are still accessible from outside the firewall.
2. Web sites that use SQL Server 2005 as their database are okay.
3. I can ping anywhere - behind or outside firewall is fine.
Here is what all of a sudden I cannot do:
1. Any web site that is accessible externally (from net) just gives me "page cannot be displayed" when trying to access it from the server itself, i.e. http://127.0.0.1
2. Accessing MySQL administrator on localhost port 3306 no longer works.
3. Any web site that uses MySQL as its database does not work anymore.
4. I have OpenSSH server installed. That no longer works inside or outside the firewall.
Here is the evidence that may be revealing:
1. I do not run a DNS server on this box. However I have an event log entry that says "Dns service entered a running state." Then a few seconds later "Dns service terminated unexpectedly".
2. Microsoft's Root Kit Revealer shows two things that are a little suspect.
A. A Hidden from API entry at HKLM\SYSTEM\ControlSet001\Services\DnsSvr
B. A file located here which was just modified yesterday. I know I didn't touch this file:
c:\Program Files\Common Files\System\setup.msi
3. I typically do not have FTP service running. But I tried to start it and received "FTP service cannot start due to low storage space" (not exact wording). - I have 124GB left on the drive. Maybe I've been hacked and someone has put hidden files on here?
4. I have the Windows firewall turned off.
5. I don't think the firewall/router is the problem since even connecting to http://localhost doesn't work.
6. I have nothing like Norton Internet Security or Antivirus software loaded.
Any ideas? I want to be sure I've been hacked before formatting the HD. Can I somehow search for hidden files that the hacker may have put on the system?