

Win 2k server hacked?

Posted on 2003-02-18
Medium Priority
Last Modified: 2013-12-04
Hello all,
In the past 2 weeks I have had 3 different customers call me with "server problems". All were running Win 2k Server and all had very little security in place (security as in firewall, A/V software). On all 3 occasions the admin account password was no longer valid, and on all 3 occasions when I arrived on the scene I saw an mIRC program running... it appeared to be a chatroom but I didn't see anyone typing.

I have searched around for possible viruses or trojans but I haven't seen anything that sounds like these problems.

Any help would be greatly appreciated.

Question by: Juice192

Accepted Solution

venyon earned 300 total points
ID: 7979687
mIRC on servers? That sounds a little fishy. My guess would be that those systems have been infected with mIRC worms or trojans.

An immediate suspect would be the ocxdll.exe ( see http://www.astalavista.com/trojans/library/trojans/analysis/mirc_trojan_analysis.shtml ), but it could be one of the many others. If it is a trojan, then it's very possible that the intruder has already hacked/modified the account passwords.


Expert Comment

ID: 7979835
You should remove the mIRC from the server and change all the admin passwords to new passwords if you can. Btw, you did say that the admin password is no longer valid, so you must be accessing the server using another account, so you need to find a way to change the admin password.

Expert Comment

ID: 7981455
To avoid keyloggers you may want to reset the admin with a boot floppy, extra paranoia at work :) This util is good, but use at your own risk: http://home.eunet.no/~pnordahl/ntpasswd/

I would also try to get the trial version of TDS if I were you: http://www.diamondcs.com.au/?hop=tamesnet.diamondcs
What version of mIRC was it? 5.91 or earlier? How did mIRC get there? Is that something you folks have, or people there use? If not, then you need to find out how it got there. Virus scanners have an "Excluded" file and folder list that you can add to and subtract from; the recycle bin is normally a good place to hide a trojan, since most virus scanners don't scan that by default. TDS will tell you if you have something, it's very good, and a virus scanner properly configured and updated can tell you too.

Expert Comment

ID: 7981860
Some other tools you might want to use to dig deeper are Netstat, Fport and Pslist.

Netstat comes with your OS, but Fport and Pslist are freeware programs that you can get from sysinternals (A Google search will lead you to 'em).

Netstat will show you the ports opened on your system. Fport will map those ports back to the programs that opened them. Pslist will list all the running processes on the system.

The best time to use these programs is before you turn off the computer or any of the "trojans" (they need to be running in order to track 'em). You should pipe the output from those tools to a floppy for later viewing and then shut down the system.

Good Luck :-)

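An added example (not from any poster on this thread) of what the triage in the comment above looks like once the captured output is back on a workstation: it parses constructed samples of fport and netstat -an output, compares the listeners against an assumed baseline of what a bare Win2k server should expose, and flags established connections to ports in the conventional IRC range. The fport column layout, the baseline and every sample value are assumptions, not data from the original posters.

```python
import re

# Constructed sample of fport output (column layout assumed from Fport v2.0).
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1124  ocxdll         ->  6667  TCP   C:\\RECYCLER\\ocxdll.exe
"""
# Constructed sample of "netstat -an" output from the same host.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1030      ESTABLISHED
  TCP    192.168.1.10:1045      203.0.113.5:6667       ESTABLISHED
"""
# Assumed baseline: listeners expected on a bare Win2k server (RPC, NetBIOS, SMB).
BASELINE = {("svchost", 135), ("System", 139), ("System", 445)}
IRC_PORTS = set(range(6660, 6670))  # ports conventionally used by IRC servers
FPORT_LINE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(text):
    """Return (pid, process, port, proto, path) tuples from fport output."""
    rows = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path.strip()))
    return rows

def unexpected_listeners(rows, baseline=BASELINE):
    """Listening processes not in the baseline; each deserves a closer look."""
    return [r for r in rows if (r[1], r[2]) not in baseline]

def irc_connections(netstat_text, ports=IRC_PORTS):
    """ESTABLISHED TCP connections whose remote port is in the IRC range."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            remote_host, remote_port = parts[2].rsplit(":", 1)
            if int(remote_port) in ports:
                hits.append((parts[1], remote_host, int(remote_port)))
    return hits
```

Run against the real files copied off the floppy, an unexpected listener plus an established IRC-range connection from the same PID is the pairing that points straight at the process to pull for analysis.
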
Author Comment

ID: 7984450
Thanks for that link (very informative), it sounds pretty identical to what I have been running into (kinda odd that I had 3 in such a short period of time).
I cannot 100% verify that this was indeed the problem I was seeing (servers were all wiped) but that link sure looked very similar to what was going on.

Thanks to all that posted,
