Win 2k server hacked?

Posted on 2003-02-18
Medium Priority
Last Modified: 2013-12-04
Hello all,
In the past 2 weeks I have had 3 different customers call me with "server problems". All were running Win 2k server and all had very little security in place (security as in firewall, a/v software). On all 3 occasions the admin account password was no longer valid and on all 3 occasions when I arrived on the scene I saw a mIRC program running... it appeared to be a chatroom but I didn't see anyone typing.

I have searched around for possible viruses or trojans but I haven't seen anything that sounds like these problems.

Any help would be greatly appreciated.

Question by:Juice192

Accepted Solution

venyon earned 300 total points
ID: 7979687
mIRC on servers? That sounds a little fishy. My guess would be that those systems have been infected with mIRC worms or trojans.

An immediate suspect would be the ocxdll.exe ( see http://www.astalavista.com/trojans/library/trojans/analysis/mirc_trojan_analysis.shtml ), but it could be one of the many others. If it is a trojan, then it's very possible that the intruder has already hacked/modified the account passwords.


Expert Comment

ID: 7979835
You should remove the mIRC from the server and change all the admin passwords to new passwords if you can. Btw, you did say that the admin password is no longer valid, so you must be accessing the server using another account, so you need to find a way to change the admin password.

Expert Comment

ID: 7981455
To avoid keyloggers you may want to reset the admin with a boot floppy, extra paranoia at work :) This util is good, but use at your own risk: http://home.eunet.no/~pnordahl/ntpasswd/

I would also try to get the trial version of TDS if I were you: http://www.diamondcs.com.au/?hop=tamesnet.diamondcs
What version of mIRC was it? 5.91 or earlier? How did mIRC get there? Is that something you folks have, or people there use? If not, then you need to find out how it got there. Virus scanners have an "Excluded" file and folder list that you can add to and subtract from; the recycle bin is normally a good place to hide a trojan, since most virus scanners don't scan that by default. TDS will tell you if you have something, it's very good, and a virus scanner properly configured and updated can tell you too.

Expert Comment

ID: 7981860
Some other tools you might want to use to dig deeper are Netstat, Fport and Pslist.

Netstat comes with your OS, but Fport and Pslist are freeware programs that you can get from sysinternals (A Google search will lead you to 'em).

Netstat will show you the ports opened on your system. Fport will map those ports back to the programs that opened them. Pslist will list all the running processes on the system.  

The best time to use these programs is before you turn off the computer or any of the "trojans" (they need to be running in order to track 'em). You should pipe the output from those tools to a floppy for later viewing and then shutdown the system.

Good Luck :-)
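The comment above describes the triage workflow (netstat for open ports, Fport to map them to programs, Pslist for processes, all captured before shutdown). Below is an added example, not code from this thread or from Sysinternals, that does the "later viewing" step offline: it parses `netstat -an` output and an Fport-style port-to-process table and flags connections to IRC ports, listeners outside an expected set, and binaries running out of a recycle-bin folder (the hiding place mentioned earlier in the thread). Assumptions: the Fport table layout is approximated from memory, the IRC port list (6660-6669, 7000) and the expected-listener set are my own choices, and both sample outputs are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges).

```python
import re
import sys
from collections import namedtuple

# IRC servers conventionally listen on 6660-6669 and 7000 (assumption: a bot
# can use any port, so a hit here is a hint to investigate, not proof).
IRC_PORTS = frozenset(range(6660, 6670)) | {7000}

# Ports a plain Windows 2000 file server is expected to listen on (assumption;
# adjust to the server's documented role).
EXPECTED_LISTENERS = frozenset({135, 139, 445})

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state")
Owner = namedtuple("Owner", "pid process path")

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")
# Fport's table is approximated here as "Pid Process -> Port Proto Path".
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Constructed sample captures (not from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1045           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1046        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:139         192.0.2.25:1133        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
380   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  445   TCP
1224  mirc           ->  1045  TCP   C:\RECYCLER\S-1-5-21\mirc.exe
1224  mirc           ->  1046  TCP   C:\RECYCLER\S-1-5-21\mirc.exe
"""


def parse_netstat(text):
    """Parse 'netstat -an' output into Conn records; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append(Conn(proto, laddr, int(lport), raddr,
                          int(rport) if rport.isdigit() else None, state))
    return conns


def parse_fport(text):
    """Map (proto, local port) -> Owner from Fport-style output."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        owners[(proto, int(port))] = Owner(int(pid), proc, path)
    return owners


def triage(conns, owners, expected=EXPECTED_LISTENERS):
    """Return (kind, local_port, owner, detail) tuples that deserve a closer look."""
    findings = []
    for c in conns:
        o = owners.get((c.proto, c.local_port))
        who = f"{o.process} (pid {o.pid})" if o else "unknown process"
        if c.remote_port in IRC_PORTS:
            findings.append(("irc_connection", c.local_port, who,
                             f"{c.remote_addr}:{c.remote_port}"))
        if c.state == "LISTENING" and c.local_port not in expected:
            findings.append(("unexpected_listener", c.local_port, who, ""))
    # A binary living under the recycle bin folder (RECYCLER on NTFS, RECYCLED
    # on FAT) is a classic hiding place; report each such process once.
    seen = set()
    for (proto, port), o in owners.items():
        if "RECYCLE" in o.path.upper() and o.pid not in seen:
            seen.add(o.pid)
            findings.append(("hidden_path", port, f"{o.process} (pid {o.pid})", o.path))
    return findings


def main(argv):
    # Usage: triage.py netstat.txt fport.txt  (files saved from the floppy);
    # with no arguments the constructed samples are used.
    if len(argv) == 3:
        with open(argv[1]) as f:
            net = f.read()
        with open(argv[2]) as f:
            fp = f.read()
    else:
        net, fp = NETSTAT_SAMPLE, FPORT_SAMPLE
    for kind, port, who, detail in triage(parse_netstat(net), parse_fport(fp)):
        print(f"{kind:20} local port {port:<5} {who:22} {detail}")


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample it reports the listener on 1045, the outbound session to 198.51.100.7:6667, and the mirc binary under RECYCLER, each tied back to pid 1224, which is the kind of cross-reference the three tools give you when their output is saved together before the box is powered off.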

Author Comment

ID: 7984450
Thanks for that link (very informative), it sounds pretty identical to what I have been running into (kinda odd that I had 3 in such a short period of time).
I cannot 100% verify that this was indeed the problem I was seeing (servers were all wiped) but that link sure looked very similar to what was going on.

Thanks to all that posted,
