Solved

My Windows 2003 hacked

Posted on 2004-04-26
1,852 Views
Last Modified: 2011-09-20
I have a Windows 2003 Standard Server, but I have a problem: when I leave the PC on and return to it, it seems to have been hacked. When I type netstat -n in a command prompt I see this:
             my pc                            foreign ips
 TCP    217.21.8.173:4862      217.21.8.131:139       ESTABLISHED
 TCP    217.21.8.173:4865      217.21.8.19:139        ESTABLISHED
 TCP    217.21.8.173:4866      217.21.8.48:135        ESTABLISHED
 TCP    217.21.8.173:4867      217.21.8.7:139         ESTABLISHED
 TCP    217.21.8.173:4869      217.21.8.133:135       ESTABLISHED
 TCP    217.21.8.173:4871      217.21.8.48:139        ESTABLISHED
 TCP    217.21.8.173:4873      217.21.8.133:135       ESTABLISHED
 TCP    217.21.8.173:4875      217.21.8.162:139       ESTABLISHED
 TCP    217.21.8.173:4877      217.21.8.41:139        ESTABLISHED
 TCP    217.21.8.173:4878      217.21.8.38:139        ESTABLISHED
 TCP    217.21.8.173:4879      217.21.8.162:445       ESTABLISHED
 TCP    217.21.8.173:4880      217.21.8.71:139        ESTABLISHED
 TCP    217.21.8.173:4883      217.21.8.133:139       ESTABLISHED
 TCP    217.21.8.173:4887      217.21.8.48:135        ESTABLISHED
 TCP    217.21.8.173:4893      217.21.8.172:139       ESTABLISHED
 TCP    217.21.8.173:4894      217.21.8.48:139        ESTABLISHED
 TCP    217.21.8.173:4897      217.21.8.73:135        ESTABLISHED
 TCP    217.21.8.173:4898      217.21.8.45:139        ESTABLISHED
 TCP    217.21.8.173:4900      217.21.8.74:139        ESTABLISHED
 TCP    217.21.8.173:4901      217.21.8.45:139        ESTABLISHED
 TCP    217.21.8.173:4902      217.21.8.46:139        ESTABLISHED
 TCP    217.21.8.173:4904      217.21.8.68:139        ESTABLISHED
 TCP    217.21.8.173:4907      217.21.8.51:139        ESTABLISHED
 TCP    217.21.8.173:4912      217.21.8.169:139       ESTABLISHED
 TCP    217.21.8.173:4913      217.21.8.63:135        ESTABLISHED
 TCP    217.21.8.173:4914      217.65.222.222:2745    SYN_SENT
 TCP    217.21.8.173:4921      217.21.8.63:139        ESTABLISHED
 TCP    217.21.8.173:4922      217.21.8.24:139        ESTABLISHED

and many lines like this. I have Symantec Antivirus updated, but I don't know what the problem is. Please help me.
Question by:ahfaris
12 Comments
LVL 67

Expert Comment

by:sirbounty
ID: 10917598
What do you have for a firewall? If nothing, you should certainly consider either a hardware or software variety (like Zone Alarm from www.zonelabs.com).

These links check for spyware:
  Spybot-S&D -->    http://www.safer-networking.org/
  HijackThis -->    http://www.spychecker.com/program/hijackthis.html
  Ad-Aware -->      http://www.netsecurity.about.com/library/blfreespyware.htm
  Web Shredder -->  http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder
  Pest Patrol -->   http://www.pestpatrol.com/downloads/eval/download.asp
  PCHell removal -> http://www.pchell.com/support/spyware.shtml

  Make sure that after downloading these, you update them. It helps to try at least two of these.
  If all else fails, download HijackThis and post the log that is generated after running it on your system.
LVL 3

Expert Comment

by:MikProg
ID: 10917815
Your netstat log is a log of a running server with attached users (if you run the server attached to a network. If you run the server not attached to the net, I can't figure out a way to hack your server).
Expert Comment

by:pafeto
ID: 10918065
They are probably a log of active connections in your own network. Check the IPs and you will see that they correspond to computers in your own network. I do not think you should be worried about it.
LVL 5

Expert Comment

by:Luniz2k1
ID: 10918279
TCP ports 135/139/445 are all associated with file/printer sharing. If that PC has any drives or printers shared, or is connected to other PCs via file/printer shares, then you will see items like those in the netstat.
LVL 24

Expert Comment

by:SunBow
ID: 10918356
I think I agree that you are simply looking at your local LAN connections. Check out the following and try to become familiar with them:

inetnum:      217.21.8.0 - 217.21.8.255
netname:      HISNET
descr:        Alhoda Internet Services
descr:        PIS POP KhanYounis Area
country:      PS
admin-c:      AA700-RIPE
tech-c:       WK4085-RIPE
status:       ASSIGNED PA
notify:       walid@p-i-s.com
mnt-by:       PIS-MNTNER
changed:      walid@p-i-s.com 20020308
source:       RIPE

route:        217.21.0.0/20
descr:        PIS-NET
origin:       AS16029
mnt-by:       PIS-MNTNER
changed:      walid@p-i-s.com 20040311
source:       RIPE

person:       Ahmed Al-Agha
address:      Alhoda Internet Services
address:      Khan-Younis - Gaza
address:      Palestine
e-mail:       agha@p-i-s.com
phone:        +972 8 2053341
notify:       walid@p-i-s.com
mnt-by:       PIS-MNTNER
nic-hdl:      AA700-RIPE
changed:      walid@p-i-s.com 20020227
source:       RIPE

person:       Walid Kassab
address:      Palestinian Internet Services
address:      P. O. BOX 5111 Gaza City, Palestine
phone:        +972 8 284 3197
fax-no:       +972 8 284 3187
e-mail:       walid@p-i-s.com
nic-hdl:      WK4085-RIPE
mnt-by:       PIS-MNTNER
changed:      walid@p-i-s.com 20020227
source:       RIPE
LVL 7

Expert Comment

by:shahrial
ID: 10919999
Normal connections except for port 2745... could be the W32.Beagle.J@mm virus.
It may be compromised... see link for details.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html

Corrective Action:
1.) Download the programs below. After downloading them, update them. Try both.
- Spybot-Search & Destroy > http://www.safer-networking.org/
- Lavasoft Ad-Aware 6 > http://www.netsecurity.about.com/library/blfreespyware.htm
Note: This will remove the spyware...

2.) Download the removal tool and run it on your server.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html
Update your antivirus and run a full system scan (preferably with the network cable detached).

Hope it helps...
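The two points raised so far, that sessions to 135/139/445 on the local subnet are what file/printer sharing looks like while a SYN_SENT to port 2745 outside the subnet is the one line worth worrying about, can be turned into a small triage script. This is an added example, not code from the thread; the netstat lines are constructed in the shape of the question's output, and the local CIDR and the fan-out threshold (many distinct LAN neighbours contacted on the service ports from one host, which the later Agobot finding makes worth reviewing) are assumed tuning values.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the Windows "netstat -n" output in the question
SAMPLE = """\
 TCP    217.21.8.173:4862      217.21.8.131:139       ESTABLISHED
 TCP    217.21.8.173:4866      217.21.8.48:135        ESTABLISHED
 TCP    217.21.8.173:4879      217.21.8.162:445       ESTABLISHED
 TCP    217.21.8.173:4914      217.65.222.222:2745    SYN_SENT
"""

LAN_SERVICE_PORTS = {135, 139, 445}   # RPC and file/printer sharing, as Luniz2k1 notes
SUSPECT_PORTS = {2745: "port associated with W32.Beagle.J@mm in shahrial's comment"}
FANOUT_THRESHOLD = 3  # assumed tuning value: distinct LAN hosts on service ports per source

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Parse the TCP rows of 'netstat -n' into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"local": m.group(1), "lport": int(m.group(2)),
                         "remote": m.group(3), "rport": int(m.group(4)),
                         "state": m.group(5)})
    return rows

def classify(row, local_net):
    """Return a (verdict, reason) pair for one connection."""
    on_lan = ipaddress.ip_address(row["remote"]) in local_net
    if row["rport"] in SUSPECT_PORTS:
        return "suspicious", SUSPECT_PORTS[row["rport"]]
    if on_lan and row["rport"] in LAN_SERVICE_PORTS:
        return "expected", "RPC/SMB session with a host on the local network"
    if not on_lan:
        return "review", "connection to an address outside the local network"
    return "review", "unusual port on the local network"

def triage(text, local_cidr):
    """Classify every row, then add one fan-out finding per local host that talks
    to FANOUT_THRESHOLD or more distinct LAN neighbours on the service ports."""
    net = ipaddress.ip_network(local_cidr, strict=False)
    rows = parse_netstat(text)
    findings = [(r["remote"], r["rport"], r["state"], *classify(r, net)) for r in rows]
    peers = {}
    for r in rows:
        if r["rport"] in LAN_SERVICE_PORTS and ipaddress.ip_address(r["remote"]) in net:
            peers.setdefault(r["local"], set()).add(r["remote"])
    for host, seen in peers.items():
        if len(seen) >= FANOUT_THRESHOLD:
            findings.append((host, None, None, "review",
                             f"{len(seen)} distinct LAN hosts on service ports from one source"))
    return findings
```

Run it on the full output from the question with the server's own /24 as `local_cidr`; the single "suspicious" row and the fan-out count are the lines to take to the antivirus vendor's write-up.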

Author Comment

by:ahfaris
ID: 10921140
I found that there is a file running on my PC; its name is sysconf.exe. I think it is a strange file. After it, all connections to my PC stopped except those that connect to port 135 on my PC. I tried to install ZoneAlarm but it does not support Win2003. What can I do? I knew that it may be the Blaster worm, but I had installed the patch for this worm before. What can I do to stop this problem?
LVL 1

Accepted Solution

by:emisery (earned 500 total points)
ID: 10921771
The sysconf.exe is a program name associated with the Agobot worm and its variants. Check out this link: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.HW
There are some solutions in there, but primarily for 2000/XP. There are also links to Microsoft pages in there that describe the security exploits that the worm uses. Do you have your latest MS updates? Might want to check their site for suggestions specific to Win2003 in the event that the Trend Micro site doesn't help. Good luck!
Expert Comment

by:Hondy
ID: 10967092
You should really avoid posting your IP address, as you are advertising a big hole in your server (unless of course you disguised it ;) ). It may be fixed now, but in future you should do a "find and replace" in WordPad or something and replace it with XX's.

Author Comment

by:ahfaris
ID: 10967746
OK, thanks.
Expert Comment

by:jhsmith67
ID: 11060187
Another useful tool (besides a firewall...) is a program called Spybot at http://www.safer-networking.org. They have been under attack lately from hackers, so the website has been sporadic, but you know it must be good if hackers are trying to stop it!!!

Regards,
Jeff
Expert Comment

by:jrleds2003
ID: 11078604
That comment on not posting your full IP that has been compromised is just plain good sense. Be cautious, people! Most of us are here to help, but there are some people who are bored or just looking for easy targets. Post wisely.