ahfaris
asked on
my windows 2003 hacked
I have a Windows 2003 Standard Server, but I have a problem: when I leave the PC on and return to it, it seems to have been hacked. When I type netstat -n at the command prompt I see this:
my pc foreign ips
TCP 217.21.8.173:4862 217.21.8.131:139 ESTABLISHED
TCP 217.21.8.173:4865 217.21.8.19:139 ESTABLISHED
TCP 217.21.8.173:4866 217.21.8.48:135 ESTABLISHED
TCP 217.21.8.173:4867 217.21.8.7:139 ESTABLISHED
TCP 217.21.8.173:4869 217.21.8.133:135 ESTABLISHED
TCP 217.21.8.173:4871 217.21.8.48:139 ESTABLISHED
TCP 217.21.8.173:4873 217.21.8.133:135 ESTABLISHED
TCP 217.21.8.173:4875 217.21.8.162:139 ESTABLISHED
TCP 217.21.8.173:4877 217.21.8.41:139 ESTABLISHED
TCP 217.21.8.173:4878 217.21.8.38:139 ESTABLISHED
TCP 217.21.8.173:4879 217.21.8.162:445 ESTABLISHED
TCP 217.21.8.173:4880 217.21.8.71:139 ESTABLISHED
TCP 217.21.8.173:4883 217.21.8.133:139 ESTABLISHED
TCP 217.21.8.173:4887 217.21.8.48:135 ESTABLISHED
TCP 217.21.8.173:4893 217.21.8.172:139 ESTABLISHED
TCP 217.21.8.173:4894 217.21.8.48:139 ESTABLISHED
TCP 217.21.8.173:4897 217.21.8.73:135 ESTABLISHED
TCP 217.21.8.173:4898 217.21.8.45:139 ESTABLISHED
TCP 217.21.8.173:4900 217.21.8.74:139 ESTABLISHED
TCP 217.21.8.173:4901 217.21.8.45:139 ESTABLISHED
TCP 217.21.8.173:4902 217.21.8.46:139 ESTABLISHED
TCP 217.21.8.173:4904 217.21.8.68:139 ESTABLISHED
TCP 217.21.8.173:4907 217.21.8.51:139 ESTABLISHED
TCP 217.21.8.173:4912 217.21.8.169:139 ESTABLISHED
TCP 217.21.8.173:4913 217.21.8.63:135 ESTABLISHED
TCP 217.21.8.173:4914 217.65.222.222:2745 SYN_SENT
TCP 217.21.8.173:4921 217.21.8.63:139 ESTABLISHED
TCP 217.21.8.173:4922 217.21.8.24:139 ESTABLISHED
and many more lines like this. I have Symantec Antivirus, fully updated, but I don't know what the problem is. Please help me.
Your netstat output is the log of a running server with attached users (assuming you run the server attached to a network; if you run the server not attached to the net, I can't figure out a way to hack your server).
They are probably a log of active connections in your own network. Check the IPs and you will see that they correspond to computers in your own network. I do not think you should be worried about it.
TCP ports 135/139/445 are all associated with file/printer sharing. If that PC has any drives or printers shared, or is connected to other PCs via file/printer shares, then you will see items like those in the netstat output.
I think I agree that you are simply looking at your local LAN connections; check out the following and try to become familiar with them:
inetnum: 217.21.8.0 - 217.21.8.255
netname: HISNET
descr: Alhoda Internet Services
descr: PIS POP KhanYounis Area
country: PS
admin-c: AA700-RIPE
tech-c: WK4085-RIPE
status: ASSIGNED PA
notify: walid@p-i-s.com
mnt-by: PIS-MNTNER
changed: walid@p-i-s.com 20020308
source: RIPE
route: 217.21.0.0/20
descr: PIS-NET
origin: AS16029
mnt-by: PIS-MNTNER
changed: walid@p-i-s.com 20040311
source: RIPE
person: Ahmed Al-Agha
address: Alhoda Internet Services
address: Khan-Younis - Gaza
address: Palestine
e-mail: agha@p-i-s.com
phone: +972 8 2053341
notify: walid@p-i-s.com
mnt-by: PIS-MNTNER
nic-hdl: AA700-RIPE
changed: walid@p-i-s.com 20020227
source: RIPE
person: Walid Kassab
address: Palestinian Internet Services
address: P. O. BOX 5111 Gaza City, Palestine
phone: +972 8 284 3197
fax-no: +972 8 284 3187
e-mail: walid@p-i-s.com
nic-hdl: WK4085-RIPE
mnt-by: PIS-MNTNER
changed: walid@p-i-s.com 20020227
source: RIPE
Normal connections, except for port 2745... that could be the W32.Beagle.J@mm virus.
It may be compromised...see link for details.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html
Corrective Action:
1.) Download the programs below. After downloading them, update them. Try both.
- Spybot-Search & Destroy > http://www.safer-networking.org/
- Lavasoft Ad-Aware 6 > http://www.netsecurity.about.com/library/blfreespyware.htm
Note: these will remove spyware...
2.) Download the removal tool and run it on your server.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html
Update your antivirus and run a full system scan (preferably with the network cable detached).
Hope it helps...
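As an added example (not code from the original thread or from any of the people replying in it), the following Python script applies the checks the replies above describe to a netstat -n dump: whether each foreign address lies in the local range the whois shows (217.21.8.0 - 217.21.8.255), whether the port is one of the file/printer-sharing and RPC ports 135/139/445, and whether the remote port is the 2745 that the last reply ties to W32.Beagle.J@mm. It also records something the replies do not spell out but the output itself shows: in every posted line the local port is an ephemeral one (4862 and up) and the remote port is 135/139/445, so this server is the one opening connections to its neighbours, not the other way round, and the script counts how many distinct LAN peers it has contacted that way. The sample input is constructed here: four lines copied from the post plus one invented inbound line (local port 139) so the direction test has both cases to label; the watchlist entry for 2745 is taken only from the reply above, not from any other source.

```python
import ipaddress
from collections import Counter

# Constructed sample input: four lines copied from the netstat -n output in the
# post above, plus one constructed inbound line (local port 139) so that the
# direction test below has something to classify.
SAMPLE_NETSTAT = """\
  TCP    217.21.8.173:4862      217.21.8.131:139       ESTABLISHED
  TCP    217.21.8.173:4866      217.21.8.48:135        ESTABLISHED
  TCP    217.21.8.173:4879      217.21.8.162:445       ESTABLISHED
  TCP    217.21.8.173:4914      217.65.222.222:2745    SYN_SENT
  TCP    217.21.8.173:139       217.21.8.55:1034       ESTABLISHED
"""

# Ports the replies above tie to file/printer sharing and RPC.
SMB_RPC_PORTS = {135, 139, 445}
# Remote port the thread links to the W32.Beagle.J@mm backdoor; extend as needed.
WATCHLIST_PORTS = {2745: "matches the Beagle.J backdoor port named in the thread"}


def parse_netstat(text):
    """Parse `netstat -n` TCP rows into dicts; header lines and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue
        _, local, remote, state = parts
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        conns.append({
            "local_ip": lip, "local_port": int(lport),
            "remote_ip": rip, "remote_port": int(rport),
            "state": state,
        })
    return conns


def classify(conn, local_net):
    """Label one connection by direction and by whether the peer is on the LAN."""
    in_lan = ipaddress.ip_address(conn["remote_ip"]) in ipaddress.ip_network(local_net)
    if conn["remote_port"] in WATCHLIST_PORTS:
        return "watchlist"
    if conn["local_port"] in SMB_RPC_PORTS:
        # Our own 135/139/445 answered: a peer is using our shares / RPC endpoint.
        return "inbound-smb-lan" if in_lan else "inbound-smb-external"
    if conn["remote_port"] in SMB_RPC_PORTS:
        # Our ephemeral port opened the session: this host is the client.
        return "outbound-smb-lan" if in_lan else "outbound-smb-external"
    return "lan-other" if in_lan else "external-other"


def triage(text, local_net):
    """Return the parsed rows, one label per row, and the set of LAN peers this
    host connected *to* on SMB/RPC ports (the fan-out a worm scan produces)."""
    conns = parse_netstat(text)
    labels = [classify(c, local_net) for c in conns]
    outbound_peers = {c["remote_ip"] for c, lbl in zip(conns, labels)
                      if lbl == "outbound-smb-lan"}
    return conns, labels, outbound_peers


if __name__ == "__main__":
    conns, labels, peers = triage(SAMPLE_NETSTAT, "217.21.8.0/24")
    for c, lbl in zip(conns, labels):
        print(f"{c['local_ip']}:{c['local_port']:<5} -> "
              f"{c['remote_ip']}:{c['remote_port']:<5} {c['state']:<11} {lbl}")
        if lbl == "watchlist":
            print("     ", WATCHLIST_PORTS[c["remote_port"]])
    print(f"{len(peers)} LAN peers contacted on SMB/RPC ports: {sorted(peers)}")
    print(Counter(labels))
```

Run it against the full dump from the post (paste it into SAMPLE_NETSTAT or read it from a file) and the outbound peer count runs into the twenties, with the ephemeral ports increasing in step: that is what the replies' "normal LAN sharing" diagnosis should be weighed against, since a server that merely hosts shares shows up with its own 139/445 as the local port instead.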
ASKER
I found that there is a file running on my PC named sysconf.exe; I think it is a strange file. After that, all connections to my PC stopped except those that connect to port 135 on my PC. I tried to install ZoneAlarm, but it does not support Win2003. What can I do? I know it may be the Blaster worm, but I had installed the patch for this worm before. What can I do to stop this problem?
ASKER CERTIFIED SOLUTION
You should really avoid posting your IP address, as you are advertising a big hole in your server (unless of course you disguised it ;)). It may be fixed now, but in future you should do a "find and replace" in WordPad or something and replace it with XX's.
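The find-and-replace suggested above works, but replacing every address with the same XX's also destroys what made this dump readable: which lines are the same host, and which hosts sit in the same /24. As an added example (my own code, not from anyone in this thread), the redactor below replaces each IPv4 address with a stable placeholder, numbered in order of first appearance, and gives addresses that share their first three octets the same NET prefix, so a reader can still see that NET1-H1 talked to twenty NET1 neighbours on 139 and to one NET2 host on 2745 while learning nothing about the real addresses. Ports are kept on purpose, since the port numbers were the useful part of this thread. The sample rows are copied from the post.

```python
import re

# Constructed sample: three rows copied from the netstat -n output in the post.
SAMPLE = """\
TCP 217.21.8.173:4862 217.21.8.131:139 ESTABLISHED
TCP 217.21.8.173:4879 217.21.8.162:445 ESTABLISHED
TCP 217.21.8.173:4914 217.65.222.222:2745 SYN_SENT
"""

# IPv4 address with an optional ":port" suffix, as netstat -n prints it.
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def redact_netstat(text):
    """Return (redacted_text, mapping). Each distinct address becomes NETn-Hm,
    where n is assigned per first-three-octet prefix and m per host within it,
    both in order of first appearance. Ports are left untouched."""
    nets, hosts = {}, {}

    def placeholder(match):
        ip, port = match.group(1), match.group(2)
        prefix = ip.rsplit(".", 1)[0]
        net = nets.setdefault(prefix, f"NET{len(nets) + 1}")
        if ip not in hosts:
            # Count hosts already seen under this prefix to pick the next index.
            seen = sum(1 for h in hosts if h.startswith(prefix + "."))
            hosts[ip] = f"{net}-H{seen + 1}"
        return hosts[ip] if port is None else f"{hosts[ip]}:{port}"

    return IP_PORT_RE.sub(placeholder, text), hosts


if __name__ == "__main__":
    redacted, mapping = redact_netstat(SAMPLE)
    print(redacted)
    for ip, label in mapping.items():
        print(f"{label:<8} was {ip}")   # keep this part private; post only `redacted`
```

Paste the redacted text into the post and keep the printed mapping locally; if someone later asks "is the 2745 peer inside your LAN?", the NET1/NET2 prefixes already answer it without revealing the network.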
ASKER
ok thanks
Another useful tool (besides a firewall...) is a program called Spybot at http://www.safer-networking.org. They have been under attack lately from hackers, so the website has been sporadic, but you know it must be good if hackers are trying to stop it!!!
Regards,
Jeff
That comment on not posting the full IP of a host that has been compromised is just plain good sense. Be cautious, people! Most of us are here to help, but there are some people who are bored or just looking for easy targets. Post wisely.
These links check for spyware:
Spybot-S&D --> http://www.safer-networking.org/
HijackThis --> http://www.spychecker.com/program/hijackthis.html
Ad-Aware --> http://www.netsecurity.about.com/library/blfreespyware.htm
Web Shredder--> http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder
Pest Patrol --> http://www.pestpatrol.com/downloads/eval/download.asp
PCHell removal->http://www.pchell.com/support/spyware.shtml
Make sure that after downloading these you update them. It helps to try at least two of them.
If all else fails, download HijackThis and post the log that is generated after running it on your system.