zeeshan_a asked:
Windows 2000 Server Hacked

We are running a Win2K server.  Somebody hacked into it and planted a file that's constantly scanning for random IP addresses.  I found out when our network got too slow.  By running Network Monitor it showed that all the requests are coming from the server and going to several hundred different IP addresses.  I have looked at each and every service that is running under Task Manager but none of them is an illegal file. Can anyone tell me how to find that service or file that is creating lots of traffic?  HELP!
ASKER CERTIFIED SOLUTION
Lee W, MVP
This solution is only available to members.
TannerMan

you can go to www.antivirus.com and run their free scan tool to see if a virus, as leew stated, might be on the box. I think Norton has such a free scan tool also.
McAfee has a free tool, Stinger - for "one time" use (ie - it doesn't stay resident and block potential viruses but it scans for them whenever you run it).
Your described symptoms suggest Blaster, Welchia, or Nachi viruses - see http://www.cit.cornell.edu/computer/security/alerts/blaster.html
I would not try to track down the exact hacked file or whatever, unless you're doing it for forensic purposes related to your future criminal complaint. They don't call Windoze "DLL Hell" for nothing. You're never going to be sure that you found all compromised files.

I would detach the computer from your network (for all you know, it could be used to compromise other Windoze boxes on your network using the same hole that allowed this one to be compromised), back up any user data, and wipe it completely. Then reload the OS from scratch, and lock it down (as much as you can lock down a piece of swiss cheese like Windoze) and apply all the latest patches (the ones that don't break anything else or anything that you need to run, anyway) before you put it back on your network.

You also need to closely monitor the rest of the Windoze boxes on your network - if the compromised box is a typical box on your network, chances are it was not the only one compromised.

Ctrl-Alt-Del and look in Processes for anything funny... if nothing there, check to see if there's an odd service installed;
otherwise check in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If it's not found in any of those, I would consider reinstalling the server.
Security 101: Remove a compromised computer from the network and reload it from scratch. It's the only way to be sure. Anything short of that is the same sort of Mickey-Mouse half-arsed Redmond-thinking that got the computer compromised to begin with.
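The asker's original question was how to find the process behind the traffic. As an added example (not code from any poster on this thread), the script below ranks processes by how many distinct remote hosts they have half-open (SYN_SENT) connections to, which is the signature of a scanner. It assumes `netstat -ano`-style output; the `-o` PID column exists on Windows XP and later, not on Windows 2000, and the sample output is constructed.

```python
"""Find the process that is scanning: rank PIDs by distinct remote hosts."""
from collections import defaultdict
import re

# Constructed sample in the layout of `netstat -ano` (the PID column is
# an XP-and-later feature; on Windows 2000 netstat has no -o switch).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.20:1044         ESTABLISHED     812
  TCP    10.0.0.5:1088          192.0.2.17:445         SYN_SENT        1760
  TCP    10.0.0.5:1089          192.0.2.18:445         SYN_SENT        1760
  TCP    10.0.0.5:1090          198.51.100.3:445       SYN_SENT        1760
  TCP    10.0.0.5:1091          198.51.100.4:445       SYN_SENT        1760
  TCP    10.0.0.5:1092          203.0.113.9:445        SYN_SENT        1760
  TCP    10.0.0.5:1093          203.0.113.10:445       SYN_SENT        1760
  TCP    10.0.0.5:1100          10.0.0.1:80            ESTABLISHED     1412
  UDP    10.0.0.5:137           *:*                                    4
"""

# Only TCP rows carry a state; UDP rows and the header do not match.
LINE_RE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Yield (pid, remote_ip, remote_port, state) for every TCP row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, _, _, rip, rport, state, pid = m.groups()
            yield int(pid), rip, int(rport), state


def suspicious_pids(text, min_hosts=5, states=("SYN_SENT",)):
    """Return {pid: (distinct_hosts, [remote_ports])} for PIDs with
    connections in `states` to at least `min_hosts` different hosts.
    A worm probing random addresses piles up SYN_SENT entries to many
    hosts on one port; a normal server process never looks like that."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for pid, rip, rport, state in parse_netstat(text):
        if state in states:
            hosts[pid].add(rip)
            ports[pid].add(rport)
    return {pid: (len(h), sorted(ports[pid]))
            for pid, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for pid, (n, plist) in suspicious_pids(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: SYN_SENT to {n} distinct hosts on port(s) {plist}")
```

Map the flagged PID to its image with Task Manager (or `tasklist`), then look for that image in the services list and the Run key the posters mention.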
SOLUTION (members only)
zeeshan_a (ASKER)
OK..I found the problem.  I did a virus scan and it found one and deleted it successfully.  But then I also found out that there is this file System.exe which was the source of the IP address scanning under C:\Program File\Common Files\System\Ole DB\Resources...there was a folder named 1274 created and contained four files: System.exe, Kill.exe, Hidden.exe, and Scan.txt.  I killed the system.exe process and deleted the whole 1274 folder.  And the whole network calmed down.  But in about an hour again I felt the network was slow and looked at the same folder location and the damn folder was there again.  I killed the process again..but don't know if it's gonna come back again or not...probably yes.  Don't know what to do at this point.. any suggestions!
Scan all your systems.  If it's a virus, it replicates.  And use an up-to-date virus scanner and "shield" type program - this way any attempted reinfections will be blocked.  Each of the viruses I pointed out replicates by pinging the hell out of everything and, when a response comes, it copies itself to that system using known vulnerabilities.  Thus you probably have several other systems with issues.  And of course, PATCH your system.
SOLUTION (members only)
Just search for a utility called "Startup Control Panel"; that way it saves you looking into msconfig, the registry or any of that, as it will show anything related to starting up with the computer.
Don't forget to run Windows Update; you need the latest patches or you can be infected again even after removing the virii.
SOLUTION (members only)