Windows 2000 Server Hacked

We are running Win2K server.  Some body hacked into it and planted a file thats constantly scanning for random IP addresses.  I found out when our network got too slow.  By running network monitor it showed that all the requests are comming from the server and going to several hundered diffrerent IP address.  I have looked each and every service that is running under Taks manager but none of them is an illegal file. Can anyone tell me how to fnd that service or file thats is creating lots of traffic?  HELP!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lee W, MVPTechnology and Business Process AdvisorCommented:
I think you have a virus - scan your system with an up-to-date antivirus.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
you can go to and run their free scan tool to see if a virus, as leew stated, might be on the box. I think Norton has such a free scan tool also.
Lee W, MVPTechnology and Business Process AdvisorCommented:
McAfee has a free tool, Stinger - for "one time" use (ie - it doesn't stay resident and block potential viruses but it scans for them whenever you run it).
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

Lee W, MVPTechnology and Business Process AdvisorCommented:
Your described symptoms suggest Blaster, Welchia, or Nachi viruses - see
I would not try to track down the exact hacked file or whatever, unless you're doing it for forensic purposes related to your future criminal complaint. They don't call Windoze "DLL Hell" for nothing. You're never going to be sure that you found all compromised files.

I would detach the computer from your network (for all you know, it could be used to compromise other Windoze boxes on your network using the same hole that allowed this one to be compromised), back up any user data, and wipe it completely. Then reload the OS from scratch, and lock it down (as much as you can lock down a piece of swiss cheese link Windoze) and apply all the latest patches (the ones that don't break anything else or anything that you need to run, anyway) before you put it back on your network.

You also need to closely monitor the rest of the Windoze boxes on your network - if the compromised box is a typical box on your network, chances are it was not the only one compromised.

ctrl-alt-del and look in processes for anything funny... if nothing there check to see if theres a odd service installed
otherwise check in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

if its not found in any of those i would consider reinstalling the server
Security 101: Remove a compromised computer from the network and reload it from scratch. Its the only way to be sure. Anything short of that is the same sort of Mickey-Mouse half-arsed Redmond-thinking that got the computer compromised to begin with.
I would recommend running MSCONFIG, if it exists on Windows 2000 -- think it's an XP program -- and looking for any suspicious startup items.  If you don't have MSCONFIG, the next best bet would be HijackThis, which is a tiny little program you can use to check your Windows computers for suspicious things.  It provides a way of generating a list of ALL the auto-startup items that are loaded whenever you boot-up the computer.  This includes system services and hidden, not-too-common startup locations.

There is no reason to completely wipe out and re-install the system on the infected computer(s), unless you cannot find the problem using these resources I've provided!  Wipe and re-install should always be left as a last resort, if all else fails.

HijackThis can be found here:

What you're experiencing is very similar to another solution which I provided help on regarding checking the startup list.  The solution can be found here:

Below is a copy'n'paste of my answer in that solution, which includes a link to the best list of known legitimate programs and spyware that I have been given for my Technical Support job.  I highly recommend comparing the startup items from HijackThis to the list to help you find what's causing the excessive network usage.
Best place to look for information regarding possible Spyware infection is running MSCONFIG (click Start, choose Run and type MSCONFIG into the text box, then click OK), choosing the Startup tab and going through the list, comparing it to on-line lists of known legitimate software and spyware.

One such list, which is the best one I have been given, is
That's the intro/welcome/about page.  The actual list is

Once you've cleaned the systems, I highly recommend setting up a firewall for your network, either a standalone firewall to protect the entire network, or installing individual software firewalls onto each computer.  A properly configured firewall is the best first line of defence against spyware and remote take-over of your computers.  I have kept my own server system safe while online using only a software firewall for weeks before I finally installed a virus scanner to make sure the system was still clean, which it was.

Best of luck. :-)
zeeshan_aAuthor Commented:
OK..I found the problem.  I did a virus scan and it found one and deleted it succesfully.  But then I also found out that there is this file System.exe which was the source of the IP address scanning under C:\Program File\Common Files\System\Ole DB\Resources...there was a folder named 1274 created and contained four files: System.exe, Kill.exe, Hidden.exe, and Scan.txt.  I killed the system.exe process and deleted the whole 1274 folder.  And the whole network was calmed down.  But in about an hour again I felt the network was slow and looked at the same folder location and the damn folder was there again.  I killed the process again..but dont know if its gonna come back again or not...probably yes.  Dont know what to do at this point.. any suggestions!
Lee W, MVPTechnology and Business Process AdvisorCommented:
Scan all your systems.  If it's a virus, it replicates.  And use an up-to-date virus scanner and "shield" type program - this way any attempted reinfections will be blocked.  Each of the viruses I pointed out replicate by pinging the hell out of everything and when a response comes, it copies itself using known vulnerabilities to that system.  Thus you probably have several other systems with issues.  And of course, PATCH your system.
My recommendation would be to download and run HijackThis to look for Browser Hijacking, as well as generating a startup list with HijackThis that you can compare to the startup list I provided above ( site).  Likely you are deleting the offending program but still leaving some startup entry that recreates it.  Or, you have an unprotected network that has no firewall blocking the huge security holes Microsoft decided to leave open in Windows.  Windows XP Service Pack 2 enabled the Windows Firewall by default, finally providing some protection to Windows users.  Windows XP Service Pack 1 provides the Internet Connection Firewall, but users must go into their network connection properties and enable this themselves.  Windows 2000, however, has no included firewall of any type.  In this case, you would have to download and install a third-party software firewall, or setup a standalone system as a firewall (this could also be a network router with built-in firewall ability) to protect every computer on the network.  Open ports in Windows can be exploited!  By leaving them open, you're leaving your system and network open to repeated re-infection, time and time again.

Take my advice and you will have a happy network with protected network computers.
Shane Russell2nd Line Desktop SupportCommented:
Just search for a utility called "startup control panel" that way it saves you looking in to the msconfig, registry or any of that as it will show anything related to starting up with the computer.
dont forget to run windows  update, you need the latest patches or you can be infected again even after removing the virii
hi ,

The folder 1247 is a virus folder.U get this if any one try to see porn sites..............
Any have u can delete this folder permanently by doing this:

Go to safemode --> start --> run --> regedit--> This take u to the registry.

Out here press ctrl + F

give the foldername 1247 and search in the registry.

fress F3 for repeat search.

Delete all the entries in the registry along with the folder u saw earlier...........
While deleting the registr entries take care of the things............

press F5 to represh registry

One more IMP thing is that there might be some .EXE file in the windows folder or c:/windows/system32 folder which creats the 1247 directory............Pls find it

If any process like ADTD.exe is running then delete the process and the file too...................

Hope this info will help u....................

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems

From novice to tech pro — start learning today.