Solved

Windows 2000 Server Hacked

Posted on 2004-11-04
14
Medium Priority
307 Views
Last Modified: 2009-07-29
We are running Win2K server.  Somebody hacked into it and planted a file that's constantly scanning for random IP addresses.  I found out when our network got too slow.  By running Network Monitor it showed that all the requests are coming from the server and going to several hundred different IP addresses.  I have looked at each and every service that is running under Task Manager but none of them is an illegal file. Can anyone tell me how to find that service or file that is creating lots of traffic?  HELP!
0
Comment
Question by:zeeshan_a
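The symptom described in the question, one process opening connections to hundreds of distinct remote addresses, can be picked out of socket-listing output mechanically. The script below is an added example for this thread, not code from any of the answers; it assumes netstat output that carries an owning-PID column (netstat -ano on Windows XP and later; Windows 2000's netstat has no -o switch, so there a socket-to-PID mapper such as fport or TCPView would have to supply that column), and the sample output is constructed.

```python
"""Flag processes whose sockets fan out to many distinct remote hosts.

Added example for this thread, not code from any of the answers. Assumes
netstat output with an owning-PID column (netstat -ano, XP and later);
on Windows 2000 another tool would have to supply the PID mapping.
"""
from collections import defaultdict

# Constructed sample: PID 1388 is opening connections to one new host after
# another on port 135, the pattern behind "several hundred different IPs".
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       424
  TCP    192.168.1.10:139       192.168.1.22:1042      ESTABLISHED     4
  TCP    192.168.1.10:139       192.168.1.22:1043      ESTABLISHED     4
  TCP    192.168.1.10:1045      10.7.3.9:135           SYN_SENT        1388
  TCP    192.168.1.10:1046      10.7.3.10:135          SYN_SENT        1388
  TCP    192.168.1.10:1047      10.7.3.11:135          SYN_SENT        1388
  TCP    192.168.1.10:1048      172.16.40.2:135        SYN_SENT        1388
  TCP    192.168.1.10:1049      172.16.40.3:135        SYN_SENT        1388
  TCP    192.168.1.10:1050      172.16.40.4:135        SYN_SENT        1388
  TCP    192.168.1.10:3389      192.168.1.5:1120       ESTABLISHED     812
  UDP    0.0.0.0:445            *:*                                    4
"""

NOT_A_PEER = {"0.0.0.0", "*"}  # wildcard/unbound foreign addresses


def remote_hosts_by_pid(netstat_text):
    """Map each PID to the set of distinct remote hosts it talks to."""
    hosts = defaultdict(set)
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        foreign, pid = parts[2], int(parts[-1])  # UDP rows have no State column
        host = foreign.rsplit(":", 1)[0]
        if host not in NOT_A_PEER:
            hosts[pid].add(host)
    return hosts


def find_scanners(netstat_text, min_hosts=50):
    """(pid, distinct_host_count) for PIDs fanning out widely, busiest first."""
    hosts = remote_hosts_by_pid(netstat_text)
    hits = [(pid, len(h)) for pid, h in hosts.items() if len(h) >= min_hosts]
    return sorted(hits, key=lambda t: (-t[1], t[0]))
```

Run it against a snapshot taken while the network is slow and repeat a minute later; a PID whose distinct-host count keeps climbing is the one to look up in Task Manager.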
14 Comments
 
LVL 97

Accepted Solution

by:
Lee W, MVP earned 1050 total points
ID: 12495869
I think you have a virus - scan your system with an up-to-date antivirus.
0
 
LVL 9

Expert Comment

by:TannerMan
ID: 12495892
you can go to www.antivirus.com and run their free scan tool to see if a virus, as leew stated, might be on the box. I think Norton has such a free scan tool also.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12495921
McAfee has a free tool, Stinger - for "one time" use (ie - it doesn't stay resident and block potential viruses but it scans for them whenever you run it).
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12495938
Your described symptoms suggest Blaster, Welchia, or Nachi viruses - see http://www.cit.cornell.edu/computer/security/alerts/blaster.html
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12496030
I would not try to track down the exact hacked file or whatever, unless you're doing it for forensic purposes related to your future criminal complaint. They don't call Windoze "DLL Hell" for nothing. You're never going to be sure that you found all compromised files.

I would detach the computer from your network (for all you know, it could be used to compromise other Windoze boxes on your network using the same hole that allowed this one to be compromised), back up any user data, and wipe it completely. Then reload the OS from scratch, and lock it down (as much as you can lock down a piece of swiss cheese like Windoze) and apply all the latest patches (the ones that don't break anything else or anything that you need to run, anyway) before you put it back on your network.

You also need to closely monitor the rest of the Windoze boxes on your network - if the compromised box is a typical box on your network, chances are it was not the only one compromised.
0
 
LVL 8

Expert Comment

by:ViRoy
ID: 12496626

Ctrl-Alt-Del and look in Processes for anything funny... if nothing there, check to see if there's an odd service installed;
otherwise check in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If it's not found in any of those I would consider reinstalling the server.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12496888
Security 101: Remove a compromised computer from the network and reload it from scratch. It's the only way to be sure. Anything short of that is the same sort of Mickey-Mouse half-arsed Redmond-thinking that got the computer compromised to begin with.
0
 
LVL 1

Assisted Solution

by:TheDefiant
TheDefiant earned 300 total points
ID: 12497037
I would recommend running MSCONFIG, if it exists on Windows 2000 -- think it's an XP program -- and looking for any suspicious startup items.  If you don't have MSCONFIG, the next best bet would be HijackThis, which is a tiny little program you can use to check your Windows computers for suspicious things.  It provides a way of generating a list of ALL the auto-startup items that are loaded whenever you boot-up the computer.  This includes system services and hidden, not-too-common startup locations.

There is no reason to completely wipe out and re-install the system on the infected computer(s), unless you cannot find the problem using these resources I've provided!  Wipe and re-install should always be left as a last resort, if all else fails.

HijackThis can be found here: http://www.spychecker.com/program/hijackthis.html

What you're experiencing is very similar to another solution which I provided help on regarding checking the startup list.  The solution can be found here: http://www.experts-exchange.com/Operating_Systems/Q_21193461.html

Below is a copy'n'paste of my answer in that solution, which includes a link to the best list of known legitimate programs and spyware that I have been given for my Technical Support job.  I highly recommend comparing the startup items from HijackThis to the list to help you find what's causing the excessive network usage.
------------------------
Best place to look for information regarding possible Spyware infection is running MSCONFIG (click Start, choose Run and type MSCONFIG into the text box, then click OK), choosing the Startup tab and going through the list, comparing it to on-line lists of known legitimate software and spyware.

One such list, which is the best one I have been given, is http://www.sysinfo.org/startupinfo.html
That's the intro/welcome/about page.  The actual list is http://www.sysinfo.org/startuplist.php
-------------------------

Once you've cleaned the systems, I highly recommend setting up a firewall for your network, either a standalone firewall to protect the entire network, or installing individual software firewalls onto each computer.  A properly configured firewall is the best first line of defence against spyware and remote take-over of your computers.  I have kept my own server system safe while online using only a software firewall for weeks before I finally installed a virus scanner to make sure the system was still clean, which it was.

Best of luck. :-)
0
 

Author Comment

by:zeeshan_a
ID: 12498573
OK..I found the problem.  I did a virus scan and it found one and deleted it successfully.  But then I also found out that there is this file System.exe which was the source of the IP address scanning under C:\Program File\Common Files\System\Ole DB\Resources...there was a folder named 1274 created and contained four files: System.exe, Kill.exe, Hidden.exe, and Scan.txt.  I killed the System.exe process and deleted the whole 1274 folder.  And the whole network calmed down.  But in about an hour again I felt the network was slow and looked at the same folder location and the damn folder was there again.  I killed the process again..but don't know if it's gonna come back again or not...probably yes.  Don't know what to do at this point.. any suggestions!
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12499162
Scan all your systems.  If it's a virus, it replicates.  And use an up-to-date virus scanner and "shield" type program - this way any attempted reinfections will be blocked.  Each of the viruses I pointed out replicate by pinging the hell out of everything and when a response comes, it copies itself using known vulnerabilities to that system.  Thus you probably have several other systems with issues.  And of course, PATCH your system.
0
 
LVL 1

Assisted Solution

by:TheDefiant
TheDefiant earned 300 total points
ID: 12499213
My recommendation would be to download and run HijackThis to look for Browser Hijacking, as well as generating a startup list with HijackThis that you can compare to the startup list I provided above (sysinfo.org site).  Likely you are deleting the offending program but still leaving some startup entry that recreates it.  Or, you have an unprotected network that has no firewall blocking the huge security holes Microsoft decided to leave open in Windows.  Windows XP Service Pack 2 enabled the Windows Firewall by default, finally providing some protection to Windows users.  Windows XP Service Pack 1 provides the Internet Connection Firewall, but users must go into their network connection properties and enable this themselves.  Windows 2000, however, has no included firewall of any type.  In this case, you would have to download and install a third-party software firewall, or set up a standalone system as a firewall (this could also be a network router with built-in firewall ability) to protect every computer on the network.  Open ports in Windows can be exploited!  By leaving them open, you're leaving your system and network open to repeated re-infection, time and time again.

Take my advice and you will have a happy network with protected network computers.
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 12500039
Just search for a utility called "Startup Control Panel"; that way it saves you looking into msconfig, the registry or any of that, as it will show anything related to starting up with the computer.
0
 
LVL 5

Expert Comment

by:jjk16
ID: 12502592
Don't forget to run Windows Update; you need the latest patches or you can be infected again even after removing the virii.
0
 
LVL 4

Assisted Solution

by:thribhu
thribhu earned 150 total points
ID: 12506616
Hi,

The folder 1247 is a virus folder. You get this if anyone tries to see porn sites...
Anyhow, you can delete this folder permanently by doing this:

Go to Safe Mode --> Start --> Run --> regedit --> This takes you to the registry.

Out here press Ctrl + F.

Give the folder name 1247 and search in the registry.

Press F3 to repeat the search.

Delete all the entries in the registry along with the folder you saw earlier...
While deleting the registry entries, take care of things...

Press F5 to refresh the registry.

One more important thing is that there might be some .EXE file in the Windows folder or c:/windows/system32 folder which creates the 1247 directory... Please find it.

If any process like ADTD.exe is running then kill the process and delete the file too...


Hope this info will help you...



0
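Both TheDefiant's point that a leftover startup entry is recreating the folder and the registry search in the post above can be made repeatable by auditing a regedit export instead of paging through Ctrl+F hits. The script below is an added example for this thread, not code from any of the answers; it reads a .reg text export (for instance HKLM\SOFTWARE\Microsoft\Windows exported from regedit), the sample export is constructed, and the folder name 1274 is taken from the author's comment.

```python
"""Audit autostart entries in a regedit export for a path that keeps coming back.

Added example for this thread, not code from any of the answers. The
sample .reg text is constructed; the watched folder name 1274 comes from
the author's comment in the thread.
"""
import re

# Value names under these keys are executed at boot or logon on Windows 2000.
AUTOSTART_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
WATCH_FRAGMENT = r"Ole DB\Resources\1274"  # folder the author saw reappear

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"System"="C:\\Program Files\\Common Files\\System\\Ole DB\\Resources\\1274\\System.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Hidden"="\"C:\\Program Files\\Common Files\\System\\Ole DB\\Resources\\1274\\Hidden.exe\" -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo 1.0"
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    # .reg string escaping: a doubled backslash is one backslash, \" is a quote
    return re.sub(r"\\(.)", r"\1", text)


def autostart_entries(reg_text):
    """(key, value_name, command) for every string value under an autostart key."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif current_key and current_key.rsplit("\\", 1)[-1].lower() in AUTOSTART_KEYS:
            if m := VALUE_RE.match(line):
                entries.append((current_key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def find_recreators(reg_text, fragment=WATCH_FRAGMENT):
    """Autostart entries whose command references the watched folder (case-insensitive)."""
    needle = fragment.lower()
    return [e for e in autostart_entries(reg_text) if needle in e[2].lower()]
```

Entries flagged by find_recreators are the ones to remove (and their targets to delete) before the folder is deleted again, otherwise the next boot or logon recreates it; the full autostart_entries list is also worth comparing against the sysinfo.org startup list linked above.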
