windows 2003 server hacked into... please assist


We have a dedicated server 2003 OS. Recently we found that there were tons of new folders which contained some hacked stuff. I dont know how they got to the folders in the first place. There are folders in the inetpub folders and outside it as well.

If we are a self managed server... do we need to do some settings to prevent such access to the hard disk over the net ?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

inetpub folder would suggest IIS is being used. The first thing to do is use the IIS Lockdown tool to stop everything you dont need in IIS.

The next would be to make sure that the server 03 has been patched with the latest updates available from

Do you have a firewall, make sure that all unessecary ports a blocked.

chops123Author Commented:
Dont have a firewall installed. Please suggest a good and cheap one if possible.
chops123Author Commented:
IIS lockdown isnt supported on IIS 6.0 on windows server 2003. .. doesnt work.
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

Yes, sorry, should have realised it was IIS 6,

I prefer to use Sygate

however most people would probably tell you to use Zone Alarm

Both are free for home use and and relativly cheap to buy for an organisation.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
I think First you should use ICF in windows 2003 if you don't like it use kerio it is free and you can manage it better than Zonealarm or sygate.
Chops123,  =)

I disagree with going with a software firewall only. I would suggest using a linksys hardware firewall or Dlink. This will help protect your network a lot better than a software firewall, cost you about 70 bucks. If you decided you really want a software firewall or just don't have the 70 bucks check out this free version of Sygate Personal, I don't recommend Zone Alarm or Kerio, here's a severe security flaw found in Kerio Personal Firewall:

Lets move on to see what damage has been done, so we can begin to patch and repair,

Detection / Prevention:

First, run a virus scan @
- Even if you already have virus protection. This will help identify any backdoors that might be in use to easily access your system. Most lilky they're just accessing through a specigic port via FTP, telnet and using your system to store illegal software.

Now, we want to see what ports you have open. So lets run some online port scans:
Sygate online port scan(s): I'd run the Quick Scan, Trojan Scan, TCP Scan(depending on results).

Now, I would go into IIS snapin and check the footer. See if anything there has been modified. There's a virus from a few months ago that took advantage of this to spread, as well as a new one released last week.

Please advise results of scan(s) & test(s) and advise for further instructions/suggestions.

Good Luck,

ok sounds like your server is pretty open and you need to re-evaluate your security. here is the basic guide from microsoft on what you can do. start off with the basics before you start to build an elaborate strategy. microsoft has a security baseline scanner that you can run on the machine to give you an idea of potential flaws. its not the greatest tool but its a start. iis 6 that comes with windows 2003 comes in a locked down state to iis lockdown and urlscan are not needed. some but some people still install urlscan as a way to prevent unauthorized url commands. i agree with others that a firewall is a must. you can use the windows firewall if you are strapped for cash but i would even just shell out for a simple linksys firewall you can configure to block all ports except 80/443. this will eliminate the potential avenues of hacking.

microsoft iss info:
sygate is free. Windows firewall will be bypassed with ease.
Jared LukerCommented:

I would recommend setting up a firewall with an old beater PC (an old pentium would do nicely), and IPCop.

You can use it along with 2 nics to set up a firewall with proven, stable linux based utilities.  Once you have it set up, anything that you need to configure can be done through IPCops web interface.

IPCop makes it pretty painless if you read the docs first.  If you have an old PC, this is the way to go (aka free)!  IPCop is free.

I would put a hardware firewall in place on the networks perimeter, and I would recommend a good one like a PIX.  If you only have a DSL connection or cable connection a Cisco 831 router with IOS Firewall woudl also work.  Whatever you choose take the time to set it up correctly and log its activities.  It is more than worth your time and money to do it the right way.  Also secure the server, if you don't need IIS don't install it.  Do your research and only run the services that you need.  Keep the server updated and keep an eye on the logs.
chops123Author Commented:
Thanks for those valuable comments... will revert back with the results to those suggestions

chops123Author Commented:
The following ports are being shown open on doing a trojan scan


TCP scan: ALmost all ports are open. I believe port 23 is for SSH which is probably more vulnerable as pointed out by the system.

Please comment
Why is port 6969 open?
the rest are common ports which if you do not use their service, you should close.
21: FTP
23: Telnet
25: SMTP
80: Internet
Chops, =)

Do you have an Ipod? If not, the port 6969 is definitly a trojan/backdoor.

Port 6969
    Netwin DSMTP v2.7q remote-root exploit by noir will leave a root shell at this port.

or could be:

I recommend running the trendmicro virus scan, also installing sygate atleast until you can buy a hardware firewall.

let me know details, I'll give more recommendations when I get off work.

good luck,

Also, found this at  read the part on remote exploiting.

Try to telnet to your webserves IP + port 6969  ex. telnet 6969   , this is good to see what that port is being used for, sometimes your see a hackers welcome screen or tag, which can help identify the exact exploit/backdoor in use.

IIS 6 is a lot more secure than IIS 5 and earlier versions. However, there are cross-site scripting exploits even for IIS6.

Regardless of how, your server is or was compromised and you havea vulnerable port open.

Please advise,

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.