  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 300

Hacker has accessed server, unable to find resolution

Recently we have discovered a hacker has gained access to one of our Windows 2000 servers (SP4).  The server is our Exchange server and our web hosting server (limited funds, do what we can).

By running SysInternals RootkitRevealer we are able to see that several hidden registry entries have been made.  A couple of hidden files were also discovered.

The hidden entries:
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MSDSA
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\MSDSA
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDSA
HKLM\SYSTEM\ControlSet001\Services\MSDSA
HKLM\SYSTEM\ControlSet001\Servicesl\MSDSADRV
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\MSDSA
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\MSDSA
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSDSA
HKLM\SYSTEM\ControlSet002\Services\MSDSA
HKLM\SYSTEM\ControlSet002\Servicesl\MSDSADRV

C:\WINNT\system32\msdfm.exe
C:\WINNT\system32\msdsa.exe
C:\WINNT\system32\msgate\msgate.exe

We are receiving numerous Event ID 7011 for all Exchange related services and IIS service, eventually effectively stalling the services.

We have since closed off the server from the outside world (still allowing SMTP traffic in/out), but the internal damage is done.

Is there any tool/utility that will allow us to access the hidden registry keys and hidden files so that we can delete them?
Asked by: jhinson
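RootkitRevealer reports the entries above because it compares two views of the registry (the Win32 API and the raw hive) and flags keys that appear in one but not the other. The script below is an added example, not part of the original thread and not from the SysInternals tool; it applies the same cross-view idea with what a modern Windows host offers, comparing the PowerShell registry provider against reg.exe, and then looking for the two patterns the poster's keys show: a SafeBoot\Minimal or \Network entry and an Enum\Root\LEGACY_* key that name a service. It assumes PowerShell 5 or later and administrator rights, and it is read-only.

```powershell
# Added example (not from the thread): cross-view discrepancy check for the
# service-related registry locations listed in the question. Three checks:
#   1. Services subkeys seen by the PowerShell provider vs. by reg.exe
#   2. SafeBoot\Minimal and \Network entries that name a service with no
#      Services key (the thread's MSDSA sits in both SafeBoot profiles)
#   3. Enum\Root\LEGACY_* keys whose service has no Services key
# Assumes PowerShell 5+ on a current Windows host, run as administrator.

function New-Finding([string]$Check, [string]$Name, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Name = $Name; Detail = $Detail }
}

function Get-ProviderServiceNames {
    # View 1: the in-process registry provider (Win32 registry API)
    @((Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue).PSChildName)
}

function Get-RegExeServiceNames {
    # View 2: reg.exe runs as a separate process; subkey lines begin with HKEY_
    @(reg.exe query 'HKLM\SYSTEM\CurrentControlSet\Services' 2>$null |
        Where-Object { $_ -match '^HKEY_' } |
        ForEach-Object { ($_ -split '\\')[-1] })
}

function Compare-ServiceViews([string[]]$ProviderNames, [string[]]$RegExeNames) {
    # A name present in one enumeration but not the other is the kind of
    # discrepancy a hiding hook produces; a clean host yields nothing here
    foreach ($n in $RegExeNames) {
        if ($n -notin $ProviderNames) { New-Finding 'services-view' $n 'seen by reg.exe, not by the provider' }
    }
    foreach ($n in $ProviderNames) {
        if ($n -notin $RegExeNames) { New-Finding 'services-view' $n 'seen by the provider, not by reg.exe' }
    }
}

function Test-SafeBootOrphans([string[]]$Known) {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($sub in @(Get-ChildItem $key -ErrorAction SilentlyContinue)) {
            # Legitimate entries are device-class GUIDs or driver groups; a
            # service registered here by name will also be started in Safe Mode
            if ($sub.PSChildName -like '{*}') { continue }
            if ($sub.GetValue('') -eq 'Driver Group') { continue }
            if ($sub.PSChildName -notin $Known) {
                New-Finding "safeboot-$mode" $sub.PSChildName 'SafeBoot entry with no Services key'
            }
        }
    }
}

function Test-LegacyEnumOrphans([string[]]$Known) {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
    foreach ($sub in @(Get-ChildItem $root -ErrorAction SilentlyContinue)) {
        if ($sub.PSChildName -notlike 'LEGACY_*') { continue }
        $svc = $sub.PSChildName.Substring(7)          # strip the LEGACY_ prefix
        if ($svc -notin $Known) {
            New-Finding 'legacy-enum' $sub.PSChildName 'LEGACY_ key with no Services key'
        }
    }
}

function Invoke-CrossViewCheck {
    $provider = Get-ProviderServiceNames
    $regexe   = Get-RegExeServiceNames
    $known    = @($provider + $regexe | Sort-Object -Unique)
    @(Compare-ServiceViews $provider $regexe) +
    @(Test-SafeBootOrphans $known) +
    @(Test-LegacyEnumOrphans $known)
}

$findings = Invoke-CrossViewCheck
if ($findings.Count -eq 0) { 'No cross-view discrepancies found.' }
else { $findings | Format-Table -AutoSize }
```

The interesting result is a name that shows up in only one view, as MSDSA would have on the poster's server; review each finding against the ImagePath under its Services key before acting on it, and keep in mind that a kernel-mode rootkit can filter both views equally, which is why a raw-hive or offline comparison (RootkitRevealer's approach) remains the stronger check.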
1 Solution
 
JammyPak commented:
Hidden files? Turn off 'hide protected operating system files' and turn on 'show hidden files' in folder option. There's not much more to that one...
As for the registry, run regedt32, and use the security menu to give yourself at least read (or Full control) to the whole registry.

Ps. I would NOT try to salvage this machine. Take yourself offline, backup all mail, and reinstall a brand new box. Your chances of completely cleaning this system are slim-to-none.
 
jhinson (author) commented:
JammyPak,
Have already done all you suggested, no luck.

Will be installing new machine this weekend but am trying to survive until then.
 
nedvis commented:
You might like to try this tool, with which you can delete (rename or move) files that are used by the operating system
and cannot be easily deleted:
http://www.thescarms.com/vbasic/FilesInUse.asp
----------------------------------------------------------
You can  also manually remove hidden Windows registry entries with pointers to executable files ( msdfm.exe, msdsa.exe and msgate.exe )
----------------------------------------------------------
msgate.exe
W32/Sdbot-OK is a worm which attempts to spread to remote network shares.
http://www.greatis.com/appdata/d/m/msgate.exe_Removal.htm
_________________________________________
Troj/Multidr-Y
Summary:
http://www.sophos.com/virusinfo/analyses/trojmultidry.html
"Troj/Multidr-Y drops and executes W32/Sdbot-BK as runme.exe and Troj/HacDef-I
as msdsa.exe in the Windows system folder.
The Trojan also drops the following file in the Windows system folder:
admdll.dll - a non-malicious DLL plugin for a remote administration tool
go.bat - an innocuous BAT file
hexec.exe - a legitimate utility called HideWindow
msdfm.exe - a non-malicious remote administration tool
raddrv.dll - a non-malicious DLL plugin for a remote administration tool
msdsa.ini - a configuration file for msdsa.exe  "
__________________________________________

http://www.ccleaner.com  ( general purpose hard-disk cleaner)
------------------------------------------------------------
good luck
nedvis
 
rossfingal commented:
Hi!

Try running "Supershell" (free):
http://p-nand-q.com/download/supershell.html

RF
 
davidis99 commented:
If this trojan has launched itself as a process which cannot be killed normally through task manager, preventing you from deleting the associated .exe and .dll files, you may want to try downloading taskman+ from

http://www.diamondcs.com.au/index.php?page=products

to see if it can kill the trojan process. Once killed, you should be able to delete the .exe and .dll files, then delete the associated regkeys.
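Before deleting anything along the lines nedvis and davidis99 suggest, it is worth recording what is actually on disk and in the registry, both for the rebuild JammyPak recommends and for understanding how the box was used. The script below is an added example, not from the thread or from any of the tools it links; it sweeps for the artefact names posted in the thread (the MSDSA and MSDSADRV service keys, the RootkitRevealer file hits, and the files in the quoted Sophos drop list), notes whether each is visible to the PowerShell provider, to reg.exe, to cmd.exe dir and to .NET, and captures the service ImagePath, file hashes and signature status into a JSON report. It assumes PowerShell 5 or later and administrator rights; the report location is an assumption, and nothing is modified or deleted.

```powershell
# Added example (not from the thread): read-only triage sweep for the
# indicators posted above, recording which views of the system can see each
# one. Indicator names come from the thread; the report path is assumed.

$ReportPath = Join-Path $env:TEMP 'msdsa-triage.json'        # assumed location
$System32   = Join-Path $env:SystemRoot 'system32'

$ServiceNames = 'MSDSA', 'MSDSADRV'                           # from the question
$FileNames    = 'msdfm.exe', 'msdsa.exe', 'msgate\msgate.exe', # RootkitRevealer hits
                'admdll.dll', 'go.bat', 'hexec.exe',           # Sophos drop list
                'raddrv.dll', 'msdsa.ini'

function Get-RegistryViews([string]$RelativePath) {
    # Check every control set the question listed, through two independent views:
    # the in-process provider and reg.exe in its own process
    $views = [ordered]@{}
    foreach ($set in 'ControlSet001', 'ControlSet002', 'CurrentControlSet') {
        $views["$set/provider"] = Test-Path "HKLM:\SYSTEM\$set\$RelativePath"
        reg.exe query "HKLM\SYSTEM\$set\$RelativePath" 2>&1 | Out-Null
        $views["$set/reg.exe"]  = ($LASTEXITCODE -eq 0)
    }
    $views
}

function Get-FileViews([string]$Path) {
    # Three ways of asking "does this file exist"; a file a rootkit hides
    # from Explorer may still answer to one of them
    cmd.exe /c "dir /a /b `"$Path`"" 2>&1 | Out-Null
    [ordered]@{
        provider = Test-Path -LiteralPath $Path
        cmd_dir  = ($LASTEXITCODE -eq 0)
        dotnet   = [System.IO.File]::Exists($Path)
    }
}

function Invoke-TriageSweep {
    $report = [ordered]@{
        host = $env:COMPUTERNAME; when = (Get-Date).ToString('o')
        services = @(); files = @()
    }

    foreach ($svc in $ServiceNames) {
        $entry = [ordered]@{ name = $svc }
        $entry.services         = Get-RegistryViews "Services\$svc"
        $entry.safeboot_minimal = Get-RegistryViews "Control\SafeBoot\Minimal\$svc"
        $entry.safeboot_network = Get-RegistryViews "Control\SafeBoot\Network\$svc"
        $entry.legacy_enum      = Get-RegistryViews "Enum\Root\LEGACY_$svc"
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path $key) {
            $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
            $entry.image_path = $props.ImagePath     # what the service actually launches
            $entry.start_type = $props.Start
        }
        $report.services += $entry
    }

    foreach ($f in $FileNames) {
        $path  = Join-Path $System32 $f
        $entry = [ordered]@{ path = $path; views = (Get-FileViews $path) }
        if ([System.IO.File]::Exists($path)) {
            $entry.sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $entry.size      = (Get-Item -LiteralPath $path -Force).Length
            $entry.signature = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
        }
        $report.files += $entry
    }

    $report | ConvertTo-Json -Depth 6 | Set-Content -LiteralPath $ReportPath -Encoding UTF8
    $report
}

Invoke-TriageSweep | Out-Null
"Triage report written to $ReportPath"
```

The hashes are the part worth keeping: they let the files be identified by a vendor or a sandbox later, and they show whether msdfm.exe and the DLLs really are the benign remote-administration components the Sophos write-up describes or something else dropped under the same names. A "true" in one view and "false" in another for the same path or key is the same kind of discrepancy RootkitRevealer reported on this server.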