Hacker has accessed server, unable to find resolution
Posted on 2005-04-19
Recently we have discovered a hacker has gained access to one of our Windows 2000 servers (SP4). The server is our Exchange server and our web hosting server (limited funds, do what we can).
By running Sysinternals RootkitRevealer we are able to see that several hidden registry entries have been made. A couple of hidden files were also discovered.
The hidden entries:
We are receiving numerous Event ID 7011 errors for all Exchange-related services and the IIS service, eventually stalling the services.
We have since closed off the server from the outside world (still allowing SMTP traffic in/out), but the internal damage is done.
Is there any tool/utility that will allow us to access the hidden registry keys and hidden files so that we can delete them?