
hacked by someone.....

Posted on 2005-04-27
Last Modified: 2013-12-04
Dear all,

I find that my Windows 2000 SP4 server, with Terminal Service, has been hacked by someone. Whoever did the hacking installed QQ and created two user accounts with a $ sign at the end, i.e.: abcd$

And there are some files on the Administrator Desktop, e.g. r_server.exe, windowsattack.exe, etc.

I installed SQL2000 & Terminal Service on the server, so I have had to open ports 1433 & 3389 to the public.

How can I fix this problem? I've tried running a fresh installation of Windows 2000, but the server was attacked again within 24 hrs...

Please Help!

Thanks!
Question by:efkw
5 Comments
 
LVL 12

Expert Comment

by:rossfingal
ID: 13875341
Hi!

Try running these - they might show you what's hiding:
Rootkit Revealer
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

F-Secure Blacklight Rootkit revealer
http://www.f-secure.com/blacklight

RF
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 13877006
first of all, take the server off your network immediately - and isolate it.
next, close the open firewall ports to this server before you completely wipe and reinstall the machine.

this is assuming that you really don't care who hacked you or why...they probably were just network scanning and found you

if you wanted to do a forensic analysis, then you need to shut down the server and call in an expert in the field, or notify law enforcement
0
 
LVL 32

Expert Comment

by:r-k
ID: 13882911
>I've tried running a fresh installation of Windows 2000, but the server was attacked again within 24 hrs...

Well, you probably want to be off the network, do a clean install, then install all updates, only then reconnect to the network.

Also, as suggested above, if it's a rootkit then you may have to reformat before installing.
0
 

Author Comment

by:efkw
ID: 14586615
Final result.

The hacker comes from China. I have found which hacking tools he is using to hack my server. And about the MS Windows update, it has not included the patch for lsass... he used the tools through lsass to attack my server, then made it buffer overflow and then opened the telnet port.

After telnet was opened, he created an account and put it in the Administrators group. Then he used RDP to connect in and place/delete files, install QQ, etc.
0
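
The question reports accounts with names ending in `$`, and the author's final comment describes an account being added to the Administrators group. As an added example (not part of the original thread), this Python script audits saved `net localgroup Administrators` output for such members. The sample output, the `sqlsvc` account and the expected-admin list are constructed assumptions, and English-language command output is assumed.

```python
import re

# Constructed sample of `net localgroup Administrators` output
# (not captured from the server in this thread).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
abcd$
sqlsvc
The command completed successfully.
"""

# Assumption: accounts the administrator expects to hold admin rights.
EXPECTED_ADMINS = {"administrator", "sqlsvc"}


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list:
            if not line or line.lower().startswith("the command completed"):
                break
            members.append(line)
    return members


def audit_admins(output, expected=EXPECTED_ADMINS):
    """Map each suspicious group member to the reasons it was flagged."""
    findings = {}
    for name in parse_members(output):
        reasons = []
        if name.endswith("$"):
            reasons.append("name ends in $")
        if name.lower() not in expected:
            reasons.append("not in expected admin list")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for member, why in audit_admins(SAMPLE_OUTPUT).items():
        print(f"{member}: {', '.join(why)}")
```

Run it against output collected from the isolated machine, and treat any finding as a reason to rebuild rather than to clean up in place.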
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14617370
Closed, 290 points refunded.
modulo
Community Support Moderator
0
