hacked by someone.....

Posted on 2005-04-27
Last Modified: 2013-12-04
Dear all,

I found that my Windows 2000 SP4 server, with Terminal Service, has been hacked by someone. Whoever did the hacking installed QQ and created two user accounts with a $ sign at the end, i.e.: abcd$

And there are some files on the Administrator desktop, e.g. r_server.exe, windowsattack.exe, etc.

I installed SQL2000 & Terminal Service on the server, and I have to keep ports 1433 & 3389 open to the public.

How can I fix this problem? I've tried running a fresh installation of Windows 2000, but the server was attacked again within 24 hrs...

Please Help!

Question by:efkw
    LVL 12

    Expert Comment


    Try running these - they might show you what's hiding:
    Rootkit Revealer

    F-Secure Blacklight Rootkit revealer

    LVL 16

    Expert Comment

    first of all, take the server off your network immediately - and isolate it.
    next, close the open firewall ports to this server before you completely wipe and reinstall the machine.

    this is assuming that you really don't care who hacked you or why...they probably were just network scanning and found you

    if you wanted to do a forensic analysis, then you need to shut down the server and call in an expert in the field, or notify law enforcement
    LVL 32

    Expert Comment

    >I've tried running a fresh installation of Windows 2000, but the server was attacked again within 24 hrs...

    Well, you probably want to be off the network, do a clean install, then install all updates, only then reconnect to the network.

    Also, as suggested above, if it's a rootkit then you may have to reformat before installing.

    Author Comment

    Final result.

    The hacker came from China. I have found which hacking tools he was using to hack my server. As for the MS Windows update, it did not include the patch for lsass... he used the tools through lsass to attack my server, caused a buffer overflow and then opened the telnet port.

    After telnet was opened, he created an account and put it in the Administrators group. Then he used RDP to connect in, and placed/deleted files, installed QQ, etc.

    Accepted Solution

    Closed, 290 points refunded.
    Community Support Moderator
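
Added example, not part of the original thread: a defender-side check for the pattern the author describes, namely new user accounts whose names end in `$` and that are placed in the Administrators group shortly after creation. It assumes account-management auditing was enabled and the Security log was exported to a simplified CSV; the column layout, the sample rows and the 10-minute window are constructed for illustration, and 624/636 are the Windows 2000-era event IDs for user account creation and local-group member addition.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: a simplified CSV export of Security log records.
# Columns and values are made up for illustration.
# 624 = user account created, 636 = member added to a local group.
SAMPLE_LOG = """\
time,event_id,target_account,group
2005-04-26 02:11:40,624,abcd$,
2005-04-26 02:11:52,636,abcd$,Administrators
2005-04-26 09:30:05,624,jsmith,
2005-04-27 14:02:10,636,jsmith,Administrators
2005-04-26 02:13:07,624,wxyz$,
"""

WINDOW = timedelta(minutes=10)  # assumed correlation window


def find_suspicious_accounts(log_text, window=WINDOW):
    """Flag new accounts ending in $ and accounts promoted right after creation."""
    created = {}   # lower-cased account name -> creation time
    findings = []
    # ISO-style timestamps sort correctly as strings.
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    for row in rows:
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        account = row["target_account"]
        key = account.lower()
        if row["event_id"] == "624":
            created[key] = when
            if account.endswith("$"):
                findings.append((account, "user account name ends with $"))
        elif row["event_id"] == "636" and row["group"].lower() == "administrators":
            born = created.get(key)
            if born is not None and when - born <= window:
                findings.append((account, "added to Administrators right after creation"))
    return findings


if __name__ == "__main__":
    for account, reason in find_suspicious_accounts(SAMPLE_LOG):
        print(f"{account}: {reason}")
```
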
