wvbeaner
asked on
recurring Event Log Errors after removing hacker from system
Hello, any help would be appreciated; I think the question may be quite difficult, but not urgent.
A few months ago my server was hacked, almost right after I took over the job of administering it. It is a remotely hosted system so only terminal server access, unless I want to bug one of our tech support guys to access the console, the server is locked up somewhere and I have no physical access to it.
I had to remove the hacks to the server rather forcefully as there were some hidden processes keeping an instance of FTP Serv-U active and hidden on the system, serving a hidden server linked to each of the recycle bins on the system. It seems that RAS might have been used to keep control of the system as well. I do not know how the system was compromised, but our ftp server is still being pinged by these guys.
Anyway, after removing all references to hacks in the registry and deleting the fake recycle bin links, the server has been experiencing consistent errors during startup. I will list them below. Any help in clearing up these errors would be a big help.
Server is running: Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 4 Uniprocessor Free.
w3svc ID 105
The server was unable to register the administration tool discovery information. The administration tool may not be able to see this server. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
Words: 0000: 000004c6
msftpsvc ID 105
The server was unable to register the administration tool discovery information. The administration tool may not be able to see this server. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
words: 0000: 000004c6
Service Control Manager ID 7000
The Distributed File System service failed to start due to the following error:
The system cannot find the path specified.
Service Control Manager ID 7000
The Distributed Transaction Coordinator service failed to start due to the following error:
The system cannot find the path specified.
Security Log: There are a bunch of the 560 errors; all seem to be the same.
Security: Object Access 560
Object Open:
Object Server: Security
Object Type: Mutant
Object Name: \BaseNamedObjects\RasPbFile
New Handle ID: -
Operation ID: {0,15459507}
Process ID: 2868
Primary User Name: USERNAME$
Primary Domain: usernamegroupgrp
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
Query mutant state
Privileges -
Application Log:
rasctrs 2001
The description for Event ID ( 2001 ) in Source ( rasctrs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The event log file is corrupt..
MSSQLServer 19011
SuperSocket info: (SpnRegister) : Error 1355.
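The records pasted above can be triaged mechanically before anyone touches the registry. The following script is an added example, not code from the question or from any answer on this page: it parses a dump in the layout used above (source and event ID on the first line of each record, message lines below, blank line between records; this layout and the sample records are constructed for the example), then flags three things a responder would want to verify first: Service Control Manager 7000 records that fail with "cannot find the path specified" (the service's ImagePath value in the registry should be checked against the binary on disk), 560 object-access audits on RAS-named mutants (the page's own hint that RAS was used for control), and embedded Win32 error codes, decoded from the hex data word or the "Error N" text. The error-name table is a partial list of standard Win32 codes (1222 is ERROR_NO_NETWORK, 1355 is ERROR_NO_SUCH_DOMAIN), not something derived from this server.

```python
import re

# Constructed sample in the layout of the records pasted in the question.
# It is not a real Event Viewer export; values mirror the ones quoted above.
SAMPLE_LOG = """\
Service Control Manager ID 7000
The Distributed File System service failed to start due to the following error:
The system cannot find the path specified.

Service Control Manager ID 7000
The Distributed Transaction Coordinator service failed to start due to the following error:
The system cannot find the path specified.

w3svc ID 105
The server was unable to register the administration tool discovery information.
Words: 0000: 000004c6

Security: Object Access 560
Object Open:
Object Type: Mutant
Object Name: \\BaseNamedObjects\\RasPbFile
Process ID: 2868
Primary User Name: USERNAME$

MSSQLServer 19011
SuperSocket info: (SpnRegister) : Error 1355.
"""

# Header line: "<source> ID <n>", "<source> <n>" or "<source>: <category> <n>".
HEADER = re.compile(r"^(?P<source>[\w ]+?)(?::\s*[\w ]+)?\s+(?:ID\s+)?(?P<id>\d+)$")
SERVICE = re.compile(r"The (?P<svc>.+?) service failed to start")
HEXDATA = re.compile(r"0000:\s*([0-9a-fA-F]{8})")   # the "Words: 0000: xxxxxxxx" data word
ERRNUM = re.compile(r"Error (\d+)")

# Partial table of standard Win32 error codes (documented values, not page-specific).
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    1222: "ERROR_NO_NETWORK",
    1355: "ERROR_NO_SUCH_DOMAIN",
}


def parse_events(text):
    """Split a text dump into (source, event_id, message) tuples."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        m = HEADER.match(lines[0])
        if not m:
            continue  # not a record header; skip unknown text
        events.append((m["source"].strip(), int(m["id"]), "\n".join(lines[1:])))
    return events


def field(message, name):
    """Return the value of a 'Name: value' line inside an audit record, or None."""
    m = re.search(rf"^{re.escape(name)}:\s*(.*)$", message, re.M)
    return m.group(1).strip() if m else None


def error_code(message):
    """Win32 error code carried by the record: hex data word first, then 'Error N' text."""
    m = HEXDATA.search(message)
    if m:
        return int(m.group(1), 16)
    m = ERRNUM.search(message)
    return int(m.group(1)) if m else None


def triage(events):
    """Produce (finding_kind, detail) pairs a responder should verify by hand."""
    findings = []
    for source, eid, msg in events:
        if source == "Service Control Manager" and eid == 7000:
            svc = SERVICE.search(msg)
            if svc and "cannot find the path" in msg:
                # Service binary path no longer resolves: compare the registry
                # ImagePath for this service with what is actually on disk.
                findings.append(("check-imagepath", svc["svc"]))
        elif eid == 560 and field(msg, "Object Type") == "Mutant":
            obj = field(msg, "Object Name") or ""
            if "ras" in obj.lower():
                findings.append(("ras-mutant-access", f"{obj} pid={field(msg, 'Process ID')}"))
        else:
            code = error_code(msg)
            if code is not None:
                name = WIN32_ERRORS.get(code, "unknown")
                findings.append(("win32-error", f"{source}/{eid}: {code} {name}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_events(SAMPLE_LOG)):
        print(f"{kind:20} {detail}")
```

Run against a real export, the "check-imagepath" findings give the list of services whose registry ImagePath should be compared with the binary on disk, and the "win32-error" lines turn opaque data words such as 000004c6 into named codes so the IIS and SQL Server failures can be read together.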
ASKER
I will look into the reinstall of IIS; I am not sure what this would involve.
Here is the link to the log file:
http://www.hijackthis.de/logfiles/058b631d7a63d6200a809dfea3bad932.html
HiJackThis - http://www.spywareinfo.com/~merijn/downloads.html
Create the log with HJT and post the log to the HJT LogAnalyzer - http://www.hijackthis.de/en
Save the log and post the URL to it here...
Also, you might want to try reinstalling the IIS components, but that might need to be done by the guys with access to the console...