Solved

recurring Event Log Errors after removing hacker from system

Posted on 2005-04-28
1,976 Views
Last Modified: 2013-12-04
Hello, any help would be appreciated; I think the question may be quite difficult, but not urgent.

A few months ago my server was hacked, almost right after I took over the job of administering it.  It is a remotely hosted system, so I have only Terminal Server access unless I want to bug one of our tech support guys to access the console; the server is locked up somewhere and I have no physical access to it.  

I had to remove the hacks to the server rather forcefully, as there were some hidden processes keeping an instance of FTP Serv-U active on the system and hidden, serving a hidden server linked to each of the recycle bins on the system.  It seems that RAS might have been used to keep control of the system as well.  I do not know how the system was compromised, but our FTP server is still being pinged by these guys.  

Anyway, after removing all references to hacks in the registry and deleting the fake recycle bin links, the server has been experiencing consistent errors during startup.  I will list them below.  Any help in clearing up these errors would be a big help.  

Server is running:    Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 4 Uniprocessor Free.


w3svc    ID 105

The server was unable to register the administration tool discovery information.  The administration tool may not be able to see this server.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

Words:  0000: 000004c6


msftpsvc    ID  105

The server was unable to register the administration tool discovery information.  The administration tool may not be able to see this server.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

Words:  0000: 000004c6



Service Control Manager  ID  7000


The Distributed File System service failed to start due to the following error:
The system cannot find the path specified.  


Service Control Manager   ID   7000

The Distributed Transaction Coordinator service failed to start due to the following error:
The system cannot find the path specified.  



Security Log:  There are a bunch of 560 events; they all seem to be the same.

Security:  Object Access  560


Object Open:
       Object Server:      Security
       Object Type:      Mutant
       Object Name:      \BaseNamedObjects\RasPbFile
       New Handle ID:      -
       Operation ID:      {0,15459507}
       Process ID:      2868
       Primary User Name:      USERNAME$
       Primary Domain:      usernamegroupgrp
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses            DELETE
                  READ_CONTROL
                  WRITE_DAC
                  WRITE_OWNER
                  SYNCHRONIZE
                  Query mutant state
                  
       Privileges            -


Application Log:      

rasctrs              2001

The description for Event ID ( 2001 ) in Source ( rasctrs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The event log file is corrupt..


MSSQLServer    19011

SuperSocket info: (SpnRegister) : Error 1355.
Question by: wvbeaner
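A triage pass over the entries quoted above, added here as an example and not part of the original question or any answer. It parses the source, event ID, message and data word of each quoted event and applies one rule per event family: decoding the Win32 code in the data word (0x4c6 and 1355 are looked up from winerror.h), treating each SCM 7000 "cannot find the path" as a service whose ImagePath no longer resolves after the registry cleanup, and classifying the 560 entry by the logon session that opened the RasPbFile mutant. The sample events are constructed from the poster's text; the expected service binaries (dfssvc.exe, msdtc.exe) are assumptions for the example, not something the post states.

```python
"""Triage of the Windows 2000 event-log entries quoted in the question.

Added example (not from the original post). SAMPLE_EVENTS is constructed
from the source, event ID and message text the poster quoted; the
error-code table carries only the two Win32 codes those events cite.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Win32 error codes cited in the quoted events (values from winerror.h).
WIN32_ERRORS = {
    1222: "ERROR_NO_NETWORK: the network is not present or not started",
    1355: "ERROR_NO_SUCH_DOMAIN: the domain does not exist or could not be contacted",
}

# Binary the ImagePath of each service named in the SCM 7000 events is
# expected to reference (assumption for this example, not from the post).
EXPECTED_BINARY = {
    "Distributed File System": "dfssvc.exe",
    "Distributed Transaction Coordinator": "msdtc.exe",
}


@dataclass
class Event:
    log: str        # System, Security or Application
    source: str
    event_id: int
    message: str


# Constructed sample, reduced to the fields the rules below need.
SAMPLE_EVENTS = [
    Event("System", "w3svc", 105,
          "The server was unable to register the administration tool discovery information. Words: 0000: 000004c6"),
    Event("System", "msftpsvc", 105,
          "The server was unable to register the administration tool discovery information. Words: 0000: 000004c6"),
    Event("System", "Service Control Manager", 7000,
          "The Distributed File System service failed to start due to the following error:\nThe system cannot find the path specified."),
    Event("System", "Service Control Manager", 7000,
          "The Distributed Transaction Coordinator service failed to start due to the following error:\nThe system cannot find the path specified."),
    Event("Security", "Security", 560,
          "Object Open:\n Object Type: Mutant\n Object Name: \\BaseNamedObjects\\RasPbFile\n Process ID: 2868\n Primary Logon ID: (0x0,0x3E7)"),
    Event("Application", "MSSQLServer", 19011,
          "SuperSocket info: (SpnRegister) : Error 1355."),
]


def data_word(msg: str) -> Optional[int]:
    """Return the error code carried in a 'Words: 0000: xxxxxxxx' data line, if present."""
    m = re.search(r"0000:\s*([0-9a-fA-F]{8})", msg)
    return int(m.group(1), 16) if m else None


def triage(events: List[Event]) -> List[Dict[str, str]]:
    """Classify each event and attach the check a responder should run next."""
    findings = []
    for ev in events:
        f = {"source": ev.source, "event_id": str(ev.event_id)}
        if ev.event_id == 105 and ev.source in ("w3svc", "msftpsvc"):
            code = data_word(ev.message)
            f["kind"] = "iis-admin-discovery"
            f["detail"] = WIN32_ERRORS.get(code, f"unknown code {code}")
            f["action"] = ("IIS could not publish its admin discovery record at startup; "
                           "check that the network/RPC stack is up before the service starts, then reinstall the IIS component")
        elif ev.source == "Service Control Manager" and ev.event_id == 7000:
            m = re.match(r"The (.+?) service failed to start due to the following error:\s*(.*)", ev.message, re.S)
            svc, err = (m.group(1), m.group(2).strip()) if m else (ev.message, "")
            f["kind"] = "service-imagepath"
            f["service"] = svc
            f["detail"] = err
            exp = EXPECTED_BINARY.get(svc, "<service binary>")
            f["action"] = (f"SCM could not resolve the service binary; verify that "
                           f"HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath points at an existing {exp}")
        elif ev.source == "Security" and ev.event_id == 560:
            m_name = re.search(r"Object Name:\s*(\S+)", ev.message)
            m_logon = re.search(r"Primary Logon ID:\s*\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)", ev.message)
            obj = m_name.group(1) if m_name else "?"
            system_logon = m_logon is not None and int(m_logon.group(2), 16) == 0x3E7
            f["kind"] = "object-access"
            f["object"] = obj
            f["detail"] = "opened by the SYSTEM logon session (0x3E7)" if system_logon else "opened by a non-SYSTEM logon session"
            if obj.endswith("RasPbFile") and system_logon:
                f["action"] = ("RAS phonebook mutex opened by SYSTEM: expected audit noise from object-access auditing; "
                               "correlate the Process ID only if RAS is supposed to be disabled on this host")
            else:
                f["action"] = "review: unexpected object or caller"
        elif ev.source == "MSSQLServer" and ev.event_id == 19011:
            m = re.search(r"Error (\d+)", ev.message)
            code = int(m.group(1)) if m else None
            f["kind"] = "spn-register"
            f["detail"] = WIN32_ERRORS.get(code, f"unknown code {code}")
            f["action"] = "SQL Server could not register its SPN: expected when the host is not joined to a reachable domain; informational"
        else:
            f["kind"] = "unclassified"
            f["detail"] = ev.message.splitlines()[0]
            f["action"] = "review manually"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['kind']}] {finding['source']} {finding['event_id']}: {finding['detail']}")
        print(f"    -> {finding['action']}")
```

The point of splitting the rules this way is that only the two 7000 entries are actually tied to the cleanup: the 105 and 19011 events decode to network and domain errors that a standalone host logs at every boot, and the 560 entry is the SYSTEM account touching its own RAS mutex, which object-access auditing will keep reporting for as long as that audit category is on.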
LVL 8

Expert Comment

by:RevelationCS
ID: 13888951
Sounds like your installations of IIS components might be corrupted... might want to try the following:

HiJackThis - http://www.spywareinfo.com/~merijn/downloads.html
create the log with HJT and post the log to the HJT LogAnalyzer - http://www.hijackthis.de/en
save the log and post the URL to it here...

Also, you might want to try reinstalling the IIS components, but that might need to be done by the guys with access to the console...

Author Comment

by:wvbeaner
ID: 13894064
I will look into the re install of IIS, I am not sure what this would involve.

Here is the link to the log file:

http://www.hijackthis.de/logfiles/058b631d7a63d6200a809dfea3bad932.html

LVL 8

Accepted Solution

by:
RevelationCS earned 1200 total points
ID: 13894295
You may want to take a look at the item that was listed as "Possibly Nasty" in the log. One other potential source of the increase in traffic is the SMTP product that is installed; you might see some hits to your server that you were not expecting to see. My best guess based on what I see is that your system is clean from that perspective, so I would recommend reinstalling IIS. To do this, go to <Control Panel> and select <Add/Remove Programs>, then <Windows Components>. Browse through the list and look for the IIS components (Web Server, FTP server, etc. that are installed), make a note as to which are installed, then uninstall them. You will probably have to reboot the machine when done with this, but once they are uninstalled, go back and follow the same steps as above, and reinstall those same components again.

I notice you have livestats running, which should require a webserver to be installed... don't know about the IMAIL product, but that might require the same also...
LVL 8

Assisted Solution

by:anil_u
anil_u earned 300 total points
ID: 13900384