
Windows 2003 Server hacked. How did they do it? How to fix?

Someone is in my Windows 2003 Server.   It looks like they've uploaded about 20G of music files.  There are folders like Drum & Bass, Techno, Hip-Hop, Acid from the root directory.

Any idea how they got in, and how to fix this?


My HijackThis log is below:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:10:23 AM, on 7/20/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\IIS Resources\DebugDiag\DbgSVC.Exe
C:\Program Files\SWsoft\Plesk\DrWeb\drwebcom.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MELSC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEMTA.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEPOC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEPOPS.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MESMTPC.EXE
C:\Program Files\SWsoft\Plesk\Databases\MSDE\MSSQL\Binn\sqlservr.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\rlsorrells\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xxx-xxx-xx-xx:9370/fpadmdll.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2099054881-618549740-4048128914-1004\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'psaadm')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - ESC Trusted Zone: http://www.eset.com
O15 - ESC Trusted Zone: http://www.grc.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://apache.cs.utah.edu
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72D26AB3-7FA3-4658-8DD1-7417923A9004}: NameServer =,
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: DrWebCom - Doctor Web Ltd. - C:\Program Files\SWsoft\Plesk\DrWeb\drwebcom.exe
O23 - Service: Kaspersky Antivirus TM (kavsvc) - SWsoft, Inc - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable List Connector (MELCS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - Unknown owner - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\BIN\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Persits Software EmailAgent - Persits Software, Inc. - C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
O23 - Service: PleskControlPanel - Apache Software Foundation - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
O23 - Service: Plesk Management Service (plesksrv) - SWsoft, Inc - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
O23 - Service: Plesk PopPass Service (PopPassD) - SWsoft, Inc - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe
O23 - Service: TCP/IP NetBIOS (TCP-IP) - Unknown owner - C:\WINDOWS\system32\tcpsrv.exe
O23 - Service: Terman WSM Server (Terman) - Unknown owner - C:\WINDOWS\system32\terwain.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe

End of file - 8360 bytes
3 Solutions
The first thing you do is lock down your access to that server from the outside and from the inside out. Remove the default gateway.
Unplug the network cable.
Remove all the files that were put on there.
Run Anti-virus checks, spyware checks, windows Defender.

They got in probably because the server is sitting behind a very insecure firewall. Do you allow HTTP, HTTPS, SMTP, ICMP, RDP or any other type of traffic through your firewall?

Do you have your server in your DMZ?


First look in your company, maybe people have admin access? Or the server room isn't locked, the admin is always logged on? You have used a weak password that is easily guessed?

If the server is used as webserver, you might not have locked it down enough? Anonymous accounts should only be able to have read access...

You might not have applied all patches? Also according to hijackthis you aren't using a firewall, or it is an unknown one!

If you know and trust "tscupgrd.exe", then leave it, if not, use hijackthis to remove all those entries.

The same applies for these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{72D26AB3-7FA3-4658-8DD1-7417923A9004}: NameServer =,
O23 - Service: TCP/IP NetBIOS (TCP-IP) - Unknown owner - C:\WINDOWS\system32\tcpsrv.exe
O23 - Service: Terman WSM Server (Terman) - Unknown owner - C:\WINDOWS\system32\terwain.exe

Remove this:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xxx-xxx-xx-xx:9370/fpadmdll.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

rsorrells (Author) commented:
The server is a leased server that's across the country, so I can't sever my own link to the server. I'll try running the programs that you mentioned. It's running Windows 2003 Server, and the latest version of Plesk. It hosts about 20 web sites. The firewall is the built-in Windows firewall. I'm allowing remote desktop, MS SQL 2000 (with limited scope). HTTP and HTTPS are allowed in. With Plesk, it uses several Linux-oriented programs such as Apache, MySQL, etc.

Each of these music files created has shortcuts pointing here:
This contains the master music directory.

I'm wondering if there's some good information in the files or folders as to which account created them?

rsorrells (Author) commented:
Thanks rindi, good suggestions. I will remove those, and get with the hosting company for help also.

You probably won't find much info about "who". It looks as if the Windows firewall is off, or HijackThis wouldn't have complained. Change your password and use a strong one. Change it often. Whenever possible, don't use the administrator account when logging on, but rather use an account with limited credentials.
rsorrells (Author) commented:
I'm wondering if there's any services or programs that can scan for vulnerabilities?  I've used Hackersafe before, but haven't in about 2 years.  

Download the SuperAntiSpyware software, it is very good for that.


Often it also helps to scan the PC with an online scanner, like Trend Micro's HouseCall.

This is not all that unusual, and you should be able to get it cleaned up in short order.

Step-1 should be to get rid of the current malware and backdoors that may have been installed. I will review your HJT log in a second and make some suggestions, but here is a list of things you should do after the immediate problem is fixed:

Step-2 (after some cleanup)

(1) Download and run MBSA from http://www.microsoft.com/technet/security/tools/mbsahome.mspx and follow as many of the suggestions as possible. Specifically, install any recommended updates.

(2) Examine your list of usernames and check if the hackers created new users that shouldn't be there.

(3) Change all Admin passwords, make them long and hard to break.

(4) Check if any network ports are open that should not be (use TCPview http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx).
Also, type "netstat -ab" from a command prompt.

(5) Search for any files created on your system around the time of the original break-in.

(6) Since this is a web server, review any web applications and scripts (asp, php...) that may have known vulnerabilities.
rindi already identified most of the bad entries in your HJT log. If those are not things that you installed yourself, clean those up first. I suspect one or more of those is an ftp server being used by the hackers to download/upload music files.
You can also post your HJT log to http://www.hijackthis.de/ and click "Analyze" to get a review. But if you're not sure about something, don't disable it but check back here first.

This looks like a fairly straightforward breakin, most likely due to one of two reasons: (a) Password guessing or (b) Exploiting some unpatched vulnerability.

To add to my list of post-cleanup steps, you should set an account lockout policy so an account is locked out after x number of failed attempts.

I also suggest the following:

(1) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.

Autoruns does have the option to disable startups that you believe to be bad, so you could use it to disable those items you're fairly sure about. You will need to reboot for changes to take effect.

Good plan to save the output of "netstat -ab" before and after cleanup so you can check/compare.
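The before/after comparison of "netstat -ab" output suggested above, as an added example in Python (not code from the thread): it parses the Windows netstat layout, keeps only LISTENING TCP and bound UDP sockets together with the owning executable that -b prints, and reports what stopped listening after cleanup and anything that newly appeared. Both snapshots are constructed samples; the process/port pairs in them are illustrative, not findings from the log.

```python
from typing import Dict, Set, Tuple

# Constructed `netstat -ab` output in the Windows 2003 layout, captured BEFORE
# cleanup. Process/port pairs are illustrative, not findings from the thread.
BEFORE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1536
  [tcpsrv.exe]
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2204
  [Apache.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       900
  [svchost.exe]
  TCP    0.0.0.0:9370           0.0.0.0:0              LISTENING       1988
  [terwain.exe]
  TCP    10.0.0.5:80            203.0.113.9:51822      ESTABLISHED     2204
  [Apache.exe]
  UDP    0.0.0.0:53             *:*                                    1320
  [named.exe]
"""
# Same host AFTER the unknown services were removed (also constructed).
AFTER = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2204
  [Apache.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       900
  [svchost.exe]
  UDP    0.0.0.0:53             *:*                                    1320
  [named.exe]
"""

def parse_listeners(netstat_output: str) -> Set[Tuple[str, int, str]]:
    """Return {(proto, port, process)} for each LISTENING TCP socket and each
    bound UDP socket; the process comes from the [name] line that -b prints."""
    listeners, pending = set(), None
    for line in netstat_output.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("TCP", "UDP"):
            proto, port = tokens[0], int(tokens[1].rsplit(":", 1)[1])
            state = tokens[3] if proto == "TCP" and len(tokens) > 3 else ""
            # Only sockets that accept input matter: LISTENING TCP or any bound UDP.
            pending = (proto, port) if proto == "UDP" or state == "LISTENING" else None
        elif pending and line.strip().startswith("["):
            listeners.add(pending + (line.strip().strip("[]"),))
            pending = None
    return listeners

def compare_snapshots(before: str, after: str) -> Dict[str, Set[Tuple[str, int, str]]]:
    """'removed' is what cleanup closed; 'added' is anything new and needs a look."""
    b, a = parse_listeners(before), parse_listeners(after)
    return {"removed": b - a, "added": a - b}
```

On the real server, save "netstat -ab" to a file before and after cleanup and pass the two file contents to compare_snapshots; an entry under "added" after cleanup means something new started listening and should be identified before the box goes back online.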

To do a HijackThis analysis use the http://hijackthis.de/en link, or you'll do an analysis based on German versions of your software, which can give you incorrect results (you can also use the link r-k gave you, then click on the language icon at the top left of your page to get there).
rsorrells (Author) commented:
I found the root directory and several others had the read/write permission of 'Everyone'. I'm not sure how that got there. I've fixed it.

One thing that I suspect is a vulnerability in PHP5. I installed it replacing PHP4 for the Plesk operating system. I'm sure it's not configured securely. Is there a PHP security scanner for Windows that could help identify if this is the problem?

Sorry, I don't know of an automated PHP security scanner. You probably have to stay on top of news and updates by joining their mailing list, I suspect.

Here are a few PHP security links I ran across that may help:

Thanks and good luck.