Windows 2003 Security Problem NEED HELP ASAP

I believe my server has been compromised by someone and I'm trying to close these ports. Can someone guide me in the direction to fix this ASAP?
1967 [description: For your eyes only, WM FTP Server / Server: Uknown] 220- Microsoft server

4444 [Description: Crackdown, Oracle, Prosiak, Swift Remote / Service: Uknown] 220 Serv- U FTP Server v6.0 for WinSock ready

7800 [Description: Paltalk / Service: Uknown] 220 Serv-U FTP Server v4.1 for WinSock ready
jkaminsky asked:

Tolomir (Administrator) commented:
For a fast scan you should download prevx 2.0 first.

PREVX 2.0 is the most powerful security solution in the world. It safeguards your PC and personal information from theft and attack by Spyware, Rootkits, Trojans, Viruses, Bots, Adware and all other forms of Malware and Crimeware.
http://info.prevx.com/downloadprevx2.asp


---

Apart from that make a scan with superantispyware (free version)

www.superantispyware.com

---
After both are run, you can start to remove these FTP services. Since these did not get onto your computer without any further programs in the background, it's important to scan for this malware first.

Then we can proceed with autoruns, as r-k suggests.


Tolomir
0

r-k commented:
Yes, you are correct that some bootleg servers are running on your server.

Please do the following:

(1) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
    Important -> Then click the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.
(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.

I highly recommend that you save the list created by Autoruns for future reference.

Also, you can use the command "netstat -ab" at a command prompt to see what programs have which ports open. Use "netstat -ab > list.txt" to save that list to a file for later study as well.

After you've got the most serious holes plugged you'll have to take further steps to remove any remaining infection and harden the server. I can post more tips after you try the above steps to get things under control a bit.

0
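As an added illustration of the netstat step above (example code added here, not r-k's own), the following PowerShell script parses `netstat -ano` output rather than `netstat -ab`, because the PID column is easier to parse reliably than the bracketed executable names, and then maps each listening TCP port to its owning process via Get-Process. It flags the three ports listed in the question and can save the full list for later reference, as r-k recommends. It assumes PowerShell 2.0 or later installed on the affected host and an administrative prompt (process paths are only visible with elevation); the sample netstat lines at the bottom are constructed for an offline dry run.

```powershell
# Added example, not from the original thread. Assumes PowerShell 2.0+ and an
# elevated prompt on the Windows 2003 host. Ports below are the ones named in
# the question; adjust the list for your environment.
$SuspectPorts = @(1967, 4444, 7800)

function Get-ListeningPorts {
    # $NetstatLines: raw text lines as produced by "netstat -ano"
    param([string[]]$NetstatLines)

    foreach ($line in $NetstatLines) {
        # Typical line:  TCP    0.0.0.0:4444    0.0.0.0:0    LISTENING    1832
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $procId = [int]$Matches[3]
            $port   = [int]$Matches[2]
            # Get-Process returns nothing (no error) if the PID is gone or not visible
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue

            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]
                Port         = $port
                PID          = $procId
                ProcessName  = $(if ($proc) { $proc.ProcessName } else { '<not found>' })
                # .Path is empty unless the shell is elevated
                Path         = $(if ($proc -and $proc.Path) { $proc.Path } else { '' })
                Suspect      = ($SuspectPorts -contains $port)
            }
        }
    }
}

# --- Offline dry run on constructed sample output (PIDs are made up) ---
$SampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1240',
    '  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1832',
    '  TCP    0.0.0.0:7800           0.0.0.0:0              LISTENING       1832',
    '  UDP    0.0.0.0:123            *:*                                    1004'
)
Get-ListeningPorts -NetstatLines $SampleNetstat |
    Format-Table Port, PID, ProcessName, Suspect -AutoSize

# --- Live run on the affected host ---
$Live = netstat -ano
# Show only the flagged ports with the binary behind them
Get-ListeningPorts -NetstatLines $Live |
    Where-Object { $_.Suspect } |
    Format-Table Port, PID, ProcessName, Path -AutoSize
# Keep the complete listener inventory for later comparison
Get-ListeningPorts -NetstatLines $Live |
    Export-Csv -Path listeners.csv -NoTypeInformation
```

The Suspect flag only tells you a port from the question is open; the useful evidence is the Path column, which shows where the binary answering on that port lives. A process path outside the expected install directories, or a PID that maps to no visible process at all (which can happen when a rootkit hides it, as Tyrannus notes later in the thread), is what to follow up on before disabling anything.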

jkaminsky (Author) commented:
There are a lot of files not found on. Should I check all those?
0

r-k commented:
"..should I check all those"

Did you mean "un-check", i.e. disable them?

I would, but a safer thing might be to post those sections (or the entire) of the Autoruns log here if you're not sure.
0

Tyrannus commented:
Use Process Explorer to find which applications you will need to remove. Looks like an FTP server, but I could be wrong. You can find the location and kill these processes. Also check the services under Computer Management.
http://www.softpedia.com/get/System/System-Info/Process-Explorer.shtml

The hacker might have used rootkits to hide their stuff. Use Rootkit Revealer to see what is being hooked.
http://www.download.com/RootkitRevealer/3000-2248_4-10543917.html

A firewall will be able to close the unwanted ports. The most important part is to find how the hacker rooted your box. Check the logs and figure out what method the hacker used and close that door. This is assuming that the hacker left the logs unchanged for you to see. Double check to see if the hacker made backdoors in case you patched their bypass.
0
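For the "check the services under Computer Management" step, here is an added PowerShell triage script (example code, not Tyrannus's or any tool's own) that lists every installed service whose executable sits outside the Windows directory or does not carry a valid Authenticode signature. It assumes PowerShell 2.0 or later and an administrative prompt on the affected host; the Win32_Service class, Get-AuthenticodeSignature and Test-Path are standard cmdlets and classes, everything else (function name, column names) is this example's own.

```powershell
# Added example, not from the original thread. Assumes PowerShell 2.0+ on the
# affected host, run elevated so every service's binary can be read.

function Get-SuspectServices {
    $windir = $env:SystemRoot

    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }   # skip entries with no image path

        # PathName forms seen in practice:
        #   "C:\Program Files\App\svc.exe" -run      (quoted, with arguments)
        #   C:\WINDOWS\system32\svchost.exe -k netsvcs (unquoted, no spaces in path)
        #   C:\Program Files\App\svc.exe              (unquoted WITH spaces)
        $raw = $svc.PathName
        if ($raw -match '^"([^"]+)"') {
            $exe = $Matches[1]
        } else {
            # Unquoted: extend token by token until the path points at a real file
            $tokens = $raw -split ' '
            $exe = $tokens[0]
            for ($i = 1; $i -lt $tokens.Count -and -not (Test-Path -LiteralPath $exe); $i++) {
                $exe += ' ' + $tokens[$i]
            }
        }

        $outsideWindir = -not $exe.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
        $sigStatus = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
        } else {
            'FileMissing'
        }

        New-Object PSObject -Property @{
            Name          = $svc.Name
            DisplayName   = $svc.DisplayName
            State         = $svc.State
            StartMode     = $svc.StartMode
            Path          = $exe
            OutsideWindir = $outsideWindir
            Signature     = $sigStatus
        }
    } | Where-Object { $_.OutsideWindir -or $_.Signature -ne 'Valid' }
}

# Review the shortlist; services that start automatically from an unusual
# directory deserve the closest look.
Get-SuspectServices |
    Sort-Object StartMode, Name |
    Format-Table Name, State, StartMode, Signature, Path -AutoSize

# Keep a copy alongside the Autoruns export for later comparison
Get-SuspectServices | Export-Csv -Path services-triage.csv -NoTypeInformation
```

Two caveats for this platform. On Windows 2003, many legitimate Microsoft binaries are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature reports those as NotSigned; treat the Signature column as a hint and the directory check as the primary filter. And the script is only as honest as the kernel it runs on: a rootkit that hides a service from WMI will hide it from this listing too, which is why Tyrannus's RootkitRevealer pass belongs before trusting any such inventory.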

Chris Gralike (Specialist) commented:
As a sidenote on the comments,

I don't know what the true role of this server is in your network. But ask yourself one thing: if you were a hacker, would you make some things that obvious, or would you conceal stuff and let the obvious mask those processes?

On the far end, can the server still be trusted? And "if" it's a domain controller, can it be that the AD has been flushed already (NTLM hashes contained inside) and maybe all my accounts are compromised?

If you ask me, I would try and find the leak before fixing. Unplug WAN (if possible), fix the leak (if you can trace it using the logs), and reinstall the machine (if possible). Else all actions you take might be true for only a very short moment...

-Good luck, Regards...
0

jkaminsky (Author) commented:
Great point Chris, I'm looking at all these recommendations.
0