Windows 2003 Security Problem NEED HELP ASAP

Posted on 2007-08-03
Last Modified: 2013-12-04
I believe my server has been compromised by someone and I'm trying to close these ports. Can someone guide me in the direction to fix this ASAP?
1967 [Description: For your eyes only, WM FTP Server / Service: Unknown] 220- Microsoft server

4444 [Description: Crackdown, Oracle, Prosiak, Swift Remote / Service: Unknown] 220 Serv-U FTP Server v6.0 for WinSock ready

7800 [Description: Paltalk / Service: Unknown] 220 Serv-U FTP Server v4.1 for WinSock ready
Question by: jkaminsky
    LVL 32

    Expert Comment

    Yes, you are correct that some bootleg servers are running on your server.

    Please do the following:

    (1) Download Autoruns from:
    (2) Run the program. It lists a bunch of things that start when Windows starts.
    (3) From the menu bar, select Options, and uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
        Important -> Then click the Refresh button in the toolbar.
    (4) This will give you a shorter, more meaningful list.
    (5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.
    (6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.

    I highly recommend that you save the list created by Autoruns for future reference.

    Also, you can use the command "netstat -ab" at a command prompt to see what programs have which ports open. Use "netstat -ab > list.txt" to save that list to a file for later study as well.

    After you've got the most serious holes plugged you'll have to take further steps to remove any remaining infection and harden the server. I can post more tips after you try the above steps to get things under control a bit.
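The "netstat -ab" step above, carried through as an added example (not code from the thread): it maps every listening TCP port on the box to its owning process, image path and hosting service, and flags the three ports from the scan in the question. "netstat -ab" prints only the binary name and is slow; joining "netstat -ano" with WMI gives the full path and the service name as well. Assumed: an elevated PowerShell 2.0 (or later) prompt on the Windows 2003 host, and the port list and output file name are my choices. As later comments note, a kernel rootkit can hide entries from netstat and WMI alike, so an empty result for a port the remote scan sees open is itself a finding.

```powershell
# Added example, not from the original thread. Maps listening TCP ports to the
# owning process, its image path and any service hosted in that process, and
# flags the ports listed in the question. Assumes an elevated PowerShell 2.0+
# prompt; WMI ExecutablePath needs admin rights.

$suspectPorts = @(1967, 4444, 7800)   # ports from the scan in the question

# Parse lines of the form "  TCP    0.0.0.0:4444    0.0.0.0:0    LISTENING    1234"
$listeners = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            Address = $matches[1]
            Port    = [int]$matches[2]
            Pid     = [int]$matches[3]
        }
    }
}

$report = foreach ($l in $listeners) {
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId=$($l.Pid)"
    $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId=$($l.Pid)")

    # A PID that netstat reports but WMI cannot see is worth a closer look.
    $name = '<no such process>'; $image = ''
    if ($proc) { $name = $proc.Name; $image = $proc.ExecutablePath }

    New-Object PSObject -Property @{
        Port      = $l.Port
        Address   = $l.Address
        Pid       = $l.Pid
        Process   = $name
        ImagePath = $image
        Service   = ($svcs | ForEach-Object { $_.Name }) -join ','
        Suspect   = ($suspectPorts -contains $l.Port)
    }
}

# Suspect ports first, then everything else by port number; keep a copy for
# later comparison, as the comment recommends for the netstat and Autoruns output.
$report | Sort-Object @{Expression='Suspect'; Descending=$true}, Port |
    Format-Table Port, Pid, Process, Service, Suspect, ImagePath -AutoSize
$report | Export-Csv -Path (Join-Path $env:TEMP 'listeners.csv') -NoTypeInformation
```

Anything on 1967, 4444 or 7800 that resolves to an image outside the Windows or Program Files trees, or to a service name you do not recognise, is the first thing to disable in Autoruns and the service list; the saved CSV is the baseline to diff against after the reboot.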


    Author Comment

    There are a lot of "file not found" entries; should I check all those?
    LVL 32

    Expert Comment

    "..should I check all those"

    Did you mean "un-check", i.e. disable them?

    I would, but a safer thing might be to post those sections (or the entire log) of the Autoruns output here if you're not sure.
    LVL 27

    Accepted Solution

    For a fast scan you should download Prevx 2.0 first.

    Prevx 2.0 is the most powerful security solution in the world. It safeguards your PC and personal information from theft and attack by spyware, rootkits, trojans, viruses, bots, adware and all other forms of malware and crimeware.


    Apart from that make a scan with superantispyware (free version)

    After both are run, you can start to remove these FTP services. Since these did not get onto your computer without any further programs in the background, it's important to scan for that malware first.

    Then we can proceed with autoruns, as r-k suggests.

    LVL 1

    Expert Comment

    Use Process Explorer to find which applications you will need to remove. Looks like a FTP server, but I could be wrong. You can find the location and kill these processes. Also check the services under Computer Management.

    The hacker might have used rootkits to hide their stuff. Use Rootkit Revealer to see what is being hooked.

    A firewall will be able to close the unwanted ports. The most important part is to find how the hacker rooted your box. Check the logs and figure out what method the hacker used and close that door. This is assuming that the hacker left the logs unchanged for you to see. Double-check to see if the hacker made backdoors in case you patched their bypass.
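Two of the checks this comment asks for, written out as an added example (not code from the thread): a pass over the service list for binaries that live outside the Windows or Program Files trees or that no longer exist on disk, and a summary of successful logons from the Security log by account, logon type and source address, which is the quickest way to see which door was used. Assumed: an elevated PowerShell 2.0 (or later) prompt on the Windows 2003 host, logon auditing enabled in the local audit policy (otherwise the Security log has nothing to report), and the Windows 2003 event IDs 528 and 540 for successful logons (Vista/2008 and later use 4624 instead). The 30-day window and the "trusted" directory roots are my choices. As the comment says, this only works if the attacker left the logs alone; a 517 "audit log was cleared" event, or a log that simply starts late, is the tell when they did not.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell 2.0+
# prompt on the Windows 2003 host and that logon auditing is switched on.

# --- 1. Services whose image is outside the usual trees or missing on disk ---
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles) | ForEach-Object { $_.ToLower() }

$oddServices = Get-WmiObject Win32_Service | ForEach-Object {
    $path = $_.PathName
    if ($path) {
        # PathName may use %SystemRoot%, be quoted, and carry arguments:
        #   "C:\Tools\srv.exe" -service
        # An unquoted path with spaces splits at the first space, fails Test-Path
        # and is reported too, which is the right outcome for that misconfiguration.
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if ($path -match '^"([^"]+)"') { $path = $matches[1] }
        else { $path = ($path -split '\s+')[0] }

        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.ToLower().StartsWith($root)) { $inTrusted = $true }
        }
        $exists = Test-Path -LiteralPath $path

        if (-not $inTrusted -or -not $exists) {
            New-Object PSObject -Property @{
                Name = $_.Name; State = $_.State; StartMode = $_.StartMode
                Account = $_.StartName; Image = $path; Exists = $exists
            }
        }
    }
}

"--- Services outside $($trustedRoots -join ', ') or with a missing image ---"
$oddServices | Format-Table Name, State, StartMode, Account, Exists, Image -AutoSize

# --- 2. Successful logons in the last 30 days, grouped by who/how/from where ---
# Windows 2003 IDs: 528 = successful logon, 540 = successful network logon.
# Logon Type 2 = console, 3 = network (SMB, etc.), 10 = Remote Desktop.
$since  = (Get-Date).AddDays(-30)
$logons = Get-EventLog -LogName Security -EntryType SuccessAudit -After $since |
    Where-Object { $_.EventID -eq 528 -or $_.EventID -eq 540 } |
    ForEach-Object {
        $m = $_.Message
        $user = '?'; $type = '?'; $src = '-'
        if ($m -match 'User Name:\s*(\S+)')              { $user = $matches[1] }
        if ($m -match 'Logon Type:\s*(\d+)')             { $type = $matches[1] }
        if ($m -match 'Source Network Address:\s*(\S+)') { $src  = $matches[1] }
        New-Object PSObject -Property @{
            Time = $_.TimeGenerated; User = $user; Type = $type; Source = $src
        }
    }

"--- Successful logons since $since (User, Logon Type, Source address) ---"
$logons | Group-Object User, Type, Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A service account you did not create, a type 10 logon from an address you do not recognise, or a burst of type 3 logons for an admin account right before the FTP daemons appeared are the entries to chase; the Security log's first entry date, compared with the server's uptime, tells you whether anything was cleared.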
    LVL 10

    Expert Comment

    As a sidenote on the comments,

    I don't know what the true role of this server is in your network. But ask yourself one thing: if you were a hacker, would you make some things that obvious, or would you conceal stuff and let the obvious mask those processes?

    On the far end, can the server still be trusted? And if it's a domain controller, can it be that the AD has been dumped already (NTLM hashes contained inside) and maybe all my accounts are compromised?

    If you ask me, I would try and find the leak before fixing. Unplug the WAN (if possible), fix the leak (if you can trace it using the logs), and reinstall the machine (if possible). Else all actions you take might be true for only a very short moment...

    -Good luck, Regards...

    Author Comment

    Great point Chris, I'm looking at all these recommendations.
