jkaminsky

Windows 2003 Security Problem NEED HELP ASAP

I believe my server has been compromised by someone and I'm trying to close these ports. Can someone guide me in the direction to fix this ASAP?
1967 [Description: For your eyes only, WM FTP Server / Service: Unknown] 220- Microsoft server

4444 [Description: Crackdown, Oracle, Prosiak, Swift Remote / Service: Unknown] 220 Serv-U FTP Server v6.0 for WinSock ready

7800 [Description: Paltalk / Service: Unknown] 220 Serv-U FTP Server v4.1 for WinSock ready
r-k

Yes, you are correct that some bootleg servers are running on your server.

Please do the following:

(1) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.
(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.

I highly recommend that you save the list created by Autoruns for future reference.

Also, you can use the command "netstat -ab" at a command prompt to see what programs have which ports open. Use "netstat -ab > list.txt" to save that list to a file for later study as well.

After you've got the most serious holes plugged you'll have to take further steps to remove any remaining infection and harden the server. I can post more tips after you try the above steps to get things under control a bit.
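The "netstat -ab" step above is only useful once each listening port is tied to the image on disk that owns it. The script below is an added example, not code from this thread or from any of the posters: it parses constructed text shaped like the output of "netstat -ano" and "wmic process get ProcessId,ExecutablePath /format:csv" (both available on Windows 2003), joins them by PID, and flags listeners that are off a baseline of expected services, that run from outside trusted directories, or whose PID has no matching process at all. The three ports from the question (1967, 4444, 7800), the process paths, and the expected-listener baseline are all assumptions made up for the sample; the baseline in particular must be adjusted to the real server's role.

```python
"""Triage Windows listeners by joining "netstat -ano" with process image paths.

Added example for this thread; it is not code from the original post. The two
samples below are constructed to look like "netstat -ano" and
"wmic process get ProcessId,ExecutablePath /format:csv" on a Windows 2003 host.
On a real box, capture those commands to files and feed the text to the parsers.
"""
import csv
import io
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote state pid")

# Constructed sample (not from the original post): the three unexpected ports
# from the question, plus the usual Windows 2003 listeners.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1967           0.0.0.0:0              LISTENING       2364
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2364
  TCP    0.0.0.0:7800           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:4444      203.0.113.7:51822      ESTABLISHED     2364
  UDP    0.0.0.0:161            *:*                                    1500
"""

# Constructed sample (not from the original post). PID 4 (System) has no image path.
WMIC_SAMPLE = r"""
Node,ExecutablePath,ProcessId
SRV01,,4
SRV01,C:\WINDOWS\system32\svchost.exe,812
SRV01,C:\WINDOWS\system32\svchost.exe,1044
SRV01,C:\WINDOWS\system32\snmp.exe,1500
SRV01,C:\RECYCLER\S-1-5-21-1\svchost.exe,2364
SRV01,C:\WINDOWS\system32\inetsrv\winsock.exe,3120
"""

EXPECTED_LISTENERS = {  # assumed baseline for this host; adjust to the server's real role
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 445): "SMB",
    ("TCP", 3389): "Remote Desktop",
    ("UDP", 161): "SNMP",
}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}


def parse_netstat(text):
    """Parse 'netstat -ano' rows into Socket tuples (UDP rows have no State column)."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        ip, port = local.rsplit(":", 1)
        sockets.append(Socket(proto, ip, int(port), remote, state, int(pid)))
    return sockets


def parse_wmic_paths(text):
    """Map PID -> executable path from wmic CSV output (column order does not matter)."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {int(r["ProcessId"]): r["ExecutablePath"] for r in rows}


def triage_listeners(sockets, paths, expected=EXPECTED_LISTENERS, trusted=TRUSTED_DIRS):
    """One finding per listening socket that is off-baseline, served from an untrusted
    directory, or owned by a PID with no visible process (exited, or hidden from WMI)."""
    findings = []
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        reasons = []
        if (s.proto, s.local_port) not in expected:
            reasons.append("port not in expected-listener baseline")
        if s.pid not in paths:
            reasons.append("no process found for PID (exited, or hidden from WMI)")
        else:
            path = paths[s.pid].lower()
            if path and not path.startswith(trusted):
                reasons.append("image outside trusted directories: " + paths[s.pid])
        if reasons:
            findings.append({"proto": s.proto, "port": s.local_port, "pid": s.pid,
                             "path": paths.get(s.pid, ""), "reasons": reasons})
    return sorted(findings, key=lambda f: (f["proto"], f["port"]))


def active_peers(sockets, pids):
    """Remote endpoints currently connected to the given PIDs (who is using the port now)."""
    peers = {}
    for s in sockets:
        if s.state == "ESTABLISHED" and s.pid in pids:
            peers.setdefault(s.pid, []).append(s.remote)
    return peers


def masquerading_system_images(paths):
    """PIDs whose image name is a core Windows binary but whose folder is not system32."""
    hits = {}
    for pid, path in paths.items():
        folder, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_IMAGES and folder != r"c:\windows\system32":
            hits[pid] = path
    return hits


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    paths = parse_wmic_paths(WMIC_SAMPLE)
    findings = triage_listeners(socks, paths)
    for f in findings:
        print("%s/%d pid %d: %s" % (f["proto"], f["port"], f["pid"], "; ".join(f["reasons"])))
    print("peers:", active_peers(socks, {f["pid"] for f in findings}))
    print("masquerading:", masquerading_system_images(paths))
```

Two practical notes: real wmic output is UTF-16 text, so decode the captured file before handing it to parse_wmic_paths; and a listener whose PID has no process in the WMI list is worth as much attention as a known-bad port, because on a rooted box that is what a hidden process looks like from user mode.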

jkaminsky (asker)

There are a lot of "file not found" entries; should I check all those?
"..should I check all those"

Did you mean "un-check", i.e. disable them?

I would, but a safer thing might be to post those sections (or the entire log) of the Autoruns output here if you're not sure.
ASKER CERTIFIED SOLUTION
Tolomir
This solution is only available to members.

Use Process Explorer to find which applications you will need to remove. Looks like an FTP server, but I could be wrong. You can find the location and kill these processes. Also check the services under Computer Management.
http://www.softpedia.com/get/System/System-Info/Process-Explorer.shtml

The hacker might have used rootkits to hide their stuff. Use Rootkit Revealer to see what is being hooked.
http://www.download.com/RootkitRevealer/3000-2248_4-10543917.html

A firewall will be able to close the unwanted ports. The most important part is to find out how the hacker rooted your box. Check the logs and figure out what method the hacker used, and close that door. This is assuming that the hacker left the logs unchanged for you to see. Double-check to see if the hacker made backdoors in case you patched their bypass.
As a sidenote on the comments,

I don't know what the true role of this server is in your network. But ask yourself one thing: if you were a hacker, would you make some things that obvious, or would you conceal stuff and let the obvious mask those processes?

On the far end, can the server still be trusted? And if it's a domain controller, can it be that the AD has been flushed already (NTLM hashes contained inside) and maybe all my accounts are compromised?

If you ask me, I would try and find the leak before fixing. Unplug the WAN (if possible), fix the leak (if you can trace it using the logs), and reinstall the machine (if possible). Otherwise all actions you take might be true for only a very short moment...

-Good luck, Regards...
Great point Chris, I'm looking at all these recommendations.