Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Windows 2003 Security Problem NEED HELP ASAP

Posted on 2007-08-03
Medium Priority
Last Modified: 2013-12-04
I believe my server has been compromised by someone and Im trying to close these ports can someone guide me in the direction to fix this ASAP
1967 [description: For your eyes only, WM FTP Server / Server: Uknown] 220- Microsoft server

4444 [Description: Crackdown, Oracle, Prosiak, Swift Remote / Service: Uknown] 220 Serv- U FTP Server v6.0 for WinSock ready

7800 [Description: Paltalk / Service: Uknown] 220 Serv-U FTP Server v4.1 for WinSock ready
Question by:jkaminsky
LVL 32

Expert Comment

ID: 19630018
Yes, you are correct that some bootleg servers are running on your server.

Please do the following:

(1) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.
(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.

I highly recommend that you save the list created by Autoruns for future reference.

Also, you can use the command "netstat -ab" at a command prompt to see what programs have which ports open. Use "netstat -ab > list.txt" to save that list to a file for later study as well.

After you're got the most serious holes plugged you'll have to take further steps to remove any remaining infection and harden the server. I can post more tips after you try the above steps to get things under control a bit.


Author Comment

ID: 19630058
There are a lot of files not found on should I check all those
LVL 32

Expert Comment

ID: 19630061
"..should I check all those"

Did you mean "un-check", i.e. disable them?

I would, but a safer thing might be to post thise sections (or the entire) of the Autoruns log here if you're not sure.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 27

Accepted Solution

Tolomir earned 2000 total points
ID: 19630412
For a fast scan you should download prevx 2.0 first.

PREVX 2.0 is the most powerful security solution in the World.It safeguards your PC and personal information from theft and attack by Spyware, Rootkits, Trojans, Viruses, Bots, Adware and all other forms of Malware and Crimeware.


Apart from that make a scan with superantispyware (free version)


After both are run, you can start to remove these ftp services. Since these did not get onto your computer without any further programs in the background it's important to scan for these  malewares 1st.

Then we can proceed with autoruns, as r-k suggests.


Expert Comment

ID: 19634477
Use Process Explorer to find which applications you will need to remove. Looks like a FTP server, but I could be wrong. You can find the location and kill these processes. Also check the services under Computer Management.

The hacker might have used rootkits to hide their stuff. Use Rootkit Revealer to see what is being hooked.

A firewall will be able to close the unwanted ports. The most important part is to find how the hacker rooted your box. Check the logs and figure out what method the hacker used and close that door. This is assuming that the hacker left the logs unchanged for you to see. Double check to see if the hacker made backdoors incase you patched their bypass.
LVL 11

Expert Comment

by:Chris Gralike
ID: 19643067
As a sidenote on the comments,

I dont know what the true role of this server is in your network. But ask yourself one thing, If you where a hacker, would you make some things that obvious or would you conseal stuff and let the obvious mask those processes?

On the far end, can the server still be trusted. And "if" its a domain controller, can it be that the AD has been flushed allready (NTLM hashes contained inside) and maybe all my accounts are compromised?

If you ask me, i would try and find the leak before fixing. Unplug wan (if possible), fix the leak (if you can trace it using the logs), and reinstall the machine (if possible). Else all actions you take might be true for only a very short moment...

-Good luck, Regards...

Author Comment

ID: 19646086
Great point Chris I'm looking at all these recomendations

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Experts Exchange expands question security options for members.
Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question