Hacked by my own server?

Posted on 2009-02-18
Last Modified: 2013-11-22
Here is a report of something I got from my antivirus software server (we use Kaspersky Enterprise):

Event Hacker attack detection happened on computer FHALE in the domain OWPRNETWORK at Mon Feb 16 10:56:44 2009 Intrusion.Win.LSASS.exploit! Attacker's IP address: Protocol/service: TCP on local port 139. Time: 2/16/2009 10:56:44 AM

Attacker's IP address: is my domain controller, file server, print server...

Should I be freaking yet?

What do i do?

Thanks as usual,

Question by:jpertchik
    LVL 31

    Accepted Solution

    The LSASS exploit was patched in XP SP2, and is blocked by the firewall when it comes from the internet, and finally Kaspersky detects and blocks it as well. So the workstation is safe. But the fact that it's coming from your domain controller is disconcerting. Those kinds of attacks typically come from somewhere out on the internet.

    If you have a rogue process running on your domain controller, your whole network is compromised and it's reason to be freaking. Examine the DC thoroughly for anything suspicious. Run antivirus scans, run hijackthis, run sysinternals process explorer and sysinternals autoruns, identify any strange looking processes or services, and terminate them.

    If you were compromised, check your users and your group policies for suspicious entries. If I were a hacker and I gained control over a domain controller, the first thing I'd do is create an administrator user so that I have free rein over the whole network. Look for strange shares or permissions added to critical folder shares, newly created users, and administrator users which have had their passwords changed.

    Good luck
    LVL 23

    Expert Comment

    In addition to the above advice, please check your DC and other servers for missing operating system or other critical patches; Microsoft Baseline Security Analyzer is a good tool to assist here.
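    The checks the accepted solution lists (newly created users, privileged accounts with recently changed passwords, Domain Admins membership, odd shares, odd services) and the patch check in the comment above can be scripted so you get a snapshot to compare against what you expect. The script below is an added example and is not part of either answer. It assumes you run it as a domain administrator on the DC (or a domain-joined host) with PowerShell installed; it uses ADSI/DirectorySearcher rather than the ActiveDirectory module so it does not depend on newer RSAT bits, and the 14-day window is an arbitrary starting point.

```powershell
# Added DC triage snapshot (example, not from the original answers).
# Assumes: run as a domain admin on the DC or a domain-joined host.
param([int]$Days = 14)   # how far back "recent" reaches (assumption)

$since = (Get-Date).AddDays(-$Days)
# LDAP generalized-time form used in whenCreated filters
$stamp = $since.ToUniversalTime().ToString("yyyyMMddHHmmss.0Z")

$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.PageSize   = 1000
$searcher.PropertiesToLoad.AddRange([string[]]@("samaccountname","whencreated","pwdlastset","member"))

# 1. Users created inside the window (new accounts an intruder may have added)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(whenCreated>=$stamp))"
"== Users created since $since =="
foreach ($r in $searcher.FindAll()) {
    "{0,-25} created {1}" -f $r.Properties["samaccountname"][0], $r.Properties["whencreated"][0]
}

# 2. Privileged accounts and their last password change.
#    adminCount=1 is stamped by SDProp on members of protected groups.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(adminCount=1))"
"== Privileged accounts (adminCount=1) and pwdLastSet =="
foreach ($r in $searcher.FindAll()) {
    $pls  = [DateTime]::FromFileTime([int64]$r.Properties["pwdlastset"][0])
    $flag = if ($pls -ge $since) { "  <-- changed recently" } else { "" }
    "{0,-25} pwdLastSet {1}{2}" -f $r.Properties["samaccountname"][0], $pls, $flag
}

# 3. Current Domain Admins membership (compare against the expected list)
$searcher.Filter = "(&(objectClass=group)(cn=Domain Admins))"
"== Domain Admins members =="
$searcher.FindOne().Properties["member"] | ForEach-Object { "  $_" }

# 4. Shares on this host other than the admin shares, NETLOGON and SYSVOL
"== Non-default shares =="
Get-WmiObject Win32_Share |
    Where-Object { $_.Name -notmatch '\$$' -and $_.Name -notin @("NETLOGON","SYSVOL") } |
    Select-Object Name, Path, Description

# 5. Services whose binary lives outside the Windows and Program Files trees
"== Services with unusual binary paths =="
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -notmatch '^"?[a-z]:\\(windows|winnt|program files)' } |
    Select-Object Name, State, StartMode, PathName

# 6. Installed hotfixes, to cross-check against the MBSA report
"== Installed hotfixes =="
Get-WmiObject Win32_QuickFixEngineering | Select-Object HotFixID, InstalledOn
```

    Run it once, save the output, and diff later runs against it; a privileged account whose pwdLastSet moved inside the window, or a Domain Admins member nobody recognises, is exactly the kind of entry the accepted solution says to look for. The `-notin` operator in section 4 needs PowerShell 3 or later; on older hosts replace it with two `-ne` comparisons.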

