Ali
Guest
Posted: Wed Nov 23, 2005 6:23 am
Post subject: Hacked Windows 2000 Server
Hi,
I published this to a Windows Support group and have got zilch in the
way of replies - this seems to be the best group I've found so far and
am hoping someone may be able to help with this problem I have.
I have just patched up a client server after its security was
compromised but am unable to open the add/remove programs applet
from the control panel. The mouse icon briefly flickers then does
nothing. I don't really have the option of rebuilding this system so
would really like to fix this.
This is a Windows 2000 Server running SP4 and IIS 5 - this hosts their
website to the outside world and is most likely how the hackers got in.
The initial hack was in the form of r_server.exe running as a service,
I've seen this before so know it's a form of remote control. The
server also had a second service - qostcp... (I can't quite remember
the exact name), this was listening on port 443 preventing their usual
ssl site from working.
All this was pretty simple to clean off although I'd love to know the
specifics on how they got them on there! The bit that is stumping me
right now is the add/remove programs applet, I'm guessing they've (the
hacker) locked this down somehow. I've tried re-registering related
.dll files but have got nowhere.
If anyone has seen this problem or any ideas and can help with this it
would be greatly appreciated. Also, if anyone knows more information
on how they got the remote control on the server that would be really
useful to have for securing this.
Kind regards
Alastair
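The triage Ali did by hand (spotting r_server.exe as a service and an unknown service holding TCP 443) can be turned into a repeatable check. The script below is an added example, not code from the thread. It assumes two captures taken on the suspect host: netstat output that includes the owning PID for each socket (netstat -ano on XP and later; Windows 2000's own netstat cannot print the PID, so there you would take the port-to-process mapping from a separate tool) and a PID-to-image map as lifted from tasklist. Both samples are constructed to mirror the post; the PIDs, addresses and the qostcp.exe image name are made up, and the baseline table is whatever the administrator knows the box should expose.

```python
"""
Rogue-listener triage over captured command output.

Added example; not code from the thread.  Inputs are a netstat capture with
PIDs and a PID -> image map; the baseline says which image may own which
TCP port.  Every listener outside the baseline, or owned by the wrong image,
is a finding.
"""
import re

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1788
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING       1656
  TCP    192.0.2.10:80          198.51.100.7:51522     ESTABLISHED     1044
  UDP    0.0.0.0:445            *:*                                    8
"""

# Constructed PID -> image map, as you would lift from `tasklist`.
PROCESS_SAMPLE = {
    1044: "inetinfo.exe",   # IIS 5
    1788: "qostcp.exe",     # the half-remembered rogue service name from the post
    1656: "r_server.exe",   # Radmin server; 4899 is its default port
    8: "System",
}

# Baseline for this host: which image is allowed to own which TCP port.
# Anything listening that is not in this table is a finding.
EXPECTED_LISTENERS = {
    80: "inetinfo.exe",
    443: "inetinfo.exe",
}

# One LISTENING row of netstat -ano: proto, local addr:port, foreign, state, pid.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text):
    """Return [(port, pid), ...] for every TCP socket in LISTENING state.

    Established connections and UDP rows are skipped on purpose: the question
    here is what the box offers to the network, not who is talking to it.
    """
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((int(m.group("port")), int(m.group("pid"))))
    return listeners


def triage(netstat_text, pid_to_image, expected):
    """Compare observed listeners against the expected baseline.

    Returns a list of (port, image, reason) findings:
      - a baseline port owned by the wrong image (443 held by qostcp.exe
        instead of inetinfo.exe, which is exactly why the SSL site broke)
      - any port not in the baseline at all (Radmin on 4899)
    """
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown pid %d>" % pid)
        if port in expected:
            if image.lower() != expected[port].lower():
                findings.append((port, image, "expected %s" % expected[port]))
        else:
            findings.append((port, image, "not in listener baseline"))
    return findings


if __name__ == "__main__":
    for port, image, reason in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE, EXPECTED_LISTENERS):
        print("TCP %-5d %-16s %s" % (port, image, reason))
```

Run against the constructed capture it reports 443 owned by qostcp.exe and 4899 owned by r_server.exe; port 80 under inetinfo.exe is silent. The baseline is deliberately an allowlist of image names rather than a blocklist of known bad ones, so a renamed remote-control binary on a new port still surfaces.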
Triffid
Guest
Posted: Wed Nov 23, 2005 6:41 am
Post subject: Re: Hacked Windows 2000 Server
Ali wrote:
Quote:
Hi,
I published this to a Windows Support group and have got zilch in the
way of replies - this seems to be the best group I've found so far and
am hoping someone may be able to help with this problem I have.
I have just patched up a client server after its security was
compromised but am unable to open the add/remove programs applet
from the control panel. The mouse icon briefly flickers then does
nothing. I don't really have the option of rebuilding this system so
would really like to fix this.
You don't have that option either. You cannot 'fix' a compromised system
because you do not know exactly what unauthorised changes were made. The
system should be considered compromised until such time as it has been
rebuilt from trusted, original media while disconnected from the
network. The system should then be hardened, and reconnected behind a
properly configured firewall.
Triffid
Quote:
This is a Windows 2000 Server running SP4 and IIS 5 - this hosts their
website to the outside world and is most likely how the hackers got in.
The initial hack was in the form of r_server.exe running as a service,
I've seen this before so know it's a form of remote control. The
server also had a second service - qostcp... (I can't quite remember
the exact name), this was listening on port 443 preventing their usual
ssl site from working.
All this was pretty simple to clean off although I'd love to know the
specifics on how they got them on there! The bit that is stumping me
right now is the add/remove programs applet, I'm guessing they've (the
hacker) locked this down somehow. I've tried re-registering related
.dll files but have got nowhere.
If anyone has seen this problem or any ideas and can help with this it
would be greatly appreciated. Also, if anyone knows more information
on how they got the remote control on the server that would be really
useful to have for securing this.
Kind regards
Alastair
Duane Arnold
Guest
Posted: Wed Nov 23, 2005 9:22 am
Post subject: Re: Hacked Windows 2000 Server
Quote:
If anyone has seen this problem or any ideas and can help with this it
would be greatly appreciated. Also, if anyone knows more information
on how they got the remote control on the server that would be really
useful to have for securing this.

Most likely it is insecure web applications developed by web programmers. I
found out from some training that someone can hack right through a textbox
control issuing commands to the O/S if the underlying parts of the
application are not secure.
Don't they have a server that you can rebuild and try to secure as much as
possible? I wouldn't trust a compromised web server.
Duane :)
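Duane's "hack right through a textbox" is OS command injection: a form value reaches a shell, and the shell's metacharacters turn it into a second command. The example below is added here and is not code from the thread or from the client's site. It models a constructed "run a diagnostic against a host the user typed" form; `echo` stands in for the real program (ping, nslookup, and so on) so that it runs offline. Note that `echo` is a cmd.exe builtin on Windows, so substitute a real executable such as ping.exe if you adapt the hardened path there.

```python
"""
OS command injection through a web form field: vulnerable and hardened.

Added example; not from the thread.  The vulnerable path splices the form
value into a shell command line; the hardened path validates against an
allowlist pattern and hands the value to the child as one argv element with
no shell in between.
"""
import re
import subprocess

# Stand-in for the real diagnostic command (ping, nslookup, ...).
BASE_COMMAND = "echo checking"


def run_vulnerable(host):
    """The classic bug: the form value is spliced into a shell command line.

    With shell=True the string is handed to cmd.exe (/bin/sh elsewhere), and
    '&' is a command separator in both, so a value such as
    '127.0.0.1 & echo INJECTED' runs a second command of the sender's choice.
    Swap 'echo INJECTED' for anything (adding a user, fetching and installing
    a remote-control service) and you have the thread's scenario.
    """
    command_line = BASE_COMMAND + " " + host
    result = subprocess.run(command_line, shell=True, capture_output=True, text=True)
    return result.stdout


# Allowlist pattern for a DNS hostname or dotted IPv4: labels of letters,
# digits and hyphens, separated by dots.  Nothing else gets through, so
# blocklisting individual metacharacters is never needed.
HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"^%s(?:\.%s)*$" % (HOST_LABEL, HOST_LABEL))


def is_valid_host(host):
    """True only for a syntactically plausible hostname or IPv4 address."""
    return len(host) <= 253 and HOST_RE.match(host) is not None


def run_hardened(host):
    """Validate against the allowlist, then pass an argv list with shell=False.

    No shell ever parses the value: it arrives in the child's argv as one
    argument, whatever characters it holds.  Validation is still done first
    so a bad value is rejected at the boundary instead of reaching the tool.
    """
    if not is_valid_host(host):
        raise ValueError("rejected host value: %r" % host)
    argv = BASE_COMMAND.split() + [host]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1 & echo INJECTED"
    print("vulnerable:", run_vulnerable(payload).strip().replace("\n", " | "))
    print("hardened  :", run_hardened("127.0.0.1").strip())
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

The two fixes are independent and both are needed: shell=False stops the shell from interpreting the value, and the allowlist stops a hostile value from reaching the tool's own option parser (a leading '-' would otherwise be read as a flag by many programs).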
Wolfgang Kueter
Guest
Posted: Wed Nov 23, 2005 3:39 pm
Post subject: Re: Hacked Windows 2000 Server
On Tue, 22 Nov 2005 16:23:00 -0800, Ali wrote:
Quote:
I have just patched up a client server after its security was
compromised
Doesn't work.
Quote:
but am unable to open the add/remove programs applet
from the control panel. The mouse icon briefly flickers then does
nothing. I don't really have the option of rebuilding this system so
would really like to fix this.
There is and never has been any other fix for a compromised system than
a complete rebuild. Stop whining, don't lose more time, start reinstalling
the box *now*.
Wolfgang
Mike
Guest
Posted: Thu Nov 24, 2005 12:02 am
Post subject: Re: Hacked Windows 2000 Server
Ali wrote:
Quote:
The initial hack was in the form of r_server.exe running as a service,
I've seen this before so know it's a form of remote control.
That'll be the program Radmin from www.radmin.com. Not a virus or trojan
but a perfectly legit remote access program. Anyway, as others have
said, don't patch. Rip it out, format and rebuild securely with a proper
hardware firewall.
Leythos
Guest
Posted: Thu Nov 24, 2005 12:14 am
Post subject: Re: Hacked Windows 2000 Server
In article <us-dnb52z5A9MxneRVnyug@pipex.net>, honey@michaelmoyse.co.uk
says...
Quote:
Ali wrote:
The initial hack was in the form of r_server.exe running as a service,
I've seen this before so know it's a form of remote control.
That'll be the program Radmin from www.radmin.com. Not a virus or trojan
but a perfectly legit remote access program. Anyway, as others have
said, don't patch. Rip it out, format and rebuild securely with a proper
hardware firewall.
We use RADMIN 2.1 on our networks for all machines and servers, it works
well and has for years, but Symantec detects it as a trojan so we
manually include an exception for it.
--
spam999free@rrohio.com
remove 999 in order to email me
Mike
Guest
Posted: Thu Nov 24, 2005 4:47 pm
Post subject: Re: Hacked Windows 2000 Server
Leythos wrote:
Quote:
We use RADMIN 2.1 on our networks for all machines and servers, it works
well and has for years, but Symantec detects it as a trojan so we
manually include an exception for it.

Sounds about par for the course for Symantec ;-)