Hackers on my SBS 4.5!!!! (HELP)

araspa

IS-IT--Management
Aug 4, 2003
AU
My ISP sent me an email informing me mid month that I was 1 gig over!!

Doing a NETSTAT from DOS I find a whole heap of ports and domains (that are definitely not from us!)

I've gone into MS Proxy (2.0)
My Server --> Right Click --> Properties --> Security
1) I've ticked Enable packet filtering ... left it as default.. what should they be?
2) Domain Filters .. I've explicitly denied the domains that I didn't know, i.e.
adelphia.net
ameritech.net
comcast.net
cox.net
dialsprint.net

Is this just denying INTERNAL users from accessing these web sites .. if so, not what I want!

Under Local Address Table I've put only our specific IP range.

Now when I do a NETSTAT all of those domains are gone but I've got
Localhost: 1691, 1693, 1050, 1034, 1111, 1107, 1125, 1121, 1130, 1126, 1144, 1140, 1162, 1159, 13671, 1181
open.

Is there some sort of (FREEWARE) software that can scan for any programs that have been loaded?

Any specific place to look in the registry?

HELP !!!!!!!!!!!!!!!!!!!!!!
 
First: do you have a firewall? If not, GET ONE!! And I mean that in the nicest, fastest possible way.

Next:
You can go to and click on OUR TOOLS on the left side. That has a free port scanner.
As well, check the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and RunServices folders.
Also, run hijackthis available at run it and post the log that generates. Don't delete anything it finds yet.
Check all your local and domain accounts, make sure all have strong passwords or are disabled. Shut down FTP and on all PCs and servers that do not require it.
Enable failed logon attempts.

Are you having a problem with relaying email?

Corie
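
The NETSTAT check discussed in this thread, as an added example that is not part of any poster's message: a Python script that separates loopback-only sockets from listeners reachable beyond loopback and from established connections whose remote end lies outside the internal range (the same idea as the proxy's Local Address Table). The sample output, its addresses and ports, the internal range and the `triage` and `is_internal` helpers are all constructed for illustration; it assumes numeric `netstat -an` output.

```python
import ipaddress
from collections import Counter

# Constructed `netstat -an` output; all addresses are documentation/private ranges.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1691         127.0.0.1:1693         ESTABLISHED
  TCP    192.168.16.2:139       192.168.16.40:1055     ESTABLISHED
  TCP    203.0.113.10:25        198.51.100.7:4312      ESTABLISHED
  TCP    203.0.113.10:25        198.51.100.9:2210      ESTABLISHED
  TCP    203.0.113.10:1080      192.0.2.55:3301        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

def is_internal(addr, internal_nets):
    """True for loopback or an address inside one of the internal ranges."""
    if addr.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # resolved host name: count it as external and review it
    return ip.is_loopback or any(ip in net for net in internal_nets)

def triage(netstat_text, internal_ranges):
    """Return (ports listening beyond loopback, Counter of external peers per local port)."""
    nets = [ipaddress.ip_network(r) for r in internal_ranges]
    listening, external = set(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # header, blank lines, UDP rows (no state column)
        laddr, _, lport = fields[1].rpartition(":")
        faddr = fields[2].rpartition(":")[0]
        if fields[3] == "LISTENING" and not is_internal(laddr, []):
            listening.add(int(lport))
        elif fields[3] == "ESTABLISHED" and not is_internal(faddr, nets):
            external[int(lport)] += 1
    return sorted(listening), external

if __name__ == "__main__":
    ports, ext = triage(SAMPLE, ["192.168.16.0/24"])
    print("listening beyond loopback:", ports)
    for port, count in ext.most_common():
        print(f"local port {port}: {count} peer(s) outside the internal range")
```

Sockets with loopback at both ends never leave the machine, so the local ports worth reviewing are the ones that show peers outside the internal range.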
 
Thanks for the reply ...

OK, checking with the port scanner it all came up Green (OK)
Checking with Hijackthis, the only thing that looks out of place is

mstinit.exe /logon

I've downloaded Kerio (good firewall and works with NT4) and Wins wants to connect to
microsoft-ds.mcast.net
224.0.1.24

The only problem is .. now we have no mail :(
 
Actually we have incoming mail but not outgoing....get stuck in the Exchange 5.5 queue. (STUPID NT4 box)

Looks like they are attaching themselves to our Exchange server???



 
Make sure port 25 is open on the firewall and Internet Mail Service is running.
Open IMS, click on Routing and check the Reroute Incoming SMTP... box. Add your domain and reroute to INBOUND.
Click on Routing Restrictions, and uncheck the box next to Hosts and Clients that can successfully authenticate. Check the box next to Hosts and Clients with these addresses and leave that box blank.
That will stop any relaying, and should restore the internet mail.

Corie
 