Help, I have been Hacked

[ftoddt]

Well shoot. Do to some ignorance on my part and others, my network has been hacked. Had a server temporarily not protected by the firewall. Had about 2000 print jobs in the que by users who are not there in the middle of the night. Printer definitely out of paper. Have found hacktool, and other viruses floating around.
How can I be sure that there are no hacker programs or trojans have been installed that will reopen ports in the night and allow a hacker inside. I have updated all service packs, and security patches. Antivirus and Firewall up to date. I have removed all viruses that antivirus has found. All servers and computers are scanning clean by various antivirus programs from different vendors. Still going over file permissions on servers and tighting them up. What should I look for in addition to the above.
Thanks in advance. This site is awesome.

 

[SYAR2003]

Hi!
AV's don't neccesary find all scumware like hacker troj's
Try scan with

http://www.trojanscan.com

 

[ftoddt]

Thank You,
I will check try it for sure.
Todd

 

[Xemus]

I would recomend a backup of data files and reinstalling the server. That's the only way you'll be sure it's clean. Rootkits are very hard to detect, due to the fact that most hide as normal files.

http://www.closedsocket.com

 

[ftoddt]

Thanks, I am not sure the file server or any of the servers were affected but cannot be totally sure. Did find a virus on the backup domain controller called wincom.exe but that is all so far but if the hacker used a password sniffer, would it not be sniffing the active directory users files?
Thanks I will do the backup and reinstall to be sure if you think it is necessary. I have a lot of configurations in the domain controllers and isa servers which will require a lot of time
Todd