
Nimda - or a more serious hack?


todobear (Programmer, US), Aug 18, 2001
Back in Sept a client's Win2k SBS server got hit by Nimda - despite having a full complement of critical patches. It took about a week to clean the server and stations and make some changes to lock down the router, and everything seemed back to normal. About a week ago, we suddenly discovered that we could no longer administer Routing and Remote Access - attempting to expand it or view properties gives 'you do not have sufficient permissions'. The routing service looks normal, is still under the control of LocalSystem, and starts/stops normally. Clients can still VPN in. But we can't view or administer.

2 days ago, the server began once again spewing data on SMTP/25. This is despite the fact that the server and all systems on the network come up clean under Inoculan scans. And even though we have closed down high ports on the Netopia router, it appears as if some high port traffic is still getting through.

We'd be interested and appreciative to hear any opinions/suggestions on this case. Are the 2 problems connected? Is it Nimda again? Or have we been backdoored? Do we give up and reformat/reinstall?

Thanks in advance,
Michel Bolsey
 
I feel a bit like a broken record here (and if you fully understand that metaphor then you understand I've been at this for a while): Once compromised with NIMDA, the only way to be CERTAIN you are clean is to do a FULL FORMAT and REINSTALL. Restoring from a pre-CodeRed backup will work so long as you fully patch the machine before you reattach it to the network. Note that NIMDA built on vulnerabilities created by CodeRed- you got taken by CodeRed first, NIMDA second.

Without more details that you probably shouldn't offer over a public forum there is no way to certify that you've been backdoored, but it sure as heck sounds as if you have been. Nimda opened up your machine to anyone who came looking - somebody did and gave themselves admin access through any one of countless backdoors that can be installed. A backdoor is NOT necessarily a virus; it is a configuration change that allows an unknown remote user to administer your machine.

Hunting down what backdoors are in place (and I guarantee you if there is one, there are several) is an excellent intellectual exercise, but there is no way you can be absolutely certain you got them all. Good luck.
 