Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NT Hacked? How can I tell? Where can I look?

Status
Not open for further replies.
useractive

useractive

Programmer
Jun 21, 2001
98
0
0
US
I have a feeling an NT Server in a remote office has been the victim of foul play. Ever since Monday, accounts have been locked out after 3 attempts (when nobody was on the system) and other such weird things. The event viewer log was also cleared for the day of the 15th only. My questions are these:

Is there a way to look around and see if anything was installed on there? (Packet sniffer, etc).

Is there a way to tell if anything has been done like password programs or other type stuff installed?

I'm looking at getting zone alarm to run across the computer to tell, but I want to trace back the IP address of whatever did this somehow. Any suggestions or comments would be helpful.

Thanks,
Swish
 
Sort by date Sort by votes
You can allways search the drive for files modified since the suspected date. Take a good look at all the trojans out there and understand what they do, i.e., if you find a program root.exe (nimda) is on the box. It is important to keep up on this if the server is running iis and does not have urlscan or a good firewall you've probably got nimda. To find out info for the future start auditing the files in the system you think are important. Just having a lockout means someone was trying not neccessarily succeeding.

Hope that helps


 
Upvote 0 Downvote
do a netstat at a dos prompt on the server. this will tell you if anything is connected/listening/established on the various ports.
 
Upvote 0 Downvote
Better yet - go to download.com and get two applications that were instrumental to my tracing of the perp who was using my web server as a DDOS zombie.

Get ActivePorts and then go our and get Belarc. I managed to find out that IRC port was running on the box and then used Belarc - it details EVERYTHING on the machine. I noted a copy of mIRC on the server - funny I didn't put it there.

In the Belarc report if there's an asterisk next to the app name it means clicking it will bring you to the location of the app itself. Turns out the hacker or hackers had named the mIRC client as one of the unicode drivers. So every time the system booted, it would start.

Don't ask me about web hacks on IIS 4.0 though. Most of the ones that happened came out of China so not much hope of ever prosecuting that. We applied all the service packs, ran the Microsoft Baseline Security analysis tool on it and it's pretty well locked down now.

Tony
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

microsGuy16
  • Locked
  • Question
Can not copy files to Mapped drive
Replies
0
Views
109
microsGuy16
microsGuy16
ravalos
  • Question
Problem with PDFs in IIS
Replies
1
Views
244
gbaughma
gbaughma
maybeimaleo
  • Locked
  • Question
Can SMTP Be Migrated From 2008 R2 to 2019?
Replies
1
Views
59
maybeimaleo
maybeimaleo
Aquiles Vidal
  • Locked
  • Question
Web Browsers in Windows Server or Terminal Server
Replies
0
Views
119
Aquiles Vidal
Aquiles Vidal
mangentle
  • Locked
  • Question
What could be the potential causes if a Microsoft Windows Server is experiencing slow network!
Replies
1
Views
138
gbaughma
gbaughma

Part and Inventory Search

Sponsor

Back
Top