Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Server hacked

Status
Not open for further replies.
macmah

macmah

IS-IT--Management
Jul 18, 2003
2
US
My server was hacked. I use SAV which detected three viruses and I detected the other virus.

These viruses are:
IRC Trojan
Backdoor.IRC.Cloner
Backdoor Trojan
IRC Flood CM
Winnnt.exe (not id'ed by SAV as virus-Am I missing anything here???)

Winnnt.exe (an IRC) sits in a hidden system file at Winnt/System 32/Security/Bin. MS informs this is not a valid Windows file. Server rebooted fine after deletion of the Security/Bin.

Winnnt.exe program loads upon startup and prevents admin from using regedit and control - alt - delete and seeing processes. The registry key is under HKLM/Software/MS/Windows/Current Version/Run.

Trojan Horse scanners, audit logs, port scanners and virus scanners detect no further virus activity. MS said to rebuild the server. IT consultant said it's not necessary and to keep scanning and watching.

Any thoughts?? Should I rebuild the server? Or just continue to monitor and scan?

Thanks.
 
Sort by date Sort by votes
If you have good backups and have some time, I would rebuild the server. You never know if some other files had been tampered with or what other services or holes could be hidden now. My own personal preference would be to rebuild it.
 
Upvote 0 Downvote
I wrote about this irc.backdoor from my experience in another thread.

thread616-308410

take a look. I hope it provides you with insight from my experience.
 
Upvote 0 Downvote
i agree with the others.

the best thing to do if you are still having problems, is restore your backups.

But after you restore, make sure you apply the correct security so you dont get hacked again
 
Upvote 0 Downvote
The prevention of using regedit is usually caused by the virus disabling *.exe programs. However, as a tidbit, you can rename the regedit.exe program to regedit.com, and IT WILL now run. Then you can clean the Winnnt.exe out of the registry startup. I suggest you go online to Symentec and find out the correct procedure to remove this virus.

However, this may not solve all the issues, since you had a whole bunch of viruses at the same time. I would strongly suggest you reformat the drive and re-install the OS and applications (yes it is a lot of work, but at least you will have a clean system which works correctly!). Then be sure you install good antivirus software and keep it up to date. If this is a single system, I would also suggest adding a firewall to the system, such as Zone Alarm (available free from for home users).

HTH

David
 
Upvote 0 Downvote
I would download Spybot. This will run and get out any trojans that are in your registry. Very good program. You can get it off Download.com

I have used it on some of our infected servers and it worked great. Might be worth a try for you.
 
Upvote 0 Downvote
i also use a program called Active Ports (free) to look at what ports are being used. also, you will want to run the "netstat" command (at the command line) to look at the current connections and see if there are any "strange" connections. if you choose not rebuild the server, you will at least want to monitor the connections for a while. programs like spybot can help, but it, norton, and any other apps can miss things, especially if malicious apps or programs are made to elude these types of programs or updates are not applied. apps like those are not the cure-all, or we would not have the security issues we have today in IT. just because you have norton, spybot, or any other app, does not necessarily imply safety. lots of times, some paranoia will save you headaches in the future.
 
Upvote 0 Downvote
Of course playing with repairing the system is fun and teaches you a lot, it does not produce any peace of mind that the system is truly repaired!

Using spybot and similar programs (I like AdAware from also free and very effective)may help clean up the system, but you will never really know if you have totally fixed the situation unless you use brute force to rebuild it clean. Remember, this system has been hit by several different viruses at the same time, which may have damaged files to the extent that you can not really totally clean it out.

If there is anything important on this server, then I HIGHLY RECOMMEND the rebuild, then add antivirus, adaware or spybot software, and a firewall (if the system is not currently behind one) to protect your work. Then, once the system is rebuilt and clean (BEFORE PUTTING IT BACK ON THE INTERNET :), BACK IT UP and store the backup away safely somewhere!)

Good luck, and happy hunting.

David
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MaioMaio
  • Locked
  • Question
Server Remote Desktop License
Replies
0
Views
205
MaioMaio
MaioMaio
Aquiles Vidal
  • Locked
  • Question
Web Browsers in Windows Server or Terminal Server
Replies
0
Views
255
Aquiles Vidal
Aquiles Vidal
rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
293
suncit
suncit
antonio_dsanchez
  • Locked
  • Question
post-installation WSUS windows server 2016
Replies
0
Views
215
antonio_dsanchez
antonio_dsanchez
jamescpp
  • Locked
  • Question
Windos OpenSSH server vulnerability
Replies
0
Views
241
jamescpp
jamescpp

Part and Inventory Search

Sponsor

Back
Top