hacked suspicion

o2rres
Hello,
Please, someone help me.
If this is not the right forum, please tell me which it could be.

I run this server on Win 2000 server, when I run Netstat I always see connections established involving ldap.
Am I being hacked, and is someone using my server to send spam?
Server name: PPSERVER2K
Domain: plastic-plumbers.com.mx


Netstat listing follows:

Active Connections

Proto Local Address Foreign Address State
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:1078 ESTABLISHED
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:1080 ESTABLISHED
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:1081 ESTABLISHED
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:1084 ESTABLISHED
TCP PPSERVER2K:1037 PPSERVER2K.plastic-plumbers.com.mx:ldap CLOSE_WAIT
TCP PPSERVER2K:1078 PPSERVER2K.plastic-plumbers.com.mx:ldap ESTABLISHED
TCP PPSERVER2K:1080 PPSERVER2K.plastic-plumbers.com.mx:ldap ESTABLISHED
TCP PPSERVER2K:1081 PPSERVER2K.plastic-plumbers.com.mx:ldap ESTABLISHED
TCP PPSERVER2K:1084 PPSERVER2K.plastic-plumbers.com.mx:ldap ESTABLISHED
TCP PPSERVER2K:ldap PP22:4314 TIME_WAIT
TCP PPSERVER2K:ldap PP22:4315 TIME_WAIT
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:1054 ESTABLISHED
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2124 TIME_WAIT
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2125 ESTABLISHED
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2129 TIME_WAIT
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2130 TIME_WAIT
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2135 TIME_WAIT
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2136 TIME_WAIT
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2140 TIME_WAIT
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2141 TIME_WAIT
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2154 TIME_WAIT
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:2155 TIME_WAIT
TCP PPSERVER2K:microsoft-ds PP10:4369 ESTABLISHED
TCP PPSERVER2K:microsoft-ds PPSERVER2K.plastic-plumbers.com.mx:1204 ESTABLISHED
TCP PPSERVER2K:1026 PPSERVER2K.plastic-plumbers.com.mx:1056 ESTABLISHED
TCP PPSERVER2K:1026 PPSERVER2K.plastic-plumbers.com.mx:1209 ESTABLISHED
TCP PPSERVER2K:1054 PPSERVER2K.plastic-plumbers.com.mx:ldap ESTABLISHED
TCP PPSERVER2K:1056 PPSERVER2K.plastic-plumbers.com.mx:1026 ESTABLISHED
TCP PPSERVER2K:1204 PPSERVER2K.plastic-plumbers.com.mx:microsoft-ds ESTABLISHED
TCP PPSERVER2K:1209 PPSERVER2K.plastic-plumbers.com.mx:1026 ESTABLISHED
TCP PPSERVER2K:1823 PPSERVER2K.plastic-plumbers.com.mx:ldap CLOSE_WAIT
TCP PPSERVER2K:2121 PPSERVER2K.plastic-plumbers.com.mx:epmap TIME_WAIT
TCP PPSERVER2K:2122 PPSERVER2K.plastic-plumbers.com.mx:1026 TIME_WAIT
TCP PPSERVER2K:2125 PPSERVER2K.plastic-plumbers.com.mx:ldap ESTABLISHED
TCP PPSERVER2K:2126 PPSERVER2K.plastic-plumbers.com.mx:epmap TIME_WAIT
TCP PPSERVER2K:2127 PPSERVER2K.plastic-plumbers.com.mx:1026 TIME_WAIT
TCP PPSERVER2K:2131 PPSERVER2K.plastic-plumbers.com.mx:epmap TIME_WAIT
TCP PPSERVER2K:2132 PPSERVER2K.plastic-plumbers.com.mx:1026 TIME_WAIT
TCP PPSERVER2K:2138 PPSERVER2K.plastic-plumbers.com.mx:epmap TIME_WAIT
TCP PPSERVER2K:2139 PPSERVER2K.plastic-plumbers.com.mx:1026 TIME_WAIT
TCP PPSERVER2K:2144 DEL0000F0A2ACEA:http TIME_WAIT
TCP PPSERVER2K:2146 DEL0000F0A2ACEA:http TIME_WAIT
TCP PPSERVER2K:2152 PPSERVER2K.plastic-plumbers.com.mx:epmap TIME_WAIT
TCP PPSERVER2K:2153 PPSERVER2K.plastic-plumbers.com.mx:1026 TIME_WAIT
TCP PPSERVER2K:3389 dsl-189-141-19-90.prod-infinitum.com.mx:1595 ESTABLISHED
- - - - - - - - - - -

This remote connection is mine from home.

Thanks in advance,
Oscar Torres
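The listing above is mostly the server talking to itself: nearly every LDAP line has PPSERVER2K.plastic-plumbers.com.mx on both ends, which is what a Windows 2000 domain controller looks like, since Active Directory talks to its own LDAP (389) and RPC endpoint mapper (epmap, 135) ports constantly. The sessions worth a second look are the few with a genuinely remote peer, such as the Remote Desktop (3389) session from a DSL address. The following script is an added example, not part of the thread, that sorts a pasted netstat listing into self / LAN / external peers and flags established inbound sessions to a listening service from an external host. The server name and domain are taken from the post; the rule that an unqualified name (PP22, PP10, DEL0000F0A2ACEA) is a LAN host is an assumption, and the sample input is a constructed subset of the listing in the post.

```python
"""Triage a Windows netstat listing (name-resolved form, as posted above).

Separates connections the server makes to itself from connections with
other hosts, and flags ESTABLISHED inbound sessions to a listening service
whose peer is outside the local network.  Added example; assumes IPv4-only
output (Windows 2000 netstat), so no IPv6 ':' in host fields.
"""
import re
from dataclasses import dataclass

# Service names exactly as Windows netstat prints them (from the local
# 'services' file).  Extend as needed for your own server.
SERVICE_PORTS = {"ldap": 389, "microsoft-ds": 445, "epmap": 135,
                 "http": 80, "https": 443, "smtp": 25}
# Numeric ports above 1023 that are still listening services, not ephemeral.
SERVICE_NUMBERS = {3389}  # Remote Desktop / Terminal Services

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)\s*$")


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str


def parse_netstat(text):
    """Return Conn objects for every TCP/UDP line; headers are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(*m.groups()))
    return conns


def port_number(p):
    """Map a netstat port field (name or number) to an integer, or None."""
    if p in SERVICE_PORTS:
        return SERVICE_PORTS[p]
    try:
        return int(p)
    except ValueError:
        return None


def is_service_port(p):
    """True if this end of the socket is a listening service, not a client."""
    n = port_number(p)
    return p in SERVICE_PORTS or n in SERVICE_NUMBERS or (n is not None and n < 1024)


def direction(c):
    """'inbound' = remote client -> our service, 'outbound' = we are the client."""
    local_svc, remote_svc = is_service_port(c.local_port), is_service_port(c.remote_port)
    if local_svc and not remote_svc:
        return "inbound"
    if remote_svc and not local_svc:
        return "outbound"
    return "peer"  # e.g. RPC dynamic ports on both sides


def peer_class(c, server_name, domain):
    """Classify the foreign host: the server itself, a LAN host, or external."""
    host = c.remote_host.lower()
    own = {server_name.lower(), f"{server_name}.{domain}".lower(), "localhost", "127.0.0.1"}
    if host in own:
        return "self"
    # Assumption: an unqualified NetBIOS name, or a name in our own domain, is on the LAN.
    if "." not in host or host.endswith("." + domain.lower()):
        return "lan"
    return "external"


def triage(text, server_name, domain):
    """Return (counts per peer class, list of flagged inbound external sessions)."""
    summary = {"self": 0, "lan": 0, "external": 0}
    findings = []
    for c in parse_netstat(text):
        cls = peer_class(c, server_name, domain)
        summary[cls] += 1
        if cls == "external" and direction(c) == "inbound" and c.state == "ESTABLISHED":
            findings.append(f"{c.remote_host}:{c.remote_port} -> {c.local_port} "
                            f"({port_number(c.local_port)}) {c.state}")
    return summary, findings


# Constructed sample: a subset of the listing from the post, with its headers.
SAMPLE = """Active Connections

Proto Local Address Foreign Address State
TCP PPSERVER2K:ldap PPSERVER2K.plastic-plumbers.com.mx:1078 ESTABLISHED
TCP PPSERVER2K:1037 PPSERVER2K.plastic-plumbers.com.mx:ldap CLOSE_WAIT
TCP PPSERVER2K:ldap PP22:4314 TIME_WAIT
TCP PPSERVER2K:microsoft-ds PP10:4369 ESTABLISHED
TCP PPSERVER2K:microsoft-ds PPSERVER2K.plastic-plumbers.com.mx:1204 ESTABLISHED
TCP PPSERVER2K:1026 PPSERVER2K.plastic-plumbers.com.mx:1056 ESTABLISHED
TCP PPSERVER2K:2121 PPSERVER2K.plastic-plumbers.com.mx:epmap TIME_WAIT
TCP PPSERVER2K:2144 DEL0000F0A2ACEA:http TIME_WAIT
TCP PPSERVER2K:3389 dsl-189-141-19-90.prod-infinitum.com.mx:1595 ESTABLISHED
"""

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE, "PPSERVER2K", "plastic-plumbers.com.mx")
    print("peers:", counts)
    for f in flagged:
        print("inbound from external host:", f)
```

On the sample this reports 5 self, 3 LAN and 1 external connection, and the only flagged line is the RDP session from the DSL address, which is exactly the one the poster identifies as his own home connection. The value of the split is that it turns a long listing into a handful of peers to verify; anything flagged that you cannot account for is the connection to investigate.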
    HAL 9000 Moderator

    And your VPN into the Server has been hijacked through an infection of Malware/Spyware on your home computer.

    This is quite common when Proper Security models are not followed to allow remote connections into the Business network.

    First thing to do is kill off the Remote Connection on the Server and disable all remote connections for the time being.

    Then load some Spy Ware programs like Ad Aware SE

    http://tinyurl.com/lvov4

    Spy Bot S&D

    http://tinyurl.com/yrwy2

    Download & install both of these tools and then update them as required. Then reboot into Safe Mode and scan your home computer and remove any infections that you have picked up along the way. When you have run one scan and cleaned off the infections, rerun the scan again just to make sure that you have actually removed the problems and that there was nothing hiding under them. Keep rerunning the scans till the system comes up as clean.

    With Spy Bot S&D it will pick up Spy Ware Like activity so things like Windows Defender and some Internet Banking Programs may read as false positives so make sure that you look at every thing that it picks up and untick the box if the item is something that you actually use then remove the other files and rerun the scan again till it comes up with either a clean system or just the files that you need kept on the system.

    Once you have done this you can then set about creating another remote access point to your server but this time make sure that you don't use the same protocols and make sure that you keep your Home Machine clean by performing Spy Ware Scans in Safe Mode at least once a week and daily if you visit Porn Sites, Gambling Sites, and many Free Web Sites for people to use as these are quite often loaded with Spy Ware.

    Col

    Tig2

    Get a firewall up and running - Zone Free will stop a lot of it. They have a server edition, but try it on your home machine first and see how you go. It's free, so you won't lose anything.

    Also keep a copy of CCleaner handy. After your Spy and AV run, run your CCleaner. You can find it at CCleaner.com.

    Best of luck to you!
