Server Compromised

By Frank K ·
I have an NT4 server which I'm running Proxy on, and I noticed a Remote Access administration program had been loaded on it (hacked). I quickly removed it, and then the next day I noticed a different one was loaded on my machine. I removed that as well, but now I receive an error every once in a while which knocks out my winsock, thus messing with my email. I can't find the program on my machine nor any associated services. Any ideas? Here's the message:

The library file "C:\Program Files\Serv-U\ServUPerfCount.dll" specified for the "Serv-U-Counters" service could not be opened. Performance data for this service will not be available. Status code is data DWORD 0.

11 total posts (Page 1 of 2)


Server Compromised

by erikdr In reply to Server Compromised

Generally speaking, repairing a 'manually' compromised server is a **** of a job - quite different from recovering from a virus/worm attack. With such a structured attack a structured repair (AV fixes) is possible; with a manual attack you'll have to fiddle it all out yourself. And even if you fix this Winsock problem, the hacker could have done far more damage which you've not seen yet...

So, yes, it sounds unpopular and you will face other problems, but: back to the backup which you no doubt kept in a perfectly up-to-date state :-(

<Erik> - The Netherlands

Server Compromised

by Frank K In reply to Server Compromised

I've heard that term backup before...

Server Compromised

by Joseph Moore In reply to Server Compromised

Oh, they installed Serv-U as a Windows Service! You should go into Services and look for something that should not be there.
Then disable that service.
If you have the Windows Resource Kit, you can run SC.EXE to remove the Service (I think it is SC.EXE that can do that!)
And next, GET A FIREWALL!

Server Compromised

by Frank K In reply to Server Compromised

I'm behind a firewall now.

Server Compromised

by kcrabb In reply to Server Compromised

We have had several run-ins with Serv-U. Removing it from the Services is the first step. Sometimes, if the hacker is not really good, you can go to Add/Remove Programs and remove it there.
You also MUST check the registry:
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Make sure that the underlying BAT file (or whatever the hacker used) is not getting loaded again. I had a system that I thought was clean but left this out. Each time I would reboot, it would redo all of the programs.
Finally, check for additional users on this system. On a server this can be harder, but match every account to a real person that is there.
Hope this helps

Server Compromised

by Frank K In reply to Server Compromised

Can't find any services which may be doing it. Something is definitely triggering it though.

Server Compromised

by Curacao_Dejavu In reply to Server Compromised

In the registry, search for serv-u and ServUPerfCount.dll.
Update the antivirus program and run a full scan.
Go to User Manager, Policies, and select "Access this computer from the network" and make a group from your domain so only they may access the server.
In User Manager, Policies, also select which groups may log on locally to the server.
Go to www.grc.com and scan the server and the clients to see what the outside world sees when they scan your server. Everything should be stealth; if not, your server is misconfigured.
Consider upgrading the server to w2k, since as of January MS support for NT will be stopped.
And finally, also remember that the attack could have been started from the inside.

Leopold
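The message Frank quotes is Perflib, the performance-counter loader, failing to open the DLL named in the Library value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U-Counters\Performance, a registry leftover that outlives the deleted Serv-U files. Here is an added example (not code from this thread) that triages a registry export offline along the lines kcrabb and Leopold describe: it lists every Run/RunOnce entry and flags any service whose Performance\Library DLL no longer exists on disk. The .reg sample is constructed; the "updater" entry and its svc.bat path are made up.

```python
import os
import re

# Constructed sample of a registry export (regedit /e) from the affected NT4 host.
# The key paths and ServUPerfCount.dll come from the thread; "updater" is a made-up entry.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"updater"="C:\\WINNT\\system32\\svc.bat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U-Counters\Performance]
"Library"="C:\\Program Files\\Serv-U\\ServUPerfCount.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ only; dword:/hex: lines are skipped


def parse_reg_export(text):
    """Return {key_path: {value_name: string}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line.strip()):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line.strip())) and current is not None:
            # .reg files escape each backslash as "\\"; undo that to get the real path
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def autostart_entries(keys):
    """Every value under a Run or RunOnce key: what gets relaunched at each logon."""
    return [(k, n, v) for k, vals in keys.items()
            if k.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce"))
            for n, v in vals.items()]


def stale_perf_libraries(keys, exists=os.path.exists):
    """(service, dll) pairs whose Performance\\Library DLL is missing on disk: exactly the
    condition that makes Perflib log 'The library file ... could not be opened'."""
    out = []
    for k, vals in keys.items():
        parts = k.split("\\")
        if len(parts) > 2 and parts[-1].lower() == "performance" and parts[-3].lower() == "services":
            if "Library" in vals and not exists(vals["Library"]):
                out.append((parts[-2], vals["Library"]))
    return out
```

Run it against a real export with `parse_reg_export(open("hklm.reg").read())`; on the compromised host itself, leave `exists` at its default so the disk check is genuine.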

Server Compromised

by Frank K In reply to Server Compromised

What was the name of the service running? Not in the Run or RunOnce part of registry.

Server Compromised

by punderwood In reply to Server Compromised

If your server has been compromised, the only real way to be 100% sure of bringing it back with no errors is to format and rebuild. Do not use the backup, as this will probably have the infected / compromised files. My experience has shown most hackers upload to the server and allow backup to be taken before it is compromised. In addition they will have loaded a backdoor program, something like a Netcat listener, so they have cmd.exe access every time. This file is hidden so it is not seen as a service or app running. Try searching for nc.exe. Hope that this helps. Unfortunately there is no short cut way of restoring a compromised server.

Server Compromised

by Frank K In reply to Server Compromised

Found two instances but it wouldn't let me delete. The server is now behind a firewall. Winsock proxy is not affected anymore but now web proxy goes down whenever trigger is activated. I can't find the trigger though. www.grc says I'm very tight (now).
