warez bot attack
gateway router with nat firewall and check the security patch settings.
I have a Microsoft NT 4 server that has been hacked and used as a warez server. Servuftp was hidden in several directories (nested in c:\temp\vbe\ect\ect and c:\winnt\system32\help\ect\ect\ect). I found and removed all the instances of servuftp.
My problem is the server is unstable, when you run proxy server 2 it operates for a short while then fails with a Dr Watson error. If I start the Exchange Internet message connector service the CPU usage goes to 100% use by MSEXCIMC.exe and RPCSS.exe, if I stop the internet message connector service the RPCSS.EXE use goes up to 100%.
Some interesting symptoms:
When you attempt to empty the recycling bin you get an error, DF3 in use.
A directory then appears in the recycler folder on all hard disks that has the same name as the current user in the hkey_users section of the registry.
The baseline security analyser will not run.
There is nothing suspicious in the registry RUN or RUNONCE section of the registry, and nothing unusual shows up in the task manager.
I have obviously missed a stub or preloader that they used to run advertise the system or start servuftp. Has anyone had any experience removing this stub?
As this is an SBS server the firm only has the one, shutting it down is not really an option.