General discussion

Locked

warez bot attack

By paulbeaver ·
I inherited this problem when the client came to me unhappy with the previous support people. I was called in to try and find why their internet usage was way up (almost 20G per month). The server was directly linked to the internet using an adsl modem to a network card in the server, the first thing that I did was to install a
gateway router with nat firewall and check the security patch settings.

I have a Microsoft NT 4 server that has been hacked and used as a warez server. Servuftp washidden in several directories (nested in c:\temp\vbe\ect\ect and c:\winnt\system32\help\ect\ect\ect).I found and removed all the instances of servuftp.

My problem is the server is unstable, when you run proxy server 2 it operates for a short wilethen fails with a dr watson error. If I start the Exchange Internet message connector service the CPU usage goes to 100% use by MSEXCIMC.exe and RPCSS.exe, if I stop the internet message connector service the RPCSS.EXE use goes up to 100%.

some interesing symptoms:

When you attempt to empty the recycling bin you get an error, DF3 in use.

A directory then appears in the recycler folder on all hard disks that has the same name as the current user in the hkey_users section of the registry.

The baseline security analyser will not run.

There is nothing suspicous in the registry RUN or RUNONCE section of the registry, and nothing unusual shows up in the task manager

I have obviously missed a stub or preloader that they used to run advertise the system or start servuftp. has aynone had any experience removing this stub?

As this is a SBS server the firm only has the one, shutting it down is not really an option.

This conversation is currently closed to new comments.

1 total post (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Taken it down

by Milstar In reply to warez bot attack

Looks like a form of hack to me, PHP or subseven type serverware. My have to take it down to unload memory resident software, remove it from registry and system. Then look up abtrusion protection software. If they changed your directories they own your computer already. Take it down boot to NT start disk, and clear system.

Back to Security Forum
1 total post (Page 1 of 1)  

Related Discussions

Related Forums