A Malicious looking hack
Hi

I wonder if anyone can shed some light on the following:

A server kept crashing, the hardware is pretty old so it was obviously the 1st thing that was looked at. The box is running Windows NT 4. It turned out that the hardware is fine. But we found directories containing encrypted files as well as suspicious files in the Windows directories. We can not delete these directories. It looks to me as if someone has hacked into the box and is using it as a gateway, probably for something illegal.

Has anyone encountered this problem and if so, what can I do to fix it?

Regards
Steve
Re: A Malicious looking hack
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <Xns9423ACCE8375stevejufrmsa1uniforu@196.25.240.158>, on 29 Oct 2003 15:01:37 GMT, Steve Jankelowitz <stevej@ufrmsa1.uniforum.org.za> wrote:

| Hi
|
| I wonder if anyone can shed some light on the following:
|
| A server kept crashing, the hardware is pretty old so it was obviously the
| 1st thing that was looked at. The box is running Windows NT 4. It turned
| out that the hardware is fine. But we found directories containing
| encrypted files as well as suspicious files in the Windows directories.
| We can not delete these directories. It looks to me as if someone has
| hacked into the box and is using it as a gateway, probably for something
| illegal.
|
| Has anyone encountered this problem and if so, what can I do to fix it?

Your best option at this point is a clean install from known good media (your original Windows NT CD). While doing so make sure you are not connected to the internet.

Before connecting to the internet install firewall and virus checkers also from known good media (a good idea might be to get someone who has a secure system to download them and burn them to CD for you, along with all updates, particularly for the virus checker).

Then connect to the net and install all NT patches.

HTH
<davidp />

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3 - not licensed for commercial use: www.pgp.com
Comment: Get key from pgpkeys.mit.edu:11370

iQA/AwUBP5/r33xp7q1nhFwUEQIDLACg4xsMOnH8DX4w7whsXkcPOh/YLdcAnRIM
u01mQOD3zN6n4d8pJTXwLoeA
=ultA
-----END PGP SIGNATURE-----

<davidp />
--
David Postill
Re: A Malicious looking hack
On Wed, 29 Oct 2003 17:56:18 GMT, David Postill <david@postill.org.uk> wrote:

> Your best option at this point is a clean install from known good media
> (your original Windows NT CD). While doing so make sure you are not connected
> to the internet.
>
> Before connecting to the internet install firewall and virus checkers also
> from known good media (a good idea might be to get someone who has a secure
> system to download them and burn them to CD for you, along with all updates,
> particularly for the virus checker).

Or get a NAT router, and install the updates on your computer safely and quickly, while connected.

A NAT router, software firewall, and properly updated OS / applications are all part of a layered defense. None of them is unnecessary, and all are affordable.

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
Re: A Malicious looking hack
Can we get a list of the file names and directories?

Jim

Steve Jankelowitz The commander of all things worth commanding said on 10/29/2003 10:01 AM:
> Hi
>
> I wonder if anyone can shed some light on the following:
>
> A server kept crashing, the hardware is pretty old so it was obviously the
> 1st thing that was looked at. The box is running Windows NT 4. It turned
> out that the hardware is fine. But we found directories containing
> encrypted files as well as suspicious files in the Windows directories.
> We can not delete these directories. It looks to me as if someone has
> hacked into the box and is using it as a gateway, probably for something
> illegal.
>
> Has anyone encountered this problem and if so, what can I do to fix it?
>
> Regards
> Steve
Re: A Malicious looking hack
In article <Xns9423ACCE8375stevejufrmsa1uniforu@196.25.240.158>, stevej@ufrmsa1.uniforum.org.za says...
> Hi
>
> I wonder if anyone can shed some light on the following:
>
> A server kept crashing, the hardware is pretty old so it was obviously the
> 1st thing that was looked at. The box is running Windows NT 4. It turned
> out that the hardware is fine. But we found directories containing
> encrypted files as well as suspicious files in the Windows directories.
> We can not delete these directories. It looks to me as if someone has
> hacked into the box and is using it as a gateway, probably for something
> illegal.
>
> Has anyone encountered this problem and if so, what can I do to fix it?
>
> Regards
> Steve
>

Hire a better admin.

--
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click: http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness as the new industry standard...

"...I see stupid people."
Re: A Malicious looking hack
Let me guess, you're running IIS 4.0, woopie. Do a complete new install, update to SP6, fire your current admin; if it's you, do us a favor and kill yourself. The damn NT 4 vulns are all years old. Get a better server solution.

Bottle
Re: A Malicious looking hack
On Thu, 30 Oct 2003 06:37:22 GMT, Bottle <crazyregulator@yahoo.com> wrote:

> Let me guess, you're running IIS 4.0, woopie. Do a complete new install,
> update to SP6, fire your current admin; if it's you, do us a favor and
> kill yourself. The damn NT 4 vulns are all years old. Get a better server
> solution.
>
> Bottle

Maybe you should reply to the OP, not the responders?
Re: A Malicious looking hack
Steve Jankelowitz wrote:
> Hi
>
> I wonder if anyone can shed some light on the following:
>
> A server kept crashing, the hardware is pretty old so it was obviously the
> 1st thing that was looked at. The box is running Windows NT 4. It turned
> out that the hardware is fine. But we found directories containing
> encrypted files as well as suspicious files in the Windows directories.
> We can not delete these directories. It looks to me as if someone has
> hacked into the box and is using it as a gateway, probably for something
> illegal.
>
> Has anyone encountered this problem and if so, what can I do to fix it?
>
> Regards
> Steve

Get ahold of a recent copy of a Linux or FreeBSD installation disk, place it in the CD-ROM drive & reboot.

--
Microsoft Windows is only secure under these conditions:
1. not allowed to connect to the internet
2. not letting anyone have access to the CD-ROM or floppy drive when unattended
Re: A Malicious looking hack
Folder names are COM1, LPT1 etc. Cannot get the file names!!!

Steve

"Jim" <jimbone@hotmail.com> wrote in message news:FHVnb.82926$W77.14322@bignews6.bellsouth.net...
> Can we get a list of the file names and directories?
>
> Jim
>
> Steve Jankelowitz The commander of all things worth commanding said on
> 10/29/2003 10:01 AM:
> > Hi
> >
> > I wonder if anyone can shed some light on the following:
> >
> > A server kept crashing, the hardware is pretty old so it was obviously the
> > 1st thing that was looked at. The box is running Windows NT 4. It turned
> > out that the hardware is fine. But we found directories containing
> > encrypted files as well as suspicious files in the Windows directories.
> > We can not delete these directories. It looks to me as if someone has
> > hacked into the box and is using it as a gateway, probably for something
> > illegal.
> >
> > Has anyone encountered this problem and if so, what can I do to fix it?
> >
> > Regards
> > Steve
>
Re: A Malicious looking hack
In article <bo526k$1pp$1@ctb-nnrp2.saix.net>, stevej@ufrmsa1.uniforum.org.za says...
> Folder names are COM1, LPT1 etc. Cannot get the file names!!!
>

The system was probably compromised, you should rebuild it from scratch.

Anyway, there is info on removing these folders here:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q120/7/16.ASP&NoWebContent=1

/steve

--
You simply cannot get more server side control of your e-mail without running your own mail server and knowing how to program.
http://www.cotse.net/privacyservice.html
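The folders Steve describes are named after DOS device names (COM1, LPT1 and friends), which the Win32 layer intercepts before the path ever reaches NTFS; that is why ordinary tools cannot list or delete them, and why an intruder would pick those names for a stash. The following script is an added example and is not from the thread or from the Microsoft KB article linked above. It walks a listing of paths, flags any component that is a reserved device name, and builds the `\\?\`-prefixed form of the path, which tells the Win32 layer to pass the name through to the filesystem without device-name parsing. The listing (`SAMPLE_LISTING`) is constructed; on a real box it would come from `os.walk` over the volume. The `rd /s /q` line produced by `removal_command` is the form I would type in cmd.exe, and is an assumption rather than a quote from the KB.

```python
"""Flag directory entries named after reserved DOS device names and
build the raw Win32 path needed to address them.

Added example, not code from the thread or from Microsoft's KB article.
The listing below is constructed; in practice it would come from os.walk().
"""
import re
from typing import List

# Names the Win32 layer reserves regardless of directory: CON, PRN, AUX,
# NUL, COM1-COM9 and LPT1-LPT9.  The match is case-insensitive and a
# trailing extension does not help (aux.txt is still the AUX device).
_RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.|$)",
                       re.IGNORECASE)

# Constructed listing resembling an NT 4 system drive with a few entries
# an attacker might have planted.  Only the reserved-name ones are "hits".
SAMPLE_LISTING: List[str] = [
    r"C:\WINNT\system32\drivers\etc\hosts",
    r"C:\WINNT\COM1\stash.dat",
    r"C:\WINNT\system32\LPT1",
    r"C:\Inetpub\wwwroot\default.htm",
    r"C:\WINNT\aux.txt",
]


def is_reserved_name(component: str) -> bool:
    """True when a single path component is a reserved DOS device name."""
    return bool(_RESERVED.match(component))


def find_reserved_entries(paths: List[str]) -> List[str]:
    """Return the paths that contain at least one reserved-name component.

    Order is preserved so the output can be diffed against a baseline
    listing taken when the machine was known good.
    """
    hits: List[str] = []
    for path in paths:
        components = [c for c in re.split(r"[\\/]", path) if c]
        if any(is_reserved_name(c) for c in components):
            hits.append(path)
    return hits


def win32_raw_path(path: str) -> str:
    r"""Prefix a drive-letter path with \\?\ so Win32 skips name parsing.

    Without the prefix, cmd's rd/del and Explorer resolve 'COM1' to the
    serial port and never touch the directory.  Idempotent.
    """
    prefix = "\\\\?\\"
    return path if path.startswith(prefix) else prefix + path


def removal_command(path: str) -> str:
    """cmd.exe line to remove the tree via its raw path (assumed usage)."""
    return 'rd /s /q "%s"' % win32_raw_path(path)


if __name__ == "__main__":
    for hit in find_reserved_entries(SAMPLE_LISTING):
        print("reserved-name entry:", hit)
        print("  ", removal_command(hit))
```

Run against a full `os.walk` listing, the hits are the entries worth preserving (copy them off with the raw path first, for the record of what the box was used for) before the rebuild that David and /steve recommend; the regex deliberately rejects COM10 and LPT10, which are not reserved.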