Computer Security - win2k machine hacked with Serv-U FTP etc
#1

My father's Win2k machine has been hacked. Saturday he called me in a panic, and when I got to his house I could see why. There were windows opened all over his desktop (I will upload screenshots to my web server if it will help), a command window starting the Serv-U FTP service and checking ipconfig settings, a web browser opened to his router with a service started on port 333, a shortcut to an app, and the 2000 services and computer management window.

I'm not familiar enough with 2000 to know how to investigate exactly what happened. What I'm more interested in is where to go from here. My gut tells me to immediately back up all his important files, reformat, reinstall, and set him up with improved security measures. I also think a call to his cc companies is in order, as well as changing all passwords to all accounts, websites, etc.

What was the hacker's main purpose?

Please advise me in other ways. I'm not interested in finding fault with how he had things set up, other than to learn from his mistakes. While he's not a computer expert, he's not a newbie either.

thank you,

wjm

JM
#2

JM wrote:
> My father's Win2k machine has been hacked. Saturday he called me in a panic, and when I got to his house I could see why. There were windows opened all over his desktop (I will upload screenshots to my web server if it will help), a command window starting the Serv-U FTP service and checking ipconfig settings, a web browser opened to his router with a service started on port 333, a shortcut to an app, and the 2000 services and computer management window.
>
> I'm not familiar enough with 2000 to know how to investigate exactly what happened. What I'm more interested in is where to go from here. My gut tells me to immediately back up all his important files, reformat, reinstall, and set him up with improved security measures. I also think a call to his cc companies is in order, as well as changing all passwords to all accounts, websites, etc.
>
> What was the hacker's main purpose?
>
> Please advise me in other ways. I'm not interested in finding fault with how he had things set up, other than to learn from his mistakes. While he's not a computer expert, he's not a newbie either.
>
> thank you,
>
> wjm

Please send more specific info. What windows were opened? Did he install the FTP server? Was the service on port 333 running on his PC or the router you speak of? What was the shortcut to?

Imhotep
#3

JM wrote:
> My father's Win2k machine has been hacked. Saturday he called me in a panic, and when I got to his house I could see why. There were windows opened all over his desktop (I will upload screenshots to my web server if it will help), a command window starting the Serv-U FTP service and checking ipconfig settings, a web browser opened to his router with a service started on port 333, a shortcut to an app, and the 2000 services and computer management window.
>
> I'm not familiar enough with 2000 to know how to investigate exactly what happened. What I'm more interested in is where to go from here. My gut tells me to immediately back up all his important files, reformat, reinstall, and set him up with improved security measures. I also think a call to his cc companies is in order, as well as changing all passwords to all accounts, websites, etc.
>
> What was the hacker's main purpose?
>
> Please advise me in other ways. I'm not interested in finding fault with how he had things set up, other than to learn from his mistakes. While he's not a computer expert, he's not a newbie either.
>
> thank you,
>
> wjm

If you're not interested in finding out what happened, then your gut instinct is best. Back up what you need, reload, and then update the OS at M$'s site until it is current.

NOI

noi
#4

From: "JM" <>

| My father's Win2k machine has been hacked. Saturday he called me in a panic, and when I got to his house I could see why. There were windows opened all over his desktop (I will upload screenshots to my web server if it will help), a command window starting the Serv-U FTP service and checking ipconfig settings, a web browser opened to his router with a service started on port 333, a shortcut to an app, and the 2000 services and computer management window.
|
| I'm not familiar enough with 2000 to know how to investigate exactly what happened. What I'm more interested in is where to go from here. My gut tells me to immediately back up all his important files, reformat, reinstall, and set him up with improved security measures. I also think a call to his cc companies is in order, as well as changing all passwords to all accounts, websites, etc.
|
| What was the hacker's main purpose?
|
| Please advise me in other ways. I'm not interested in finding fault with how he had things set up, other than to learn from his mistakes. While he's not a computer expert, he's not a newbie either.
|
| thank you,
|
| wjm

Start with the McAfee module in the below Multi AV Scanning Tool.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }

Choose; Unzip

Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}

This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.

The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.
http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman