Computer Security - Windows 2000 server being hacked

#1

I need to know if there is an app out there that will allow me to track all movements of remote users who connect to my server. I've got a hacker who has now come into the server 3 times and started renaming files and links. I have no idea how he is getting in, and want to close whatever door he is using to get in. Any tips and advice will be of great help.

Plus, I need to see what shares are running on my PC. Is there a way I can check this out too, so I can close those off, including the IPC$ hidden share?

junkmail

#2

junkmail wrote:
> i need to know if there is an app out there that will allow me to track all
> movements of remote users who connect to my server, I got me a hacker who
> has now come in to the server 3 times, and started renaming files and links.
> I have no idea how he is getting in, and want to close what ever door he is
> using to get in.
>
> any tips and advice will be of great help.
>
> plus, i need to see what shares are running on my pc? is there a way i can
> check this out too? so i can close those off. including the $ipc hidden
> share.

He/she is probably getting in through your Administrator account: you're running a server of some sort (e.g. FTP). Make sure ALL your passwords contain unique letters AND numerals.

Rick Merrill

#3

"junkmail" <> writes:
> i need to know if there is an app out there that will allow me to track all
> movements of remote users who connect to my server, I got me a hacker who
> has now come in to the server 3 times, and started renaming files and links.
> I have no idea how he is getting in, and want to close what ever door he is
> using to get in.
>
> any tips and advice will be of great help.
>
> plus, i need to see what shares are running on my pc? is there a way i can
> check this out too? so i can close those off. including the $ipc hidden
> share.

Do you wanna play Sherlock Holmes, or do you want to fix the issue? If the latter: unplug the machine from the net, format, and reinstall from original media. Apply all updates from behind a firewall. Recreate user accounts with all new passwords.

Best Regards,
--
Todd H.
http://www.toddh.net/

#4

I hate to say this, but I have done this 2 times now. Not only that, I usually change the password once a week. This has not stopped him. He was back again last night. Grrrr...

"Todd H." <> wrote in message news:...
> "junkmail" <> writes:
>
> > i need to know if there is an app out there that will allow me to track all
> > movements of remote users who connect to my server, I got me a hacker who
> > has now come in to the server 3 times, and started renaming files and links.
> > I have no idea how he is getting in, and want to close what ever door he is
> > using to get in.
> >
> > any tips and advice will be of great help.
> >
> > plus, i need to see what shares are running on my pc? is there a way i can
> > check this out too? so i can close those off. including the $ipc hidden
> > share.
>
> Do you wanna play sherlock holmes, or do you want to fix the issue?
> If the latter: Unplug the machine from the net, format, and reinstall
> from original media. Apply all updates from behind a firewall.
> Recreate user accounts with all new passwords.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/

junkmail

#5

Here are the steps I took so far.

1. Click on the 'Start' button, then 'Settings', then the 'Control Panel' option.
2. Double-click on the 'Administrative Tools' icon - see new window.
3. Click the 'Computer Management' icon - see the Computer Management program.
4. Click on the + box next to the 'Shared Folders' icon on the left.
5. Click on the 'Shares' option - see the list of shares. The C$, D$ and Admin$ shares are standard and should be OK.
6. Double-click on one of the listed shares - see the '(folder name) Properties' dialog.
7. Click on the 'Share Permissions' tab - see the list of permitted users.

Will see if this stops him. Had a lot of shares open.

"junkmail" <> wrote in message news:GARlg.8455$ ink.net...
> i need to know if there is an app out there that will allow me to track all
> movements of remote users who connect to my server, I got me a hacker who
> has now come in to the server 3 times, and started renaming files and links.
> I have no idea how he is getting in, and want to close what ever door he is
> using to get in.
>
> any tips and advice will be of great help.
>
> plus, i need to see what shares are running on my pc? is there a way i can
> check this out too? so i can close those off. including the $ipc hidden
> share.

junkmail
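The Computer Management walk-through above enumerates shares by hand. As an added example (not code from the thread or from any poster), the script below does step 5 from the command line: it parses the text that `net share` prints, separates the administrative defaults (`C$`, `D$`, `ADMIN$`, `IPC$`) from user-created shares, compares the rest against the list the admin actually intends to publish, and emits the `net share <name> /delete` commands that close the remainder. The `net share` output embedded in it is constructed for the example, and the fixed column widths are an assumption derived from the header line rather than hard-coded, so the parser should cope with other versions' spacing. Step 7 (share permissions) is not covered here.

```python
"""Audit Windows file shares from `net share` output (added example).

Feed it the text of `net share` captured on the server (or run on a modern
Windows host, where the output format is the same). Column offsets are
taken from the "Share name / Resource / Remark" header line.
"""
import re

# Administrative shares the Server service creates itself. IPC$ carries the
# named-pipe traffic that remote administration and logons rely on; deleting
# it with `net share IPC$ /delete` only lasts until the service restarts.
DEFAULT_SHARES = {"ADMIN$", "IPC$", "PRINT$"}
DRIVE_SHARE = re.compile(r"^[A-Z]\$$")          # C$, D$, ...


def _row(name, resource="", remark=""):
    """Lay a row out in the column widths `net share` uses (assumption)."""
    return f"{name:<13}{resource:<32}{remark}".rstrip()


# Constructed sample output, in the shape `net share` prints it.
SAMPLE_NET_SHARE = "\n".join([
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("C$", "C:\\", "Default share"),
    _row("D$", "D:\\", "Default share"),
    _row("IPC$", "", "Remote IPC"),
    _row("ADMIN$", "C:\\WINNT", "Remote Admin"),
    _row("Accounts", "C:\\Data\\Accounts"),
    _row("Public", "D:\\Public", "Everyone"),
    _row("Temp", "C:\\Temp"),
    "The command completed successfully.",
])


def parse_net_share(text):
    """Return {share_name: {"resource": path, "remark": text}}."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Share name"))
    res_col = header.index("Resource")
    rem_col = header.index("Remark")
    shares = {}
    in_table = False
    for line in lines:
        if line.startswith("----"):
            in_table = True                     # rows start after the rule
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        name = line[:res_col].strip()
        shares[name] = {
            "resource": line[res_col:rem_col].strip(),
            "remark": line[rem_col:].strip(),
        }
    return shares


def is_administrative(name):
    upper = name.upper()
    return upper in DEFAULT_SHARES or bool(DRIVE_SHARE.match(upper))


def audit(text, intended=()):
    """Sort shares into administrative defaults, intended ones, and the rest."""
    wanted = {n.lower() for n in intended}
    report = {"administrative": [], "intended": [], "unexpected": []}
    for name in parse_net_share(text):
        if is_administrative(name):
            report["administrative"].append(name)
        elif name.lower() in wanted:
            report["intended"].append(name)
        else:
            report["unexpected"].append(name)
    return report


def remediation_commands(report):
    """The `net share` commands that close every unexpected share."""
    return [f'net share "{name}" /delete' for name in report["unexpected"]]


if __name__ == "__main__":
    result = audit(SAMPLE_NET_SHARE, intended=("Accounts",))
    for kind, names in result.items():
        print(f"{kind:>15}: {', '.join(names) or '-'}")
    for cmd in remediation_commands(result):
        print(cmd)
```

Whether `Public` and `Temp` were ever meant to exist is a question only the admin can answer, which is why `intended` is an input rather than a guess. The `C$`/`D$` drive shares are recreated at every start of the Server service; on Windows 2000 Server they stay off only if the `AutoShareServer` value under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` is set to 0.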

#6

"junkmail" <> wrote:
> i need to know if there is an app out there that will allow me to
> track all movements of remote users who connect to my server, I got
> me a hacker who has now come in to the server 3 times, and started
> renaming files and links. I have no idea how he is getting in, and
> want to close what ever door he is using to get in.
>
> any tips and advice will be of great help.

If he's getting in, then there's no software in the world that will help you. If he has access he can stop that software, edit its logs, or whatever.

You need to do two things:

1. Immediately nuke the server installation and rebuild it from scratch. God knows what's been changed. You can't trust even the simplest of commands or most harmless-appearing software now.

2. Use your router/gateway or some other "off machine" method to do your logging and sniffing so the intruder has no opportunity to erase his tracks.

Borked Pseudo Mailed

#7

Get a freaking router!

Rick Merrill

#8

Rick Merrill wrote:
> get a freaking router!

Why? He doesn't need any routing.

Sebastian Gottschalk

#9

Just guessing, but it sounds like a possible inside job. Could also be a backdoor in 3rd-party software.

moncho

"junkmail" <> wrote in message news...
> i hate to say this, but, i have done this 2 times now,
>
> not only that, i usually change the password 1once a week. this has not
> stopped him. he was back again last night. grrrr..
>
>
> "Todd H." <> wrote in message
> news:...
>> "junkmail" <> writes:
>>
>> > i need to know if there is an app out there that will allow me to track all
>> > movements of remote users who connect to my server, I got me a hacker who
>> > has now come in to the server 3 times, and started renaming files and links.
>> > I have no idea how he is getting in, and want to close what ever door he is
>> > using to get in.
>> >
>> > any tips and advice will be of great help.
>> >
>> > plus, i need to see what shares are running on my pc? is there a way i can
>> > check this out too? so i can close those off. including the $ipc hidden
>> > share.
>>
>> Do you wanna play sherlock holmes, or do you want to fix the issue?
>> If the latter: Unplug the machine from the net, format, and reinstall
>> from original media. Apply all updates from behind a firewall.
>> Recreate user accounts with all new passwords.
>>
>> Best Regards,
>> --
>> Todd H.
>> http://www.toddh.net/

moncho

#10

"junkmail" <> writes:
> here is the steps i took so far.
>
> 1. click on 'Start' button the 'Settings' then 'Control Panel' option.
> 2. double click on the 'Administrative Tools' icon - see new window.
> 3. click 'Computer Management' icon - see Computer Management program.
> 4. click on the + box next to 'Shared Folders' icon on the left.
> 5. click on the 'Shares' option - see list of shares - the C$, D$ and Admin$
> shares are standard and should be OK.
> 6. double click on one of the listed shares - see the '(folder name)
> Properties' dialog.
> 7. click on the 'Sharing Permissions' tab - see list of permitted users.
>
> will see if this stops him.
> had alot of shares open.

Got any budget money? Get an incident management professional in there to find out what the hell is going on.

What's the network architecture? How many folks have LAN access to get to the ports on the Win box? There's a lot of 0day out there that was just recently fixed, and perhaps more that hasn't been.

You may want to look into implementing a network-based intrusion detection system (NIDS) like Snort (snort.org) at your network border that might give you a clue as to where this may be coming from. If the threat is from inside the firewall, some host-based IDS may be in order, but if the individual is quickly rooting your server, that host-based IDS will be disabled in short order.

Have you reviewed the logs on the server to try to construct a timeline? What are the symptoms that have led you to the "hacked" conclusion?

SEC504: Hacker Techniques, Exploits & Incident Handling (GCIH) at http://sans.org/ might be a timely course as well.

--
Todd H.
http://www.toddh.net/
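Todd's question about building a timeline from the server's logs is the step the original poster never describes doing. As an added example (not code from the thread or any poster), the script below reads Security-log records in the shape of a tab-separated Event Viewer export, orders them by time and flags the patterns an incident handler looks for first: a burst of failed logons followed by a success from the same client (a guessed password), network logons from a workstation not on the known list or outside business hours, account creation, audit-policy changes and the log being cleared. The event IDs are the pre-Vista ones Windows 2000 uses; the records, the workstation list and the business-hours window are constructed for the example. Windows 2000 only writes logon and account-management events if "Audit logon events" and "Audit account management" are turned on in the Local Security Policy, so an empty log is itself a finding.

```python
"""Timeline and triage of Windows 2000 Security-log records (added example).

Input rows are tab-separated: date, time, event ID, account, workstation,
logon type (2 = interactive, 3 = network). This is a simplified form of
the Event Viewer text export; the rows below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# NT 4.0 / Windows 2000 / 2003 Security event IDs (pre-Vista numbering).
LOGON_OK = 528              # successful logon (interactive, service, batch)
LOGON_FAIL = 529            # unknown user name or bad password
LOGOFF = 538
NETWORK_LOGON_OK = 540      # successful network logon (SMB share access)
AUDIT_LOG_CLEARED = 517
AUDIT_POLICY_CHANGED = 612
ACCOUNT_CREATED = 624

# Constructed sample export. The account column holds the account the
# event is about (for 624, the account that was created).
SAMPLE_EXPORT = """\
06/23/2006\t01:12:04\t529\tAdministrator\tWKS-7\t3
06/23/2006\t01:12:05\t529\tAdministrator\tWKS-7\t3
06/23/2006\t01:12:07\t529\tAdministrator\tWKS-7\t3
06/23/2006\t01:12:09\t529\tAdministrator\tWKS-7\t3
06/23/2006\t01:12:11\t540\tAdministrator\tWKS-7\t3
06/23/2006\t01:13:40\t624\tsupport\tWKS-7\t
06/23/2006\t01:15:02\t538\tAdministrator\tWKS-7\t3
06/23/2006\t08:30:11\t528\tjmiller\tFILESRV\t2
06/23/2006\t08:31:00\t540\tjmiller\tACCT-PC1\t3
06/23/2006\t23:58:13\t540\tsupport\tWKS-7\t3
06/23/2006\t23:59:50\t517\tsupport\tFILESRV\t
"""

KNOWN_WORKSTATIONS = {"FILESRV", "ACCT-PC1"}   # assumption: the admin's inventory
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 local time
FAIL_BURST = 3                                 # failures before a success = guessing


def parse_export(text):
    """Parse the export into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, eid, user, wks, logon_type = line.split("\t")
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"),
            "id": int(eid),
            "user": user,
            "workstation": wks,
            "logon_type": int(logon_type) if logon_type else None,
        })
    return sorted(events, key=lambda e: e["when"])


def analyse(events):
    """Return (kind, account, workstation, time) findings in timeline order."""
    findings = []
    failures = defaultdict(list)            # (account, workstation) -> times
    for e in events:
        key = (e["user"], e["workstation"])
        tag = lambda kind: findings.append((kind, e["user"], e["workstation"], e["when"]))
        if e["id"] == LOGON_FAIL:
            failures[key].append(e["when"])
        elif e["id"] in (LOGON_OK, NETWORK_LOGON_OK):
            if len(failures.pop(key, [])) >= FAIL_BURST:
                tag("guessed-password")     # success right after repeated failures
            if e["workstation"] not in KNOWN_WORKSTATIONS:
                tag("unknown-workstation")
            if e["when"].hour not in BUSINESS_HOURS:
                tag("off-hours-logon")
        elif e["id"] == ACCOUNT_CREATED:
            tag("account-created")          # a classic persistence step
        elif e["id"] == AUDIT_POLICY_CHANGED:
            tag("audit-policy-changed")
        elif e["id"] == AUDIT_LOG_CLEARED:
            tag("log-cleared")              # anti-forensics; expect gaps after this
    return findings


def by_workstation(events):
    """Which accounts logged on successfully from each client machine."""
    seen = defaultdict(set)
    for e in events:
        if e["id"] in (LOGON_OK, NETWORK_LOGON_OK):
            seen[e["workstation"]].add(e["user"])
    return {wks: sorted(users) for wks, users in seen.items()}


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    for kind, user, wks, when in analyse(evts):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:<22} {user:<14} from {wks}")
    print(by_workstation(evts))
```

On the sample the guessed-password, account-created and log-cleared findings line up within one night from a single client name, which is the kind of thread to pull on before rebuilding. The log-cleared event is the reason the earlier reply insisted on off-machine logging: once 517 appears, anything before it survives only where the intruder could not reach.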