A Malicious looking hack

Discussion in 'Computer Security' started by Steve Jankelowitz, Oct 29, 2003.

  1. Hi

    I wonder if anyone can shed some light on the following:

    A server kept crashing, the hardware is pretty old so it was obviously the
    1st thing that was looked at. The box is running Windows NT 4. It turned
    out that the hardware is fine, but we found directories containing
    encrypted files as well as suspicious files in the Windows directories.
    We cannot delete these directories. It looks to me as if someone has
    hacked into the box and is using it as a gateway, probably for something
    illegal.

    Has anyone encountered this problem and, if so, what can I do to fix it?

    Regards
    Steve
     
    Steve Jankelowitz, Oct 29, 2003
    #1

  2. In article <Xns9423ACCE8375stevejufrmsa1uniforu@196.25.240.158>, on 29 Oct 2003 15:01:37 GMT, Steve Jankelowitz
    <> wrote:

    | Hi
    |
    | I wonder if anyone can shed some light on the following:
    |
    | A server kept crashing, the hardware is pretty old so it was obviously the
    | 1st thing that was looked at. The box is running Windows NT 4. It turned
    | out that the hardware is fine, but we found directories containing
    | encrypted files as well as suspicious files in the Windows directories.
    | We cannot delete these directories. It looks to me as if someone has
    | hacked into the box and is using it as a gateway, probably for something
    | illegal.
    |
    | Has anyone encountered this problem and if so, what can I do to fix it.

    Your best option at this point is a clean install from known good media
    (your original windows NT CD). While doing so make sure you are not connected
    to the internet.

    Before connecting to the internet install firewall and virus checkers also
    from known good media (a good idea might be to get someone who has a secure
    system to download them and burn them to CD for you, along with all updates,
    particularly for the virus checker).

    Then connect to the net and install all NT patches.

    HTH

    <davidp />

    --
    David Postill
     
    David Postill, Oct 29, 2003
    #2

  3. Chuck Guest

    On Wed, 29 Oct 2003 17:56:18 GMT, David Postill <>
    wrote:

    >Your best option at this point is a clean install from known good media
    >(your original windows NT CD). While doing so make sure you are not connected
    >to the internet.
    >
    >Before connecting to the internet install firewall and virus checkers also
    >from known good media (a good idea might be to get someone who has a secure
    >system to download them and burn them to CD for you, along with all updates,
    >particularly for the virus checker).


    Or get a NAT router, and install the updates on your computer safely
    and quickly, while connected.

    A NAT router, software firewall, and properly updated OS /
    applications are all part of a layered defense. None of them is
    unnecessary, and all are affordable.

    Chuck
    I hate spam - PLEASE get rid of the spam before emailing me!
    Paranoia comes from experience - and is not necessarily a bad thing.
     
    Chuck, Oct 29, 2003
    #3
  4. Jim Guest

    Can we get a list of the file names and directories?

    Jim

    Steve Jankelowitz The commander of all things worth commanding said on
    10/29/2003 10:01 AM:
    > Hi
    >
    > I wonder if anyone can shed some light on the following:
    >
    > A server kept crashing, the hardware is pretty old so it was obviously the
    > 1st thing that was looked at. The box is running Windows NT 4. It turned
    > out that the hardware is fine, but we found directories containing
    > encrypted files as well as suspicious files in the Windows directories.
    > We cannot delete these directories. It looks to me as if someone has
    > hacked into the box and is using it as a gateway, probably for something
    > illegal.
    >
    > Has anyone encountered this problem and if so, what can I do to fix it.
    >
    > Regards
    > Steve
     
    Jim, Oct 29, 2003
    #4
  5. In article <Xns9423ACCE8375stevejufrmsa1uniforu@196.25.240.158>,
    says...
    > Hi
    >
    > I wonder if anyone can shed some light on the following:
    >
    > A server kept crashing, the hardware is pretty old so it was obviously the
    > 1st thing that was looked at. The box is running Windows NT 4. It turned
    > out that the hardware is fine, but we found directories containing
    > encrypted files as well as suspicious files in the Windows directories.
    > We cannot delete these directories. It looks to me as if someone has
    > hacked into the box and is using it as a gateway, probably for something
    > illegal.
    >
    > Has anyone encountered this problem and if so, what can I do to fix it.
    >
    > Regards
    > Steve
    >



    hire a better admin.



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Oct 29, 2003
    #5
  6. Bottle Guest

    Let me guess, you're running IIS 4.0, whoopie. Do a complete new install,
    update to SP6, fire your current admin; if it's you, do us a favor and
    kill yourself. The damn NT 4 vulns are all years old. Get a better server
    solution.

    Bottle
     
    Bottle, Oct 30, 2003
    #6
  7. Mal Guest

    On Thu, 30 Oct 2003 06:37:22 GMT, Bottle <> wrote:

    >Let me guess, you're running IIS 4.0, whoopie. Do a complete new install,
    >update to SP6, fire your current admin; if it's you, do us a favor and
    >kill yourself. The damn NT 4 vulns are all years old. Get a better server
    >solution.
    >
    >Bottle


    Maybe you should reply to the OP, not the responders?
     
    Mal, Oct 30, 2003
    #7
  8. Steve Jankelowitz wrote:

    > Hi
    >
    > I wonder if anyone can shed some light on the following:
    >
    > A server kept crashing, the hardware is pretty old so it was obviously the
    > 1st thing that was looked at. The box is running Windows NT 4. It turned
    > out that the hardware is fine, but we found directories containing
    > encrypted files as well as suspicious files in the Windows directories.
    > We cannot delete these directories. It looks to me as if someone has
    > hacked into the box and is using it as a gateway, probably for something
    > illegal.
    >
    > Has anyone encountered this problem and if so, what can I do to fix it.
    >
    > Regards
    > Steve


    Get hold of a recent Linux or FreeBSD installation disk, place it
    in the CD-ROM drive, and reboot.


    --
    microsoft windows is only secure under these conditions
    1. not allowed to connect to the internet
    2. not letting anyone have access to the cdrom or floppy
    drive when unattended
     
    the man who knew too much, Oct 31, 2003
    #8
  9. Steve Guest

    Folder names are COM1, LPT1, etc. Cannot get the file names!!!

    Steve

    "Jim" <> wrote in message
    news:FHVnb.82926$...
    > Can we get a list of the file names and directories?
    >
    > Jim
    >
    > Steve Jankelowitz The commander of all things worth commanding said on
    > 10/29/2003 10:01 AM:
    > > Hi
    > >
    > > I wonder if anyone can shed some light on the following:
    > >
    > > A server kept crashing, the hardware is pretty old so it was obviously the
    > > 1st thing that was looked at. The box is running Windows NT 4. It turned
    > > out that the hardware is fine, but we found directories containing
    > > encrypted files as well as suspicious files in the Windows directories.
    > > We cannot delete these directories. It looks to me as if someone has
    > > hacked into the box and is using it as a gateway, probably for something
    > > illegal.
    > >
    > > Has anyone encountered this problem and if so, what can I do to fix it.
    > >
    > > Regards
    > > Steve

    >
     
    Steve, Nov 3, 2003
    #9
  10. In article <bo526k$1pp$>,
    says...
    > Folder names are COM1, LPT1 etc can not get the file names !!!
    >


    The system was probably compromised, you should rebuild it from scratch.
    Anyway, there is info on removing these folders here:

    http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q120/7/16.ASP&NoWebContent=1

    /steve
    --
    You simply cannot get more server side control of
    your e-mail without running your own mail server and
    knowing how to program.
    http://www.cotse.net/privacyservice.html
     
    Stephen K. Gielda, Nov 3, 2003
    #10
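Added example, not code from the thread or from Microsoft's KB article: a small Python scanner that flags file-system entries whose names are reserved DOS device names (the COM1 and LPT1 folders Steve reports above) and rewrites each one with the `\\.\` device-path prefix, which makes the Win32 layer skip the DOS-name parsing that stops Explorer and ordinary `rd`/`del` from touching such entries. The sample listing, path layout and the `rd /s /q` invocation in the comment are my assumptions; run the live walk against a mounted copy of the disk rather than on the compromised box itself.

```python
import os
import re
from typing import Iterator, List, Tuple

# Windows reserves these DOS device names case-insensitively, whatever
# extension or trailing spaces follow them ("COM1", "com1.txt", "Lpt1 ").
_RESERVED = re.compile(
    r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.[^\\/]*)?\s*$", re.IGNORECASE)


def is_reserved_name(name: str) -> bool:
    """True if a bare file or directory name maps to a DOS device."""
    return bool(_RESERVED.match(name))


def device_path(win_path: str) -> str:
    r"""Rewrite C:\dir\COM1 as \\.\C:\dir\COM1: the \\.\ prefix makes the
    Win32 layer skip DOS-name parsing, so rd/del can address the entry."""
    if not re.match(r"^[A-Za-z]:\\", win_path):
        raise ValueError("need an absolute drive path, got %r" % win_path)
    return "\\\\.\\" + win_path


def find_reserved_entries(entries: List[Tuple[str, str]]) -> List[str]:
    """entries: (parent_dir, name) pairs, as a directory walk yields them.
    Returns a device-prefixed path for every entry with a reserved name."""
    hits = []
    for parent, name in entries:
        if is_reserved_name(name):
            hits.append(device_path(parent.rstrip("\\") + "\\" + name))
    return hits


def walk_entries(root: str) -> Iterator[Tuple[str, str]]:
    """Live variant for a real volume: yield every (parent, name) under root."""
    for parent, dirs, files in os.walk(root):
        for name in dirs + files:
            yield parent, name


# Constructed sample listing standing in for a walk of the compromised box.
SAMPLE = [
    (r"C:\WINNT\system32", "kernel32.dll"),
    (r"C:\WINNT\system32", "COM1"),
    (r"C:\INETPUB\wwwroot", "lpt1.tmp"),
    (r"C:\WINNT", "CONFIG"),  # not reserved: CON must be the whole base name
]

if __name__ == "__main__":
    for p in find_reserved_entries(SAMPLE):
        print('reserved-name entry found; remove with: rd /s /q "%s"' % p)
```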
  11. Steve Guest

    Thanks so much for the help, it is really appreciated

    Steve

    "Stephen K. Gielda" <> wrote in message
    news:...
    > In article <bo526k$1pp$>,
    > says...
    > > Folder names are COM1, LPT1 etc can not get the file names !!!
    > >

    >
    > The system was probably compromised, you should rebuild it from scratch.
    > Anyway, there is info on removing these folders here:
    >
    > http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q120/7/16.ASP&NoWebContent=1
    >
    > /steve
    > --
    > You simply cannot get more server side control of
    > your e-mail without running your own mail server and
    > knowing how to program.
    > http://www.cotse.net/privacyservice.html
     
    Steve, Nov 4, 2003
    #11
  12. ssshades2 Guest

    In article <>, steve@No-Spam-packetderm.com spake thus...
    > The system was probably compromised, you should rebuild it from scratch.
    > Anyway, there is info on removing these folders here:
    >
    > http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q120/7/16.ASP&NoWebContent=1
    >
    > /steve
    >


    Any chance of running that through tinyurl.com first? :)

    http://tinyurl.com/j8s0


    --
    ..:~*^*~:.:~*^*:..:~*^*~:.:~*^*~:.:~*^*~:.

    "We're in the pipe... 5 by 5..."

    shades2 (Perth, WA)
    http://www.iinet.net.au/~shades2

    PGP Public Keys:
    http://members.iinet.net.au/~shades2/pgpkey.html
     
    ssshades2, Nov 9, 2003
    #12
  13. Chuck Guest

    On Sun, 9 Nov 2003 08:46:33 +0800, ssshades2
    <ssshades2@/^nospam|^iiiinet/.net.au> wrote:

    >In article <>, steve@No-Spam-packetderm.com spake thus...
    >> The system was probably compromised, you should rebuild it from scratch.
    >> Anyway, there is info on removing these folders here:
    >>
    >> http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q120/7/16.ASP&NoWebContent=1
    >>
    >> /steve
    >>

    >
    >Any chance of running that through tinyurl.com first? :)
    >
    >http://tinyurl.com/j8s0


    How does anybody concerned with computer security trust TinyURL or any
    other redirector? How do you know what website you're going to? :(

    Chuck
    I hate spam - PLEASE get rid of the spam before emailing me!
    Paranoia comes from experience - and is not necessarily a bad thing.
     
    Chuck, Nov 9, 2003
    #13
  14. ssshades2 Guest

    In article <>,
    spake thus...
    > On Sun, 9 Nov 2003 08:46:33 +0800, ssshades2
    > <ssshades2@/^nospam|^iiiinet/.net.au> wrote:
    >
    > >In article <>, steve@No-Spam-packetderm.com spake thus...
    > >> The system was probably compromised, you should rebuild it from scratch.
    > >> Anyway, there is info on removing these folders here:
    > >>
    > >> http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q120/7/16.ASP&NoWebContent=1
    > >>
    > >> /steve
    > >>

    > >
    > >Any chance of running that through tinyurl.com first? :)
    > >
    > >http://tinyurl.com/j8s0

    >
    > How does anybody concerned with computer security trust TinyURL or any
    > other redirector? How do you know what website you're going to? :(
    >
    > Chuck
    > I hate spam - PLEASE get rid of the spam before emailing me!
    > Paranoia comes from experience - and is not necessarily a bad thing.



    I'm willing to give away the fact I'm referring to a Microsoft support
    document. :)

    Yes you're right if it's some sekret link accessible from the Internet it
    might be a bad idea, but what's an unprotected link doing on the net in the
    first place?

    --
    ..:~*^*~:.:~*^*:..:~*^*~:.:~*^*~:.:~*^*~:.

    "We're in the pipe... 5 by 5..."

    shades2 (Perth, WA)
    http://www.iinet.net.au/~shades2

    PGP Public Keys:
    http://members.iinet.net.au/~shades2/pgpkey.html
     
    ssshades2, Nov 13, 2003
    #14
  15. ssshades2 Guest

    In article <>,
    spake thus...
    > On Sun, 9 Nov 2003 08:46:33 +0800, ssshades2
    > <ssshades2@/^nospam|^iiiinet/.net.au> wrote:
    >
    > >In article <>, steve@No-Spam-packetderm.com spake thus...
    > >> The system was probably compromised, you should rebuild it from scratch.
    > >> Anyway, there is info on removing these folders here:
    > >>
    > >> http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q120/7/16.ASP&NoWebContent=1
    > >>
    > >> /steve
    > >>

    > >
    > >Any chance of running that through tinyurl.com first? :)
    > >
    > >http://tinyurl.com/j8s0

    >
    > How does anybody concerned with computer security trust TinyURL or any
    > other redirector? How do you know what website you're going to? :(


    Don't browse with administrator or root privilege?

    > Chuck
    > I hate spam - PLEASE get rid of the spam before emailing me!
    > Paranoia comes from experience - and is not necessarily a bad thing.


    --
    ..:~*^*~:.:~*^*:..:~*^*~:.:~*^*~:.:~*^*~:.

    "We're in the pipe... 5 by 5..."

    shades2 (Perth, WA)
    http://www.iinet.net.au/~shades2

    PGP Public Keys:
    http://members.iinet.net.au/~shades2/pgpkey.html
     
    ssshades2, Nov 13, 2003
    #15