  1. #1
    Join Date
    Mar 2004
    Posts
    2

    2000 server hacked

    Like that is news. I hope someone will take some pity on me and reply as I'm really a server administrator, but I've been asked to look after a small 2000 web server. When I checked it this week, someone got in and scheduled an event. It was created by netsched. What it did at reboot is try and delete C and D shares, and then the event was deleted. The server isn't running on C: drive, its letter assignment is much higher, so I don't think anything was affected, all still seems to 'serve' ok. But, when I try and run task manager, it loads, but I can't access it. When I move my mouse to the system tray, it disappears. Can anyone comment, or point me to a FAQ for better securing this box? tia. Bit.

  2. #2
    Join Date
    Jun 2003
    Location
    UK
    Posts
    6,601
    (Not a Windows Admin) However, after any break-in you want to clean install and restore from known good clean backups.

    Rus
    Russ Foster - Industry Curmudgeon

  3. #3
    Join Date
    Mar 2004
    Posts
    2
    With Microsoft servers wouldn't that be a daily chore unless I figure out how to stop the same thing from happening first?

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Windows Update is your friend.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #5
    Join Date
    May 2003
    Location
    Philadelphia
    Posts
    968
    Bit,

    Head on over to sysinternals.com and pick up Process Explorer, TCPView, Regmon, CPUmon, Handle, fport, listdlls and DiskMon. These tools will help you find out exactly what's going on with your box. I'm not sure exactly what's going on, but there have been a number of worms and bots released lately; it may well be one of those.
    http://www.eBoundary.com - Let us help you expand your eBoundaries!
    Fast, Secure and reliable FreeBSD shared, reseller and dedicated hosting.
    FREE Peace of mind with every account!

  6. #6
    Join Date
    Jan 2002
    Location
    Hudson, Wisconsin
    Posts
    560
    More than likely you are infected with the Blaster virus. It shuts down your task manager, regedit, and your antivirus software. Does the machine reboot when you attempt to connect to the internet?

    Some good reading:

    http://www.microsoft.com/security/incident/blast.asp

    http://securityresponse.symantec.com...ster.worm.html
