Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows server 2003 hacked/compromised


  • Please log in to reply
1 reply to this topic

#1 jastarafie

jastarafie

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:16 PM

Posted 16 October 2012 - 08:09 AM

Hello,

Last week one of our windows 2003 servers got hacked trough (i think) RDP that was accesible directly from the outside, (don't ask).
Steps I took to clean this mess:
  • I immediatly blocked RDP on the firewall
  • disabled the local users that the hackers created
  • forced a password reset for all users
I thought it was over with these actions but if I did a netstat a i saw a lot of open smtp connections.
And when i sniffed with wireshark i saw that it was trying to send spam every x seconds.
So I blocked the smtp port on the firewall and:
  • ran a scan with malwarebytes -> nothing much found
  • scanned with rootkitremover -> nothing found
  • scanned with TDSSKiller -> nothing found
  • scanned with gmer -> 2 files found, one hidden process and one sss3.exe process
  • the only thing i could was to kill the hidden process, the sss3.exe file I deleted manually.

As for now the spam has stopped, but i'm sure if the server reboots, it will begin again.
What can i do to clean this server completely? I know a total reinstall would be the best but isn't possible for the moment.
Hijackthis log: http://pastebin.com/kv8baGB9

Anyone with some advice on this to scan/find and delete the infected process?

Thanks in advance

BC AdBot (Login to Remove)

 


#2 easyrider2

easyrider2

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:16 PM

Posted 21 October 2012 - 11:17 AM

Hi,

it may be a good idea if you posted in the 'Am I infected?' Forum (http://www.bleepingcomputer.com/forums/forum103.html).

I am sure that they will take a good care of you there.

Regards.

Edited by easyrider2, 21 October 2012 - 11:17 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users