Last week one of our Windows 2003 servers got hacked through (I think) RDP, which was accessible directly from the outside (don't ask).
Steps I took to clean this mess:
- I immediately blocked RDP on the firewall
- disabled the local users that the hackers created
- forced a password reset for all users
And when I sniffed with Wireshark I saw that it was trying to send spam every x seconds.
So I blocked the SMTP port on the firewall and:
- ran a scan with Malwarebytes -> nothing much found
- scanned with RootkitRemover -> nothing found
- scanned with TDSSKiller -> nothing found
- scanned with GMER -> 2 files found, one hidden process and one sss3.exe process
- the only thing I could do was kill the hidden process; the sss3.exe file I deleted manually.
For now the spam has stopped, but I'm sure that if the server reboots it will begin again.
What can I do to clean this server completely? I know a total reinstall would be best, but that isn't possible at the moment.
HijackThis log: http://pastebin.com/kv8baGB9
Does anyone have some advice on how to scan for/find and delete the infected process?
Thanks in advance
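The part of the question that the scanners did not answer is what will restart the spammer after a reboot. The script below is an added example, not the poster's code or output from any of the tools named above: it lists the processes currently holding TCP/25 connections, enumerates the common autostart locations (Run/RunOnce keys for the machine and each loaded user hive, the Winlogon Shell/Userinit values, services whose binary lives outside the Windows and Program Files trees, scheduled tasks) and then cross-references the two, so that any autostart entry naming the image of a process that is sending mail right now stands out. It assumes Windows PowerShell 2.0 is installed on the Server 2003 host, that the shell is elevated, and that schtasks prints its English column names; netstat -ano and WMI are used because the newer networking cmdlets do not exist on that OS.

```powershell
# Added example (not from the original post): post-compromise triage on a Windows
# Server 2003 host. Assumes Windows PowerShell 2.0 is installed and the shell is
# elevated. Nothing here deletes anything; it only enumerates and correlates.

# 1. Processes currently talking to TCP/25, mapped to their image path. netstat -ano is
#    parsed because Get-NetTCPConnection does not exist on Server 2003.
function Get-SmtpTalkers {
    $pids = netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+\s+\S+:25\s+\w+\s+(\d+)\s*$') { [int]$Matches[1] }
    } | Sort-Object -Unique
    foreach ($p in $pids) {
        $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $p"
        if ($proc) {
            New-Object PSObject -Property @{
                PID = $p; Name = $proc.Name; Path = $proc.ExecutablePath
                Parent = $proc.ParentProcessId; CommandLine = $proc.CommandLine
            }
        }
    }
}

# 2. Registry autostart locations: machine and per-user Run/RunOnce keys plus the
#    Winlogon Shell and Userinit values, which malware commonly appends itself to.
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hives = Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $keys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        $keys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty $k
        foreach ($m in ($props | Get-Member -MemberType NoteProperty)) {
            $name = $m.Name
            if ($name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not registry values
            if ($k -like '*Winlogon' -and ('Shell','Userinit') -notcontains $name) { continue }
            New-Object PSObject -Property @{ Location = $k; Name = $name; Value = $props.$name }
        }
    }
}

# 3. Services whose binary lives outside the Windows or Program Files trees, and every
#    scheduled task. Neither is proof of malware, but on a server both lists are short
#    enough to read in full. Column names are those of the English schtasks output.
function Get-SuspectServices {
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[a-z]:\\(windows|program files)' } |
        Select-Object Name, State, StartMode, PathName
}
function Get-TaskSummary {
    schtasks /query /fo CSV /v | ConvertFrom-Csv | Select-Object TaskName, 'Task To Run', 'Run As User'
}

# 4. Cross-reference: an autostart entry or service whose value names the image of a
#    process that is sending mail right now is what will bring it back after a reboot.
function Get-PersistenceHits {
    $talkers = @(Get-SmtpTalkers | Where-Object { $_.Path })
    $entries = @(Get-AutostartEntries) + @(Get-SuspectServices | ForEach-Object {
        New-Object PSObject -Property @{ Location = "Service:$($_.Name)"; Name = $_.Name; Value = $_.PathName }
    })
    foreach ($t in $talkers) {
        $leaf = [regex]::Escape([System.IO.Path]::GetFileName($t.Path))
        foreach ($e in $entries) {
            if ("$($e.Value)" -match $leaf) {
                New-Object PSObject -Property @{ PID = $t.PID; Image = $t.Path; Autostart = $e.Location; Value = $e.Value }
            }
        }
    }
}

'== Processes with TCP/25 connections =='         ; Get-SmtpTalkers      | Format-Table -AutoSize
'== Registry autostart entries =='                ; Get-AutostartEntries | Format-Table -AutoSize
'== Services outside Windows/Program Files =='    ; Get-SuspectServices  | Format-Table -AutoSize
'== Scheduled tasks =='                           ; Get-TaskSummary      | Format-Table -AutoSize
'== Autostart entries matching an SMTP talker ==' ; Get-PersistenceHits  | Format-Table -AutoSize
```

Two caveats when reading the output. A kernel-mode rootkit that hides a process, which is what a GMER "hidden process" finding points at, hides it from netstat and WMI on the same box as well, so an empty TCP/25 list is not evidence of a clean host; the view from the firewall or a Wireshark capture on another machine, as the poster already did, is the one to trust. And a binary found in an autostart location is a lead to follow (who wrote it, when, what else was created at that time), not a cleanup step in itself; deleting one file while the loader that dropped it survives is exactly how the spam comes back after the next reboot.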