
Server hacked, phishing and other horrible issues ensue

Posted: 23 Jun 2011, 12:58
by Jonboy
Help me please,

Got a call this morning from MWeb to say that our server has been hacked and is being used for phishing etc. They've gotten through the firewall and NOD. When I logged on after seeing this, I noticed a bunch of suspect services running that weren't there before and a 216Mb "williams poker" entry in the add / delete programmes, but the uninstall file is suspect.

Busy running a full scan with NOD, but what should I do to eradicate this from the system? This is a bit beyond what I've done before and I'm at a loss.

We have a fixed IP if that's any help.

Any software you suggest to clear this?

Thanks,
J

Re: Server hacked, phishing and other horrible issues ensue

Posted: 23 Jun 2011, 15:57
by Tribble
Find the application and remove it manually.

As for the services - google them to see if they are actual services. Symantec's site generally has very good removal tools if a virus or suspect code is involved. You may just find that some person installed a poker program without permission (they do stupid things on servers). Also check your ports and see how they are getting in. The guys who work with networks will be able to tell you which tools to use to find this out.

Otherwise - good luck. Glad I am not you.
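Tribble's advice boils down to two checks: which running services are not ones you installed, and which ports are open and owned by what. As an added example (not code from this thread), the script below diffs a snapshot of services and sockets against a baseline recorded when the server was known-good. The two snapshots are constructed and only mimic the layout of `sc query` and `netstat -ano` output; the baseline sets and the IP addresses are assumptions for illustration, and on a real host you would paste the commands' actual output in.

```python
"""Service and listening-port triage for a Windows server suspected of compromise.

Added example; this is not code from the thread. It diffs a snapshot of running
services and listening sockets against a baseline recorded while the server was
known-good. The two snapshots below are constructed and mimic the layout of
`sc query` and `netstat -ano` output; on a real host, paste that output in.
"""
import re

# Constructed baseline: service names seen on the server when it was clean.
BASELINE_SERVICES = {"Dnscache", "LanmanServer", "NTDS", "W3SVC", "wuauserv", "ekrn"}

# Constructed baseline: ports this box is expected to listen on
# (DNS, Kerberos, HTTP, NetBIOS, LDAP, HTTPS, SMB, RDP).
EXPECTED_LISTEN_PORTS = {53, 88, 80, 139, 389, 443, 445, 3389}

# Constructed excerpt shaped like `sc query` output.
SC_QUERY_OUTPUT = """
SERVICE_NAME: Dnscache
        STATE              : 4  RUNNING
SERVICE_NAME: W3SVC
        STATE              : 4  RUNNING
SERVICE_NAME: wpsvc
        STATE              : 4  RUNNING
SERVICE_NAME: wuauserv
        STATE              : 1  STOPPED
"""

# Constructed excerpt shaped like `netstat -ano` output.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3320
  TCP    192.0.2.10:1057        198.51.100.7:25        ESTABLISHED     3320
  UDP    0.0.0.0:53             *:*                                    1388
"""


def parse_sc_services(text):
    """Map service name -> state (RUNNING, STOPPED, ...) from `sc query` style text."""
    services, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and name:
            services[name] = m.group(1)
    return services


def parse_netstat_sockets(text):
    """Return (proto, local_port, state, foreign, pid) tuples from `netstat -ano` style text."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        proto, local, foreign = parts[0], parts[1], parts[2]
        port = int(local.rsplit(":", 1)[1])
        state = parts[3] if proto == "TCP" else "BOUND"  # UDP rows carry no state column
        sockets.append((proto, port, state, foreign, int(parts[-1])))
    return sockets


def unknown_running_services(text, baseline=BASELINE_SERVICES):
    """Running services absent from the baseline: the first names to look up."""
    return sorted(n for n, st in parse_sc_services(text).items()
                  if st == "RUNNING" and n not in baseline)


def unexpected_listeners(text, expected=EXPECTED_LISTEN_PORTS):
    """Listening sockets on ports the baseline does not account for, with owning PID."""
    return sorted((proto, port, pid)
                  for proto, port, state, _foreign, pid in parse_netstat_sockets(text)
                  if state in ("LISTENING", "BOUND") and port not in expected)


def pids_talking_smtp(text):
    """PIDs holding outbound connections to port 25: candidates for a bulk mailer."""
    return sorted({pid for proto, _p, state, foreign, pid in parse_netstat_sockets(text)
                   if proto == "TCP" and state == "ESTABLISHED"
                   and foreign.rsplit(":", 1)[1] == "25"})


if __name__ == "__main__":
    print("Unknown running services:", unknown_running_services(SC_QUERY_OUTPUT))
    print("Unexpected listeners:", unexpected_listeners(NETSTAT_OUTPUT))
    print("PIDs with outbound SMTP sessions:", pids_talking_smtp(NETSTAT_OUTPUT))
```

The PID column is what ties the two views together: an unknown service, a listener on a port nobody opened on purpose and an outbound mail session all owned by the same process is a much stronger lead than any one of them alone, and `tasklist /svc` will tell you which service or executable that PID belongs to.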

Re: Server hacked, phishing and other horrible issues ensue

Posted: 24 Jun 2011, 09:52
by JollyJamma
Take out the LAN cable, shut down, reboot in safe mode, delete the software. If you can't fix it, reinstall. Back up data to online storage first though.

Re: Server hacked, phishing and other horrible issues ensue

Posted: 24 Jun 2011, 10:02
by Jonboy
JollyJamma wrote:Take out the LAN cable, shut down, reboot in safe mode, delete the software. If you can't fix it, reinstall. Back up data to online storage first though.
Thanks for the help guys. I shut the router down, ran a full anti-rootkit, NOD antivirus / anti-spyware, bot search; all turned up empty. Did find a bulk mailer (with no uninstall), phpnuke, poker bots and similar nasties. Have taken off what I can and have changed all the passwords. MWeb have shut down our SMTP for now, allowing regular web use.

After chatting with the guy, it seems we had a vulnerable STTP port on the router / IP even though our website is hosted externally; they probably gained access and cracked the password (which wasn't any great shakes to start with).

Now trying to eliminate any and all traces of any malware installed.

What a pain.
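The ISP noticed the bulk mailer from the outside before anyone inside did, because a file server suddenly opening SMTP sessions to dozens of different hosts a minute stands out in perimeter logs. As an added example (not code from this thread, and not any particular router's log format), the script below runs that detection over constructed connection records: it keeps a one-minute sliding window per source and reports sources whose count of distinct port-25 destinations exceeds a threshold. The addresses, the threshold and the `timestamp src= dst= dport= proto=` line layout are all assumptions for illustration.

```python
"""Flag hosts behaving like a bulk mailer in outbound connection logs.

Added example; not code from the thread. Each record is one outbound
connection. For every source we keep the port-25 connections seen in the last
`window_seconds` and count distinct destinations; a normal relay talks to a few
MX hosts slowly, a spam bot talks to many in a burst. The log lines are
constructed here in a simple generic layout, not a real device's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport, proto) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)


def smtp_burst_sources(lines, window_seconds=60, max_distinct_dst=20):
    """Map source -> peak distinct SMTP destinations within one window, for sources over the limit."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst), oldest first
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if proto != "tcp" or dport != 25:
            continue  # only outbound SMTP matters for this detection
        q = recent[src]
        q.append((ts, dst))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:
            q.popleft()  # drop connections that have aged out of the window
        distinct = len({d for _, d in q})
        if distinct > max_distinct_dst:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


def build_sample_log():
    """Constructed log: one compromised server blasting SMTP, plus the legitimate mail relay."""
    base = datetime(2011, 6, 23, 8, 0, 0)
    lines = []
    # 50 connections from the file server to 50 distinct hosts within 25 seconds.
    for i in range(50):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} src=192.0.2.10 dst=198.51.100.{i + 1} dport=25 proto=tcp")
    # The real mail relay: one delivery every 30 seconds, five in total.
    for i in range(5):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} src=192.0.2.20 dst=203.0.113.{i + 1} dport=25 proto=tcp")
    # Unrelated HTTPS traffic from the same server, which the detection must ignore.
    lines.append(f"{base:%Y-%m-%dT%H:%M:%S} src=192.0.2.10 dst=203.0.113.50 dport=443 proto=tcp")
    return sorted(lines)  # fixed-width timestamps sort chronologically


if __name__ == "__main__":
    for src, peak in smtp_burst_sources(build_sample_log()).items():
        print(f"{src}: {peak} distinct SMTP destinations within one minute")
```

Tuning the threshold is the whole job here: set it just above what your real mail server does on its busiest minute, and the only hosts that trip it are ones that should not be sending mail at all. Blocking outbound port 25 from everything except the mail server at the router turns the same idea into prevention rather than detection.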

Re: Server hacked, phishing and other horrible issues ensue

Posted: 27 Jun 2011, 21:13
by JollyJamma
Everyone seems to be getting hacked now.

Word of advice. Implement strict and complicated security measures and document it all.

Passwords should be 50 characters long, encryption of the hard drive, SSL, certificates, etc. It's a biatch but it's not hard or expensive to implement and can save you a ton of trouble.

Re: Server hacked, phishing and other horrible issues ensue

Posted: 28 Jun 2011, 07:59
by Jonboy
Thanks to all for the advice. These guys have totally borked things. Thought we had eradicated most of the problem last week, came in on Monday and the server was stuck in a loop because they nuked Active Directory. Booted in Directory Services repair mode and reinstated the last system state backup and wham, endless reboot loop because of a Winlogon error. Can only assume they associated a process / service with Winlogon.exe that caused hassles, so the end result is that we're sitting re-installing SBS and setting up the domain from scratch. What a pain.