Re: Hacked
You really need to look hard at every possible point of entry, from
existing users to an outside attacker. Here are some basic questions to
ask yourself:
* Is there a hardware firewall between you and the internet? e.g. are you on
a private address space?
* Audit every account and group membership.
* Audit every possible place to hide startup scripts and executables, both
in the registry and the Start Menu.
* Increase event logging to FULL, e.g. in secpol.msc check both boxes on all
audit policies.
* Run both nbtstat and netstat and investigate all connections.
* Consider having every user reset his/her password, and reset all
service accounts; reset or disable any old or temp accounts.
That should give you a pretty good start.
-Nex6
On Mon, 10 Sep 2007, James Matthews wrote:
> Someone doesn't always hack in using an exploit! Sometimes they crack the
> passwords, etc. You have to consider any and every point of intrusion.
>
> --
>
> http://www.goldwatches.com/
> http://www.jewelerslounge.com/
> "Newell White" <NewellWhite@discussions.microsoft.com> wrote in message
> news35907B2-F92A-4CBA-AF04-D3FC556D723E@microsoft.com...
>> Record the modified and created dates on the installed files and their
>> containing folders. This will give you some clue as to the time window you
>> should search in the Security log using Event Viewer, which should give you
>> the IP of the computer originating any login request.
>>
>> What is your network topology?
>> Anti-virus software won't help.
>> Do you have a hardware firewall between the server and the wicked outside world?
>> If so, and it is configured correctly, this is most likely an inside job.
>> --
>> Newell White
>>
>>
>> "SuperSlueth" wrote:
>>
>>> I'm running Exchange 2003 on Server 2003 with all the latest patches and
>>> fixes applied. I have the latest version of Norton Corporate Antivirus
>>> with all the updates.
>>> I've done a full scan and the server is clean.
>>> Yet every 2 or 3 days I see that a new user has been added "hello5" and
>>> programs have been installed.
>>> I can delete the programs and the user. I've disabled Remote Desktop and
>>> changed the admin password, but this person still gets to the
>>> server.
>>> Does anyone have any idea how to find out where he comes in from and how
>>> to block it?
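An added example, not part of the thread: a PowerShell triage script that walks Nex6's checklist (account and group audit, autostart locations, audit policy, connections, and the Security log search Newell suggests) on a current Windows host. It assumes a constructed baseline of expected accounts, PowerShell 5 or later, auditpol.exe, and an elevated session that can read the Security log; it only reports, it changes nothing.

```powershell
# Added triage script (not from the thread). Assumed/constructed: the baseline
# account list below, PowerShell 5+, auditpol.exe, and an elevated session.
$ExpectedUsers = @('Administrator', 'Guest', 'svc_backup')   # constructed baseline

Write-Host "== Local accounts not in baseline (e.g. a surprise 'hello5') =="
Get-LocalUser | Where-Object { $_.Name -notin $ExpectedUsers } |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

Write-Host "== Members of the local Administrators group =="
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

Write-Host "== Autostart entries: Run/RunOnce keys and Startup folders =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |          # drop PSPath etc.
            ForEach-Object { "{0}: {1} = {2}" -f $k, $_.Name, $_.Value }
    }
}
Get-ChildItem "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
              "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, LastWriteTime

Write-Host "== Audit policy: Logon/Logoff and Account Management should be Success and Failure =="
auditpol /get /category:*

Write-Host "== Established/listening TCP connections with owning process =="
Get-NetTCPConnection -State Established, Listen |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
        @{n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Sort-Object RemoteAddress | Format-Table -AutoSize

Write-Host "== Last 3 days: account creations (4720) and network/RDP logons (4624 type 3/10) with source IP =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4624; StartTime = (Get-Date).AddDays(-3) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($_.Id -eq 4720 -or $d.LogonType -in '3', '10') {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Account = $d.TargetUserName
                               LogonType = $d.LogonType; SourceIp = $d.IpAddress }
        }
    } | Format-Table -AutoSize
```

The 4720/4624 IDs are the Vista-and-later Security log IDs; a Server 2003 box logs the same events as 624 and 528/540 and is better read in Event Viewer as Newell describes.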