Jwillard
2011-11-22, 20:15
Hi all. I have a Windows 2003 server that got broken into big time. It apparently began last Friday afternoon. It was discovvered on Monday morning when the office didn't have any connectivity to the server. Someone went ot log into the server to check it and it was locked with the account "SUPPORT_388945a0".
Someone, aparently from Estonia (last reply on a ping trace) broke in, created a number of user accounts, "HakerM", "Administrator" (We had renamed the built-in Administrator Acct), "Spoler", "TechSupport" and "SUPPORT_388945a0". They also created asecurity group called "HelpServicesGroup".
In looking around, I found they had installed a number of programs in the Decktop folders for the accounts they created. The programs include JetSwap, DBrute with associated txt files and DLL's.
the part that really worries me is it appears that they also installed some sort of "parallel" copy of windows that I can't find or see. In the registry there are a bunch of references to Side by Side and in some of the shortcuts in the hacker's desktop folder seem to point to different disk partisions or the like.
The other "symptom" is that all of the server "services" are running but nothing respond's. No DHCP, no DNS, no IIS and now domain Controller functions. I can web surf and access network printers however.
I backed up the registry but couldn't run DDS.
Anyone willing to pick up the ball on this one?
Thanks
Jeff
Someone, aparently from Estonia (last reply on a ping trace) broke in, created a number of user accounts, "HakerM", "Administrator" (We had renamed the built-in Administrator Acct), "Spoler", "TechSupport" and "SUPPORT_388945a0". They also created asecurity group called "HelpServicesGroup".
In looking around, I found they had installed a number of programs in the Decktop folders for the accounts they created. The programs include JetSwap, DBrute with associated txt files and DLL's.
the part that really worries me is it appears that they also installed some sort of "parallel" copy of windows that I can't find or see. In the registry there are a bunch of references to Side by Side and in some of the shortcuts in the hacker's desktop folder seem to point to different disk partisions or the like.
The other "symptom" is that all of the server "services" are running but nothing respond's. No DHCP, no DNS, no IIS and now domain Controller functions. I can web surf and access network printers however.
I backed up the registry but couldn't run DDS.
Anyone willing to pick up the ball on this one?
Thanks
Jeff