I've been cracked... - John C. Kirk — LiveJournal
Aug. 5th, 2002
02:08 am - I've been cracked...
Aargh - someone's been playing silly buggers with my server. The hazards of having a permanent connection to the internet, with static IP address - makes you a target for this type of thing. (No, I'm not going to refer to "hacking" in this context.)
Our internet connection tends to die periodically - think it's because we're using a USB ADSL modem, rather than a router (a situation I intend to rectify). When this happened earlier, I went to reboot the server as usual. I then saw a message from the anti-virus software, saying it had moved two files on the C drive that were infected. They were both called "server.exe" - one was in the root, and one was in the winnt\system32 folder. After the reboot, I noticed a service running - "Serv-U FTP Server". That's not something I've installed, and it was running out of a random folder in the profiles area. Suspiciously, it was created today at the same time as the anti-virus software found the infected files. In fact, I had two copies of the folder structure (on different drives), but only one contained files.
I've got rid of that service, and tried to delete the folders. However, they've got names like AUX and COM1, which means Explorer won't handle that problem.
Q120716 had the solution, although it requires you to own a copy of the Windows 2000 Resource Kit to get the necessary file - fortunately, I do have a copy. (Bought it a while back, after I got stumped by one of Lorna's problems with her PC.)
I definitely need to get a proper copy of the anti-virus software, since it's still protecting me after the evaluation period expired. The only problem is that it isn't sold in the UK (yet), so I'll need to order it from the USA.
There were some other issues - for instance, the Guest account had wound up in the Administrators group. I've removed it, and disabled it - I suspect that someone got in a different way, then made that change as a backdoor. From my reading, it looks like the FTP business is something that warez d00dz use, as a way to hijack a server as a file-dump.
Next step is to sort out some proper logging, so that I can track down the little shits responsible for this.
Anyway, I've now locked down the server, and it seems to be running smoothly now. I'll keep an eye on it, to make sure nothing else happens. And just to clarify, please do not send comments like "Windows is crap - you should use Unix"!