Hacked

Secure Home | Search | About

Lost Password?

Microsoft Applications Security

get this group's latest topics as an RSS feed

add this group's latest topics to your My MSN content

add this group's latest topics to your My Yahoo content

add this group's latest topics to your Google content

Subject

Author

Date

Hacked

SuperSlueth

09-10-2007

RE: Hacked

New

09-10-2007

Re: Hacked

James Matthews

09-10-2007

Re: Hacked

Nex6

09-11-2007

Re: Hacked

Nex6

09-11-2007

Re: Hacked

Nex6

09-11-2007

Re: Hacked

Nex6

09-11-2007

Re: Hacked

Nex6

09-11-2007

Re: Hacked

Nex6

09-11-2007

Re: Hacked

Nex6

09-11-2007

Re: Hacked

Shenan Stanley

09-11-2007

Re: Hacked

Nex6

09-11-2007

Posted by =?Utf-8?B?U3VwZXJTbHVldGg=?= on September 10, 2007, 6:14 am

If you were Registered and logged in, you could reply and use other advanced thread options

I'm running exchange 2003 on server 2003 with all the latest patches and
fixes applied. I have the latest version of norton corperate antivirus with
all the updates.
I've done a full scan and the server is clean.
Yet every 2 or 3 days I see that a new user has been added "hello5" and
programs have been installed.
I can delete the programs and the user I've disabled remote desktop and
changed the admin password, but still this person still gets to the server.
does anyone have any idea how to find out where he comes in from and how to
block it

Posted by =?Utf-8?B?TmV3ZWxsIFdoaXRl?= on September 10, 2007, 10:40 am

If you were Registered and logged in, you could reply and use other advanced thread options

Record the modified and created dates on the installed files and their
containing folders. This will give you some clue as to the time window you
should search in the Security log using Event Viewer - should give you IP of
computer originating any login request.

What is your network topology?
Anti-virus software won't help.
Do you have hardware firewall between server and the wicked outside world?
If so, and it is configured correctly, this is most likely an inside job.
--
Newell White

"SuperSlueth" wrote:

> I'm running exchange 2003 on server 2003 with all the latest patches and

> fixes applied. I have the latest version of norton corperate antivirus with

> all the updates.

> I've done a full scan and the server is clean.

> Yet every 2 or 3 days I see that a new user has been added "hello5" and

> programs have been installed.

> I can delete the programs and the user I've disabled remote desktop and

> changed the admin password, but still this person still gets to the server.

> does anyone have any idea how to find out where he comes in from and how to

> block it

Posted by James Matthews on September 10, 2007, 3:03 pm

If you were Registered and logged in, you could reply and use other advanced thread options

Not always does someone hack using an exploit! Sometimes they crack the
passwords etc... You have to consider every and any point of intrusion

--

http://www.goldwatches.com/
http://www.jewelerslounge.com/

> Record the modified and created dates on the installed files and their

> containing folders. This will give you some clue as to the time window you

> should search in the Security log using Event Viewer - should give you IP

> of

> computer originating any login request.

> What is your network topology?

> Anti-virus software won't help.

> Do you have hardware firewall between server and the wicked outside world?

> If so, and it is configured correctly, this is most likely an inside job.

> --

> Newell White

> "SuperSlueth" wrote:

>> I'm running exchange 2003 on server 2003 with all the latest patches and

>> fixes applied. I have the latest version of norton corperate antivirus

>> with

>> all the updates.

>> I've done a full scan and the server is clean.

>> Yet every 2 or 3 days I see that a new user has been added "hello5" and

>> programs have been installed.

>> I can delete the programs and the user I've disabled remote desktop and

>> changed the admin password, but still this person still gets to the

>> server.

>> does anyone have any idea how to find out where he comes in from and how

>> to

>> block it

Posted by Nex6 on September 11, 2007, 3:31 pm

If you were Registered and logged in, you could reply and use other advanced thread options

You really need to look hard and every possible point of entry. form
existing users to an outside attacker. here are some basic questions to
ask yourself:

*is there a hardware firewall between you and the internet? eg are you on
a private address space?

*audit every account and group membership.
*audit every possbile place to hide startup scripts and excutables, both
in the registry and start menu

*increase event logging to FULL, eg: in secpol.msc check both boxes on all
audit policys

*run both nbtstat and netstat and investigate all conntections.

*consider, having every user reset his/her passwords, and reset all
service accounts. and old or temp accounts reset or disable

That should give you a pretty good start.

-Nex6

On Mon, 10 Sep 2007, James Matthews wrote:

> Not always does someone hack using an exploit! Sometimes they crack the

> passwords etc... You have to consider every and any point of intrusion

> --

> http://www.goldwatches.com/

> http://www.jewelerslounge.com/

>> Record the modified and created dates on the installed files and their

>> containing folders. This will give you some clue as to the time window you

>> should search in the Security log using Event Viewer - should give you IP

>> of

>> computer originating any login request.

>> What is your network topology?

>> Anti-virus software won't help.

>> Do you have hardware firewall between server and the wicked outside world?

>> If so, and it is configured correctly, this is most likely an inside job.

>> --

>> Newell White

>> "SuperSlueth" wrote:

>>> I'm running exchange 2003 on server 2003 with all the latest patches and

>>> fixes applied. I have the latest version of norton corperate antivirus

>>> with

>>> all the updates.

>>> I've done a full scan and the server is clean.

>>> Yet every 2 or 3 days I see that a new user has been added "hello5" and

>>> programs have been installed.

>>> I can delete the programs and the user I've disabled remote desktop and

>>> changed the admin password, but still this person still gets to the

>>> server.

>>> does anyone have any idea how to find out where he comes in from and how

>>> to

>>> block it

Posted by Nex6 on September 11, 2007, 3:31 pm

If you were Registered and logged in, you could reply and use other advanced thread options

> Not always does someone hack using an exploit! Sometimes they crack the

> passwords etc... You have to consider every and any point of intrusion

> --

> http://www.goldwatches.com/

> http://www.jewelerslounge.com/

>> Record the modified and created dates on the installed files and their

>> containing folders. This will give you some clue as to the time window you

>> should search in the Security log using Event Viewer - should give you IP

>> of

>> computer originating any login request.

>> What is your network topology?

>> Anti-virus software won't help.

>> Do you have hardware firewall between server and the wicked outside world?

>> If so, and it is configured correctly, this is most likely an inside job.

>> --

>> Newell White

>> "SuperSlueth" wrote:

>>> I'm running exchange 2003 on server 2003 with all the latest patches and

>>> fixes applied. I have the latest version of norton corperate antivirus

>>> with

>>> all the updates.

>>> I've done a full scan and the server is clean.

>>> Yet every 2 or 3 days I see that a new user has been added "hello5" and

>>> programs have been installed.

>>> I can delete the programs and the user I've disabled remote desktop and

>>> changed the admin password, but still this person still gets to the

>>> server.

>>> does anyone have any idea how to find out where he comes in from and how

>>> to

>>> block it

Similar Threads	Posted
Have I been hacked?	July 4, 2005, 5:37 pm
Was I hacked?	October 20, 2005, 9:18 am
HELP! i've been hacked!	March 28, 2006, 12:52 pm
Can You Tell By This Log If We Were Hacked?	October 23, 2006, 12:27 pm
Have I been Hacked?	November 5, 2006, 10:59 am
I've been hacked	July 11, 2007, 9:22 pm
i think ive been hacked maybe ????	February 7, 2008, 11:01 am
got hacked this weekend	July 25, 2005, 7:08 pm
Hacked/invaded/etc. etc.	November 28, 2005, 2:56 pm
Hacked or.....Would appreciate expert help	January 23, 2006, 3:26 pm

The site map in XML format XML site map