been hacked, tlntsvr.exe cannot be shut down

Jerry

Hi,

I found 27 Gig of movies and games on my server today.
I was able to expunge them, although they were very
sneaky and clever about changing ownership and
permissions (they were hidden in RECYCLER folder).

But after running AV software and updating Win2k Server
to SP4 with all the latest updates, I still see a connection in
netstat that looks like hackers (note the Poland URL) and
cannot stop tlntsvr.exe (Telnet Services Manager opens a
window which immediately shuts; access denied from Task
Manager).

Any idea how to kick out the intruder?

Active Connections

Proto  Local Address                        Foreign Address                             State
TCP    chinabilling2:microsoft-ds           dpc691943014.direcpc.com:33744              ESTABLISHED
TCP    chinabilling2:microsoft-ds           host45-168.pool80181.interbusiness.it:4073  ESTABLISHED
TCP    chinabilling2:microsoft-ds           beg251.neoplus.adsl.tpnet.pl:3118           ESTABLISHED
TCP    chinabilling2:2121                   pD9EE0561.dip0.t-ipconnect.de:3962          ESTABLISHED
TCP    chinabilling2:6620                   pD9EE0561.dip0.t-ipconnect.de:4110          TIME_WAIT
TCP    chinabilling2:6620                   pD9EE0561.dip0.t-ipconnect.de:4124          TIME_WAIT
TCP    chinabilling2:6621                   ACB59020.ipt.aol.com:2921                   ESTABLISHED
TCP    chinabilling2:6621                   pD9EE0561.dip0.t-ipconnect.de:3918          ESTABLISHED
TCP    chinabilling2:6621                   pD9EE0561.dip0.t-ipconnect.de:3922          ESTABLISHED
TCP    chinabilling2:6621                   pD9EE0561.dip0.t-ipconnect.de:3970          ESTABLISHED
TCP    chinabilling2:6621                   pD9EE0561.dip0.t-ipconnect.de:3989          ESTABLISHED
       chinabilling2.POP.local:microsoft-ds                                             TIME_WAIT

Jerry
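A small triage script, added here as an example and not part of the original thread, that parses netstat output in the layout shown above and groups ESTABLISHED sessions from outside the LAN by the local port they hit, which makes the cluster of internet peers on microsoft-ds and on the odd high ports stand out at a glance. The sample block is constructed from the endpoints quoted in the post; the `.local` internal suffix and the empty list of expected ports are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the column layout of Windows 2000 "netstat" output; the
# endpoints mirror the ones quoted in the post above, but this is not live data.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address               Foreign Address                      State
  TCP    chinabilling2:microsoft-ds  dpc691943014.direcpc.com:33744       ESTABLISHED
  TCP    chinabilling2:microsoft-ds  beg251.neoplus.adsl.tpnet.pl:3118    ESTABLISHED
  TCP    chinabilling2:2121          pD9EE0561.dip0.t-ipconnect.de:3962   ESTABLISHED
  TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4110   TIME_WAIT
  TCP    chinabilling2:6621          ACB59020.ipt.aol.com:2921            ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3918   ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3922   ESTABLISHED
  TCP    chinabilling2:microsoft-ds  fileserver.POP.local:1043            ESTABLISHED
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        fhost, fport = foreign.rsplit(":", 1)  # hostnames in this output carry no colon
        conns.append({"proto": proto, "local_port": local.rsplit(":", 1)[1],
                      "foreign_host": fhost, "foreign_port": fport, "state": state or ""})
    return conns

def triage(conns, internal_suffixes=(".local",), expected_ports=frozenset()):
    """Group ESTABLISHED sessions from outside the LAN by the local port they hit.
    Ports not in expected_ports are suspect: SMB (microsoft-ds) open to the internet,
    or high ports such as 2121/6621 that no sanctioned service should own."""
    suffixes = tuple(s.lower() for s in internal_suffixes)  # assumed LAN naming
    suspect = defaultdict(set)
    for c in conns:
        if c["state"] != "ESTABLISHED" or c["local_port"] in expected_ports:
            continue
        if c["foreign_host"].lower().endswith(suffixes):
            continue  # LAN peer: SMB between internal hosts is normal
        suspect[c["local_port"]].add(c["foreign_host"])
    return {port: sorted(hosts) for port, hosts in suspect.items()}

if __name__ == "__main__":
    for port, hosts in sorted(triage(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(f"local port {port}: {len(hosts)} external peer(s): {', '.join(hosts)}")
```

Pass the ports the box is actually meant to serve in `expected_ports` so that only the unexplained listeners remain in the report.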
 
The only reliable method is to rebuild your system from scratch.
It could also be the fastest - since poking around trying to figure
out all that they have done can take quite some time, and still
leave you open. They likely installed several routes into your
system.
-sorry.
 
step 1: unplug the network cable or phone line
step 2: format C:
step 3: reinstall, do all patches, install a firewall, install AV.
step 4: reconnect to the internet and resume normal operation
 
It does not look like you are using a firewall. You need to run a properly configured
firewall that ideally can block all outbound access except that which is authorized
by port, protocol, IP address, and application [software firewall capability]. You
could install Sygate firewall today and try it free for thirty days until you decide
on a firewall solution. Run Microsoft Baseline Security Analyzer on your computer to
make sure unneeded services are shut down, and try another virus scan program and a
dedicated trojan removal program. The links below are for a free product from Trend
Micro that will scan for and remove many common malwares. Download it into a folder and
execute it from there.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx
http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp
http://smb.sygate.com/products/spf_pro.htm --- Sygate Pro

You really should consider rebuilding your computer and taking steps to prevent this
again. The link below explains why. --- Steve

http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx
http://www.microsoft.com/technet/security/chklist/w2ksvrcl.mspx -- security
checklist for server.
 