I've been broken into


Gene Bryan

Well it only took a little over 2 years, but a hacker has
made my server one of the latest IRC servers. Has anybody
heard of a removal tool for mybot? FDisk is the only
solution I can think of, but that's also going to make
about a 40 hour plus installation. I have figured out how
the scanners got in, and have stopped that, now I'm left
with the remains of it. Any thoughts about a removal
process would certainly be well accepted.
 
To be honest, if I knew a server had been compromised, I'd back up the data
and rebuild it. No way to know what else got put on there. Why so long a
time estimate for installation? Do you have another server you can set up as
another domain controller in the meantime?
 
I do have a secondary domain controller on line. This
system runs a retail outlet with 3 stores tagged on to the
primary domain controller to access the business system.
The business system and all other business related
programs represent about 20 gigs of data. Not to mention
the primary runs terminal services for the remote clients
to access the business system. And all the FSMO roles on
the primary would have to replicate to the secondary, etc.,
etc., etc. All this with no down time, I must have been
dreaming. A removal tool would be the ultimate, but
without that, FDisk is the only way. This is going to
suck. To all admins, change your password frequently.
That has been my lesson here.
 
I'm assuming you've already tried McAfee and the host of
AV software? Trend Micro has a pretty good free online
scan. Have you already removed all references in the
registry?
 
I have run Stinger, Ad-Aware, Spybot S&D, etc. The program
that was installed is messy; it's all in the system32
files, and I have contained it. Lucky for me, if there is any
luck with this, the DC has no DNS address assigned, so the
intended program installed failed. Literally 100's of
addresses the DC was trying to resolve. This IRC pirating
is no laughing matter; if you're not real familiar with XDCC,
here is a link to a thesis written on it.
http://www.ncsu.edu/it/security/papers/EduHacking.html
I've come to the conclusion that to wipe the hard drive on
the DC and move on is the procedure to clean up this mess.
 