Strange Folders Appearing in Root of C:\

  • Thread starter: philip
philip

Hi All,

I believe my Win2k server SP3 has been compromised. I have
been downloading all updates from Windows Update.
Yesterday we noticed strange files being created in the
root dir, with names like "1ae5cf12651de3bcc45825". The
files inside include update.exe and spcustom.dll. We
delete them and they reappear at random times with
different names. I have scanned with Norton Corp. and
Trend Micro; both find nothing.

I have also found some text files created with the same
time stamp in the c:\winnt dir. Here is a sample:

Service Pack started with following command line: -u -o -q -z
***
---- Old Information In The Registry ------
***
Source:c:\1ae5cf12651de3bcc45825\update\update.exe
Version: 5.3.16.5
***
Destination:
Version:
***
Source:c:\1ae5cf12651de3bcc45825\update
Version:
***

Can anyone share any info on this one????

Any help is appreciated
 
I would check security logs to see who accessed the computer and when. You
may need to actively sniff the packets to find what IP they are coming from.
Do you have a firewall for this server that is configured to block all ports
except what are needed for its particular function?

If they are coming from someone with proper credentials, then you can track
it further. If they are coming in through a compromised system, then you may
need to wipe it and reload with tight security in mind to prevent further
compromise.

In the meantime, you could also download something like Spybot Search and
Destroy to see if there is a known spyware package being used. There are
other programs to detect trojans also. There are programs like TCP View from
Winternals that are freeware and tell you what ports are being used and what
address they are connecting to. Unfortunately, this program doesn't come
with a logging feature.

-JasonW
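
As a complement to the log checks suggested above, one way to tie each hex-named root folder to the installer log that mentions it, leaving the folders that no log accounts for as the ones to investigate first. This is an added example, not part of either post; the function names, the 16-character hex threshold and the second folder name are assumptions made for the demonstration.

```python
import re

# Constructed sample: the log excerpt quoted in the first post.
SAMPLE_LOG = """\
Service Pack started with following command line: -u -o -q -z
***
---- Old Information In The Registry ------
***
Source:c:\\1ae5cf12651de3bcc45825\\update\\update.exe
Version: 5.3.16.5
***
Destination:
Version:
***
Source:c:\\1ae5cf12651de3bcc45825\\update
Version:
***
"""

CMDLINE_RE = re.compile(r"started with following command line:\s*(.*)", re.I)
SOURCE_RE = re.compile(r"^Source:\s*(\S.*)$", re.I | re.M)
# Root-level folder named with a long run of hex digits (16+ is an assumed threshold).
HEX_DIR_RE = re.compile(r"^[A-Za-z]:\\([0-9a-f]{16,})(?:\\|$)", re.I)
HEX_NAME_RE = re.compile(r"[0-9a-f]{16,}", re.I)

def parse_installer_log(text):
    """Return the installer switches and the hex-named root folders it ran from."""
    m = CMDLINE_RE.search(text)
    switches = m.group(1).split() if m else []
    folders = []
    for src in SOURCE_RE.findall(text):
        hit = HEX_DIR_RE.match(src.strip())
        if hit and hit.group(1).lower() not in folders:
            folders.append(hit.group(1).lower())
    return {"switches": switches, "folders": folders}

def triage(root_dirs, log_texts):
    """Split hex-named root folders into (mentioned in a log, mentioned in none)."""
    logged = set()
    for text in log_texts:
        logged.update(parse_installer_log(text)["folders"])
    hex_dirs = [d for d in root_dirs if HEX_NAME_RE.fullmatch(d)]
    return ([d for d in hex_dirs if d.lower() in logged],
            [d for d in hex_dirs if d.lower() not in logged])

if __name__ == "__main__":
    # Constructed directory listing; the last name is made up for the demo.
    dirs = ["WINNT", "Program Files", "1ae5cf12651de3bcc45825", "9c0d41aa7be3320f6e11"]
    print(parse_installer_log(SAMPLE_LOG))
    print(triage(dirs, [SAMPLE_LOG]))
```

A folder in the second list has no matching log entry, so its creation time is the one to line up against the security log and any packet capture.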
 