I'm not exactly sure from your description what exactly has happened. If
someone remotely installed software like FTP server software, in most cases
they probably exploited a missing critical patch for a remotely exploitable
remote code execution vulnerability such as a buffer overflow in a listening
and remotely available service. For most such attacks, the attacker gains
privileges equivalent to System, and few systems are configured to prevent

If you have a firewall, concentrate on the services that are listening on
ports available through the firewall, such as perhaps IIS www services.

If you could tell us the name of the viruses [not virii] that the machines
are infected with, or better yet search the web site for the manufacturer of
the anti-virus software that found and identified the virus, that will
probably tell you how the machine becomes infected, via which ports and
which patch was probably missing.

If no FTP server software was installed by the attacker, it could be that
the FTP service was left enabled and the anonymous IUSR account had both
read and write privileges to one of the FTP folders. Always set up a
read-only folder for downloads and a separate write-only, no read folder for
uploads if necessary.

Access to IRC ports should never be open outbound through your firewall.

Using a proxy server, IDS such as Snort, Microsoft URLScan free for IIS www
service, and a file change checker such as the free SIM from www.gfi.com or
Osiris, may help block and detect these things as well.

If you follow commonly accepted security practices such as those provided by
Microsoft, these things usually don't happen to you.

www.microsoft.com/technet/security
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#harden