
Compromised Web Server? Anybody recognize these programs?

Posted by John Kotuby on January 9, 2008, 9:11 am
Hi all,
We lease a non-managed Web Server running AV software but no IDS. It is
Windows 2003 STD which receives automatic nightly Windows Security patches
at 3AM.

When I logged into the RDP console on Monday I saw what looked like a
Password Cracking software running with the name at the top of the window
E-Security. It looks like it had gone through 69,914,496 permutations
already.

Apparently somebody hacked in through a nearly wide open front door, Remote
Desktop on a standard port. Also installed were 2 network packet sniffing
programs PacketX and WinPcap.

I have since made some changes to re-secure the server. I need to learn how
to quickly set up VPN access using only a remote connection...such that I
can configure it first and then still have access to the desktop after it
is activated, if that is possible. I don't need an article steeped in theory
and we are not talking active directory, just a standalone Win2003 STD
remote server. So I am looking for a setup that uses only 1 server for both
VPN and Remote Desktop Access. If someone can point me to such an article or
tutorial I will be grateful. I am a software developer under a very tight
schedule, not a trained server manager.

To continue...

I went into Task Manager and killed a program I did not recognize
netman24.exe. I killed it and also saw about 12 instances of
CheckingThread.exe disappear.

I did not want to click the Close button in the program because who knows
what that might have done.

Looking in Services, right under Network Connections there were 3 other
similar services all claiming to be Microsoft.
Network Connections 24
Network Connections 32
Network Connections 64

Doing a search on Microsoft for netman24.exe brought up nothing.
Doing a similar search on Google brought up nothing.
Same for Symantec.

I changed the Startup Option on Network Connections 24 from Automatic to
Manual. I have not gotten rid of those services or programs yet in case they
are valid.

Maybe the connection between netman24.exe being killed and
CheckingThread.exe instances disappearing was coincidental but I don't think
so.

Anyone else seen anything like this or recognize these programs as valid?

Thanks for any input...

--
"Building a better mouse trap doesn't necessarily make it better for the
mouse."
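A defender's triage script for the situation described in the post, added here as an example and not part of the original post or thread: it lists every Windows service whose display name imitates the built-in "Network Connections" service with a numeric suffix (the "Network Connections 24/32/64" pattern above), or whose binary is not a validly signed Microsoft file. It assumes a modern Windows host with PowerShell 3 or later; the regex and the "Microsoft" signer check are assumptions for illustration, not a known-bad list.

```powershell
# Added triage example (not from the original post). Enumerates services and
# flags the ones worth a closer look before deciding whether to remove them.
# Assumes PowerShell 3+ with CIM cmdlets; the original Windows 2003 host
# would need PowerShell installed first.

# Display-name pattern taken from the post: the real service is called
# "Network Connections" (netman); clones appeared with a number appended.
$clonePattern = '^Network Connections\s+\d+$'   # assumed pattern for triage

$services = Get-CimInstance -ClassName Win32_Service

foreach ($svc in $services) {
    $looksLikeClone = $svc.DisplayName -match $clonePattern

    # Pull the executable path out of the service command line, which may
    # be quoted ("C:\path with spaces\x.exe" args) or bare (C:\x.exe args).
    $exe = $null
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($svc.PathName -match '^(\S+)') { $exe = $Matches[1] }

    # Check the Authenticode signature of the binary. Note: services hosted
    # by svchost.exe will show svchost's (valid Microsoft) signature; the
    # ServiceDll they load is not inspected here, so the display-name check
    # above is what catches svchost-hosted clones.
    $signer = 'binary not found'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
        else { $signer = "signature $($sig.Status)" }
    }
    $notMicrosoftSigned = $signer -notmatch 'Microsoft'

    if ($looksLikeClone -or $notMicrosoftSigned) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            State       = $svc.State
            Binary      = $exe
            Signer      = $signer
            Reason      = if ($looksLikeClone) { 'display name mimics built-in service' }
                          else { 'binary not signed by Microsoft' }
        }
    }
}
```

Legitimate third-party services (AV agents, for instance) will also appear under the "not signed by Microsoft" reason, so the output is a review list, not a verdict; correlate it with the service's install date and the binary's location before acting on it.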


