server is being hacked

Every month I am finding either one or two services that are hack
services. I delete the files and clean the service in the registry,
then between 1 and 3 months later a new hack is on my server. I have
Symantec 10.2 and Symantec for Exchange and a Barracuda on the outside
of my network. Can anyone help to find the root of this issue? I use
the normal tools like RootkitRevealer and APorts for scanning my
ports but still they get in. I check my server a few times a day and
usually I catch it within a day but that might be too late. My updates
and patches are up to date. I am running SBS 2003 SP2 and Exchange
2003 SP1.

Thank You

Re: server is being hacked

Ok, and where's the question? Or the problem? Or the news? Since you don't do
anything serious to recover from the compromise, such a sequence of events
is reasonably expected.

Re: server is being hacked

Hi Joseph,

Sorry to hear of your struggles. You need to follow the standard
procedure for recovering from a malware infection:
        o remove the box from the network
        o pull data off to another device and/or image the drive
          (including slack space) for later reference or a forensic
        o repartition, reformat and reinstall the OS from original

If you want a root cause (or as close to a root cause as you'll get,
depending on the attacker's skill), engage a security firm to do
forensic analysis of the box. This is also sold as "incident
response" service. It's not cheap.

Trying to patch/remove things flagged by a commercial product is like
trying to use a bandaid to cure skin cancer, I'm afraid. You have no
way of knowing you got everything.

Best Regards,
Todd H.