Hacked - Folders and Files Disappear


Guest

Hello,

I have a Windows 2000 Server SP4/SQL Server 2000 SP3 box that has recently
been hacked. I am not completely sure how they got in, but there was a nice
neat collection of items - ftp utility, dns utility, sam dump, porn, mp3s,
etc...

I have been slowly cleaning everything off this box, but there are some
things I don't know how to handle. Certain files, like netstat.exe, kill.exe
are no longer available but if I try to recreate/copy them I get a name
collision. If I put them in a new location (anywhere on the server) they
disappear immediately.

Further, I put kill.exe into the root of one drive and now the contents of
the root of that drive are invisible. I can not see anything in that drive
from windows or dos.
The result of dir on that drive is "File Not Found". However, I remember
one of the folders on that drive and I can CD into it with no problem and
browse around all I like. I just can't see or manipulate anything in the
root.

Before you ask, I am showing hidden files and protected OS files.

Is there some utility for Windows, or - god forbid - *nix that I can use to
show ALL files in a directory regardless of any OS level rule? What can I do
to resolve this short of migrating to a new server?

I have seen some utilities that claim to hide files on a much deeper level
than the normal NTFS hide. Surely they must key into some part of Windows.
Is there a programmatic solution to this?

Now I can't even run FileMon anymore... grr....

Thanks for your help!

Sincerely,
Dan B
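The symptom described above (a directory listing that reports nothing while a remembered folder can still be entered by name) is the classic signature of hooked directory enumeration, and the standard defensive check for it is a cross-view comparison: enumerate the directory, then probe known names directly and report any that are reachable but unlisted. The following is an added example in Python, not code from the thread or from any tool it names; the file names, the temporary directory and the filtered listing are constructed to simulate the behaviour offline.

```python
"""Cross-view check for directory entries that exist but are not enumerated.

Added example, not from the thread. A rootkit that hooks directory
enumeration hides names from dir/Explorer, but a direct stat of a name the
administrator already knows can still succeed. Comparing the enumerated
view with direct probes exposes the gap.
"""
import os
import tempfile
from typing import Callable, Iterable, List


def find_unlisted_entries(directory: str, candidate_names: Iterable[str],
                          lister: Callable[[str], List[str]] = os.listdir) -> List[str]:
    """Return candidate names that are directly accessible in `directory`
    (os.lstat succeeds) but absent from the enumerated listing.

    `lister` is whatever produces the directory listing; on a live system
    that is the OS enumeration itself. It is a parameter here so the
    behaviour can be exercised offline with a constructed listing."""
    listed = set(lister(directory))
    hidden = []
    for name in candidate_names:
        path = os.path.join(directory, name)
        try:
            os.lstat(path)  # direct probe by name, bypassing enumeration
        except OSError:
            continue  # genuinely absent, nothing to report
        if name not in listed:
            hidden.append(name)
    return sorted(hidden)


def demo() -> List[str]:
    """Constructed scenario: three files exist, but the enumeration used for
    the listing silently drops one of them. The check reports that name."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("netstat.exe", "kill.exe", "notes.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"constructed sample content")

        def filtered_listing(path: str) -> List[str]:
            # Simulated hooked enumeration: never returns kill.exe.
            return [n for n in os.listdir(path) if n != "kill.exe"]

        # Names to probe come from what the administrator remembers or from
        # an install manifest, never from the suspect enumeration itself.
        candidates = ["netstat.exe", "kill.exe", "notes.txt", "nothere.dll"]
        return find_unlisted_entries(root, candidates, lister=filtered_listing)


if __name__ == "__main__":
    print(demo())
```

The probe list has to come from an independent source (install media, a manifest, or memory, as the poster did with the remembered folder), because asking the same enumeration for names defeats the purpose. The check also only exposes hooks on enumeration; a rootkit that filters path lookup as well will hide from `lstat` too, which is why the same comparison is normally run against the disk mounted from a clean boot environment rather than from within the compromised OS.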

Guest

It gets weirder.
If I try to create a new text file in this root area, it disappears AS I am
naming it.
While I type!

There must be some process running that is controlling this but I can not
find it. Tried filemon, handle.exe, tcpview, process explorer...

sigh.

-Dan B

Dave Patrick

It's not worth spending any time with. Rebuild the server.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

| Hello,
|
| I have a Windows 2000 Server SP4/SQL Server 2000 SP3 box that has recently
| been hacked. I am not completely sure how they got in, but there was a nice
| neat collection of items - ftp utility, dns utility, sam dump, porn, mp3s,
| etc...
|
| I have been slowly cleaning everything off this box, but there are some
| things I don't know how to handle. Certain files, like netstat.exe, kill.exe
| are no longer available but if I try to recreate/copy them I get a name
| collision. If I put them in a new location (anywhere on the server) they
| disappear immediately.
|
| Further, I put kill.exe into the root of one drive and now the contents of
| the root of that drive are invisible. I can not see anything in that drive
| from windows or dos.
| The result of dir on that drive is "File Not Found". However, I remember
| one of the folders on that drive and I can CD into it with no problem and
| browse around all I like. I just can't see or manipulate anything in the
| root.
|
| Before you ask, I am showing hidden files and protected OS files.
|
| Is there some utility for Windows, or - god forbid - *nix that I can use to
| show ALL files in a directory regardless of any OS level rule? What can I do
| to resolve this short of migrating to a new server?
|
| I have seen some utilities that claim to hide files on a much deeper level
| than the normal NTFS hide. Surely they must key into some part of Windows.
| Is there a programmatic solution to this?
|
| Now I can't even run FileMon anymore... grr....
|
| Thanks for your help!
|
| Sincerely,
| Dan B

aD

Dave said:
It's not worth spending any time with. Rebuild the server.

Seconded. It's also not worth the time as there *will* be something you
haven't noticed, and Bad Things will happen again.

aD

Leythos

| I have a Windows 2000 Server SP4/SQL Server 2000 SP3 box that has recently
| been hacked. I am not completely sure how they got in, but there was a nice
| neat collection of items - ftp utility, dns utility, sam dump, porn, mp3s,
| etc...
|
| I have been slowly cleaning everything off this box, but there are some
| things I don't know how to handle. Certain files, like netstat.exe, kill.exe
| are no longer available but if I try to recreate/copy them I get a name
| collision. If I put them in a new location (anywhere on the server) they
| disappear immediately.

I hope you had a clean backup of all your data.

At this point, considering all you've described, it's time to
wipe/reinstall the system. Start with a bootable CD, format and wipe the
drive (remove all partitions) and reinstall everything.

BEFORE YOU DO THIS - Close all firewall ports INBOUND to the server.
This will let you re-install without getting hacked while doing the
install and updates. Once you get the install and updates, install a
server class antivirus program - something like Symantec Corporate
Edition for Servers ver 9.0.

Guest

aD said:
Seconded. It's also not worth the time as there *will* be something you
haven't noticed, and Bad Things will happen again.

aD

Thanks for the replies. I am in agreement with all posts here, at least
insofar as what to do with the contents of the current server. I do have all
the files I need and they are ready to go on a new machine, but I would
really like to get a better understanding of what has happened.

I know that at this point there is really no way to secure a box that has
been this owned, but I would like to explore what has been changed just the
same. From various conversations it would appear that it is likely that dlls
for explorer and other windows programs have been replaced with hacked
copies.

Have any of you spent time tracking down changes such as these? I wonder if
a program like the dependency walker would give me a good look into these
files...

Anyway, thanks again.

-Dan B
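On the question of finding which DLLs and executables were swapped for hacked copies: a dependency walker shows what a binary links against, not whether the binary itself is the one that shipped. The direct answer is a hash comparison against a baseline from a known-good source (install media, an identical clean machine, or a pre-compromise snapshot), which reports modified, added and missing files. The block below is an added example in Python, not from the thread or any tool it mentions; the directory trees, file names and contents are constructed placeholders.

```python
"""Baseline hash comparison for spotting replaced, dropped or deleted files.

Added example, not from the thread. Hash every file under a known-good tree
and under the suspect tree, then diff the two maps. Paths and contents here
are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, NamedTuple


def hash_tree(root: str) -> Dict[str, str]:
    """Map each file path, relative to root, to its SHA-256 hex digest."""
    digests: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


class Report(NamedTuple):
    modified: List[str]  # present in both trees with different content
    added: List[str]     # only in the suspect tree
    missing: List[str]   # in the baseline but gone from the suspect tree


def compare(baseline: Dict[str, str], suspect: Dict[str, str]) -> Report:
    """Diff two hash maps produced by hash_tree."""
    modified = sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p])
    added = sorted(p for p in suspect if p not in baseline)
    missing = sorted(p for p in baseline if p not in suspect)
    return Report(modified, added, missing)


def _write(root: str, rel: str, data: bytes) -> None:
    """Create a file (and parent directories) under root; helper for demo()."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Report:
    """Constructed scenario: a known-good tree and a suspect tree in which one
    DLL was replaced, one tool was deleted, and one unexpected file appeared."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as dirty:
        for root in (clean, dirty):  # files untouched on both sides
            _write(root, "winnt/system32/kernel32.dll", b"constructed clean kernel32")
            _write(root, "winnt/explorer.exe", b"constructed clean explorer")
        _write(clean, "winnt/system32/shell32.dll", b"constructed clean shell32")
        _write(dirty, "winnt/system32/shell32.dll", b"constructed trojaned shell32")
        _write(clean, "winnt/system32/netstat.exe", b"constructed clean netstat")
        _write(dirty, "winnt/system32/dropped.exe", b"constructed unknown binary")
        return compare(hash_tree(clean), hash_tree(dirty))


if __name__ == "__main__":
    report = demo()
    print("modified:", report.modified)
    print("added:", report.added)
    print("missing:", report.missing)
```

Run `hash_tree` over the suspect disk mounted from a bootable CD or attached to a clean machine, not from within the compromised installation: hashing from inside it goes through the same hooked file system calls that are hiding the files in the first place, so a tampered binary can be served up as the clean one. The baseline side should come from the same service-pack level as the server, or every legitimately patched file shows up as modified.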