I've been hacked


Marcus Smaby

I am having a continuing problem that I can't seem to get a handle on. Recently, someone hacked into one of our servers. Now, once or twice a day I see either the file system.exe or netstats.exe appearing in the system32 folder and in the tasks list. At this point the network is brought to its knees and it can take me 15 minutes to log into the affected server. I have checked for references to these two files and I get a hit on system.exe as a Trojan, but the only hits I get on netstats.exe are as a utility. I have firewalls. I am at current patch levels on everything. I have Norton Corporate AV running on all systems, but still this continues. I cannot kill these processes, as they come back 'access denied'. My only recourse has been to rename these files from a CMD prompt, clean out any references from the registry and reboot. But within the hour, they are back!

1. Is there any way to force a process to die? If I am domain admin, why would I be denied access?

2. Is there any utility that would lock out a given program from starting?

3. How can I determine where this is coming from?

Thanks in Advance.

Marcus
 

George Hester

Some processes you cannot stop even as Administrator. It is because they are either necessary for Windows to run or they are locked by some other process, which you have to find first and kill, and then kill the one you want to kill.

The fact that the "hacker" comes back so fast but not instantly makes me wonder what your evidence is based on. Can you identify the IP address of what is changing these files? What if you change the permissions on them to say System and Admin only? There is a utility from Microsoft called Port Query. They even have a Service by a similar name. It is called Port Reporter. I believe you let this start automatically and you can monitor your ports over time. I have it but don't use it often.
 

Dave

Obviously you haven't recovered adequately or have not secured the original hole that lets them in. netstats.exe is an obvious attempt to confuse with the real netstat.exe, as is system.exe, which is not a standard Windows file either. Most likely there is another one that you haven't found that is copying both of them from somewhere else, or there is another hole that is letting someone outside get them into your system. system.exe is a known virus/trojan filename, not to say that yours is, but it is a name used by backdoor.ciadoor, w32.chili, backdoor.dani, and quite a few others. netstats.exe may be a valid tool, but you should know if you installed one of them, I would hope... so likely it is a recent name change for some older virus or trojan.

I would make sure that your Norton is really running; there are some recent infections that kill the actual virus scan processes, so you may think they are running but actually aren't. Try an online scan, or boot to safe mode and try a manual scan, and make sure it is really running. You may also want to try some of the adware and spyware scanners; Ad-Aware and Spybot S&D are my favorites... things that virus scanners ignore but these scanners find can cause just as much trouble as viruses. I just had to clean several IE toolbar hijackers and spyware programs off one workstation today... though he had been having slow response and intermittent trouble for days, he finally couldn't do anything in Word, and IE was doing strange things... 68 hits in Ad-Aware convinced him he had to watch his surfing closer.
 

Andrew Morton

... I cannot kill these processes as they come back 'access denied'.

Process Explorer from www.sysinternals.com will (probably) do it, but as the other respondents have said, the problem is elsewhere. Have you tried other virus scanners, e.g. the HouseCall online scanner from www.antivirus.com, as well as Spybot S&D and Ad-Aware (both available through www.download.com)? Then of course you don't know what else the hacker may have left in the system. Is there any chance of formatting the disk and reinstalling? I suggest that as a minimum security measure you should have URLScan from MS running if you're using IIS, as well as your hardware firewall, and change all the passwords and make sure there aren't any user accounts you haven't added. Are you sure it isn't being reinfected from another computer?

Andrew
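The replies above point at the same three questions: what is running the file, what starts it again, and where it talks to. The following read-only triage script is an added example (not posted by anyone in this thread); it assumes a current Windows host with PowerShell and the NetTCPIP module, and takes the two filenames from the original post as its only input. It kills nothing and changes nothing, so the evidence for the reinstall decision is preserved.

```powershell
# Added triage example (not from the thread). Reports, for each suspicious
# filename, the on-disk copy, the running instances with parent and owner,
# their TCP connections, and any Run key or service that references the name.
$Names = @('system.exe', 'netstats.exe')   # names taken from the original post
$Sys32 = Join-Path $env:SystemRoot 'System32'

foreach ($name in $Names) {
    Write-Host "=== $name ==="
    $pattern = [regex]::Escape($name)

    # 1. On-disk copy in System32: timestamps show when it was dropped; the hash
    #    lets you tell whether the next copy is the same file or a new one.
    $file = Join-Path $Sys32 $name
    if (Test-Path $file) {
        Get-Item $file | Select-Object FullName, Length, CreationTime, LastWriteTime
        Get-FileHash -Algorithm SHA256 $file | Select-Object Hash
    }

    # 2. Running instances. The parent process and owner usually reveal how it
    #    is being relaunched (a service, a scheduled task, another dropper).
    Get-CimInstance Win32_Process -Filter "Name = '$name'" | ForEach-Object {
        $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            PID     = $_.ProcessId
            Path    = $_.ExecutablePath
            Owner   = "$($owner.Domain)\$($owner.User)"
            Parent  = "$($parent.Name) ($($_.ParentProcessId))"
            Started = $_.CreationDate
        }
        # 3. TCP connections owned by that PID (needs Windows 8 / Server 2012 or later).
        Get-NetTCPConnection -OwningProcess $_.ProcessId -ErrorAction SilentlyContinue |
            Select-Object LocalPort, RemoteAddress, RemotePort, State
    }

    # 4. Persistence: Run/RunOnce keys and services whose command line names the file.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            (Get-ItemProperty $key).PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -match $pattern } |
                Select-Object @{n = 'Key'; e = { $key }}, Name, Value
        }
    }
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match $pattern } |
        Select-Object Name, State, StartMode, PathName
}
```

Run it from an elevated prompt and keep the output alongside the file hashes; a parent PID that belongs to a service or to another unexpected executable is the "other one" Dave describes.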
 