My server hacked...


Agustin Chernitsky

Hi guys,

It seems that my server was/is hacked. I found a process (unknown to me)
running and finally I could trace it down to \recycler\mstemp\_tmp. Still, I
think the whole system is compromised. My server has about 100 sites running
IIS (SP4).

I would like to do a fresh install of this server, but I would like to
receive some suggestions, since:

1.- I need to move all IIS web sites to the new server
2.- The same with the user accounts created.

I have a backup (good for me), but I don't want to restore everything, since
I don't know when my system was compromised.

So, any suggestions? What's the best way to do this move? I am planning on
using a different new server to do the new install...

Thanks

A.
 

Karl Levinson [x y] mvp


Agustin

Hi Karl.

My reasons:

- C:\system volume information\mstemp\_tmp\svhost_light.exe
- C:\system volume information\mstemp\_tmp\sc5m.exe
- C:\system volume information\mstemp\_tmp\huge.dic

and the same for c:\recycler\...

I'm going to post another thing... I know how they are logging in.

Thanks a lot for the links!

A.


Karl Levinson [x y] mvp said:
Posting the reasons why you think the server is compromised and why you
suspect the _tmp file is a good idea. It might not be compromised.

Determining how the server was compromised might be a good idea, unless you
want to install the server in exactly the same way with the same mistakes
and have it be compromised 30 minutes later. Here are some starters:

http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#harden
http://www.cert.org/tech_tips


Hi guys,

It seems that my server was/is hacked. I found a process (unknown to me)
running and finally I could trace it down to \recycler\mstemp\_tmp. Still, I
think the whole system is compromised. My server has about 100 sites running
IIS (SP4).

I would like to do a fresh install of this server, but I would like to
receive some suggestions, since:

1.- I need to move all IIS web sites to the new server
2.- The same with the user accounts created.

I have a backup (good for me), but I don't want to restore everything, since
I don't know when my system was compromised.

So, any suggestions? What's the best way to do this move? I am planning on
using a different new server to do the new install...

Thanks

A.
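The paths Agustin lists (executables living under RECYCLER and System Volume Information) are exactly the kind of evidence Karl asks for, and a quick triage script can surface such processes on any IIS host before the rebuild. The following is an added example, not code from the thread or its participants; it assumes the process list is captured with `wmic process get ExecutablePath,Name,ProcessId /format:csv` and ships with a constructed sample of that output so it runs offline.

```python
"""Triage helper: flag running processes whose image lives in a directory
where no legitimate service should ever execute from (added example)."""
import csv
import io
import re
import subprocess

# Constructed sample of `wmic ... /format:csv` output; the two flagged
# entries mirror the paths reported in the thread.
SAMPLE_WMIC_CSV = r"""
Node,ExecutablePath,Name,ProcessId
WEB01,C:\WINNT\system32\svchost.exe,svchost.exe,812
WEB01,C:\WINNT\system32\inetsrv\inetinfo.exe,inetinfo.exe,1044
WEB01,,System,8
WEB01,C:\RECYCLER\mstemp\_tmp\svhost_light.exe,svhost_light.exe,2288
WEB01,C:\System Volume Information\mstemp\_tmp\sc5m.exe,sc5m.exe,2304
"""

# (pattern, reason) pairs; directory names come from the thread plus the
# NTFS recycle-bin folder name used by later Windows versions.
SUSPICIOUS = [
    (re.compile(r"^[a-z]:\\(recycler|\$recycle\.bin)\\", re.I),
     "image inside the recycle bin"),
    (re.compile(r"^[a-z]:\\system volume information\\", re.I),
     "image inside System Volume Information"),
    (re.compile(r"\\_tmp\\", re.I), "image inside a _tmp folder"),
]

def parse_wmic_csv(text):
    """Parse wmic CSV (leading blank line and Node column are tolerated)."""
    body = "\n".join(ln for ln in text.splitlines() if ln.strip())
    return [{"pid": int(r["ProcessId"]), "name": r["Name"],
             "path": r.get("ExecutablePath") or ""}
            for r in csv.DictReader(io.StringIO(body))]

def flag_suspicious(rows):
    """Return (pid, name, path, reason) tuples; kernel processes with an
    empty ExecutablePath are skipped rather than misreported."""
    hits = []
    for r in rows:
        if not r["path"]:
            continue
        reasons = [why for rx, why in SUSPICIOUS if rx.search(r["path"])]
        if reasons:
            hits.append((r["pid"], r["name"], r["path"], "; ".join(reasons)))
    return hits

def live_process_rows():
    """Query the local host via wmic; returns [] where wmic is unavailable."""
    cmd = ["wmic", "process", "get", "ExecutablePath,Name,ProcessId", "/format:csv"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except OSError:
        return []
    return parse_wmic_csv(out.stdout)
```

Run `flag_suspicious(live_process_rows())` on the suspect host; anything it returns should be preserved (image, parent, start time) before the server is wiped, since that is the evidence Karl's links ask you to gather first.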
 
