Win2k machine hacked with Serv-U FTP etc

JM

My father's Win2k machine has been hacked. Saturday he called me in a
panic, and when I got to his house I could see why. There were windows
opened all over his desktop (I will upload screenshots to my web server if
it will help), a command window starting the Serv-U FTP service and checking
ipconfig settings, a web browser opened to his router with a service started
on port 333, a shortcut to an app, and the 2000 services and computer
management window.

I'm not familiar enough with 2000 to know how to investigate exactly what
happened. What I'm more interested in is where to go from here. My gut
tells me to immediately back up all his important files, reformat, reinstall,
and set him up with improved security measures. I also think a call to his
cc companies is in order, as well as changing all passwords to all
accounts, websites, etc.

What was the hacker's main purpose?

Please advise me in other ways. I'm not interested in finding fault with
how he had things set up, other than to learn from his mistakes. While he's
not a computer expert, he's not a newbie either.

thank you,

wjm
 
JM

more info:

Evidently, he made a newbie decision: he told me he "might have" clicked on
the app shortcut on the desktop, because he remembers a bunch of icons
appearing on the desktop for a few seconds and then disappearing.

Did he execute a destructive program?

wjm
 
Roger Abell [MVP]

I would recommend that you go with your gut as outlined.
Whether he did anything after the infestation that might have exposed
such things as cc numbers, or whether they were stored anywhere, you do
need to assess; but keep in mind the infestation may have been long
ago, with the symptoms now seen only the result of calling home with
what had been gathered.
I am sure you already have, but disconnect wires to the world, and
scan the backed-up data every way short of useless overkill.
 
Karl Levinson

Possible, but doubtful. More likely his computer was attacked from the
outside, and he did not have a firewall enabled, and also may have been
missing some security patches.

This is relatively common, and usually the people doing such FTP tagging /
pubstro hacks have little interest in looking at anything on the computer.
The purpose is to use the bandwidth and disk space of the computer to serve
up illicit and possibly commercially valuable files such as ripped DVD
movies, games, pornography, software, etc. Usually, old and well-known
remote network vulnerabilities are exploited to gain access. Google for the
terms FTP tagging and/or pubstro if you want more information about motive.
Wikipedia probably has a good article on the subject. [It is entirely
possible that other attackers also accessed and used the computer for
different purposes, but the purposes are most often financial.]

I agree that unless you already know what to do in response, a format and
reinstall is probably the easiest response, although be sure a firewall is
enabled before putting it onto the Internet, and that the next step is to
download all service packs and patches from Microsoft, rebooting several
times to get all the patches.

Watching your monthly credit card statements for unexpected activity is
always a good idea, hacking or no.
 
JM

Thank you.

If the computer was used for distribution of content, where are the files?

jm

 
Karl Levinson

It's possible the files were never put on there for some reason. They could
be anywhere. They could be in a folder that you cannot see or access using
Windows Explorer due to using reserved folder names disallowed in Windows
Explorer, such as "COM1." Such folders can often be seen and deleted, once
you know where they are, by using DIR /X at a command prompt to get the
short 8.3 file name, and use that to delete it. You may need to take
ownership of the folder and grant yourself permissions first, and it may be
necessary to do this at the command prompt using the short 8.3 folder name
as well. The folder could also be in the hidden c:\system volume
information\ folder. The first thing I would be looking at is the amount of
free disk space, to see if you are missing a gigabyte or several.

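As an added example, not part of this thread or of any poster's code: a Python script that automates the two checks Karl describes above, finding folders Windows Explorer cannot open (reserved device names such as COM1, and names ending in a dot or space) and reporting free space on the volume. It walks the tree with os.walk instead of DIR /X, builds its own constructed sample tree for a dry run, and all function names are my own.

```python
import os
import re
import shutil
import tempfile
# Reserved DOS device names; Windows treats "COM1" and "COM1.x" alike as the port.
_RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.|$)", re.I)

def is_explorer_hostile(name: str) -> bool:
    """Names Explorer cannot open or delete: device names, trailing '.' or ' '."""
    return bool(_RESERVED.match(name)) or name != name.rstrip(". ")

def _longpath(path: str) -> str:
    # On Windows the \\?\ prefix makes "COM1" open as a folder, not the device.
    if os.name != "nt" or path.startswith("\\\\?\\"):
        return path
    return "\\\\?\\" + os.path.abspath(path)

def dir_size(path: str) -> int:
    """Total bytes under path, skipping entries that cannot be stat'ed."""
    total = 0
    for dp, _, files in os.walk(path):
        for f in files:
            try:
                total += os.lstat(os.path.join(dp, f)).st_size
            except OSError:
                pass
    return total

def find_hidden_dirs(root: str) -> list:
    """Return [(path, bytes)] for every Explorer-hostile directory under root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(_longpath(root)):
        for d in dirnames:
            if is_explorer_hostile(d):
                full = os.path.join(dirpath, d)
                hits.append((full, dir_size(full)))
    return hits

def free_space_gb(path: str) -> float:
    """Free space on the volume holding path, for the 'missing gigabytes' check."""
    return shutil.disk_usage(path).free / 1024 ** 3

def build_sample_tree() -> str:
    """Constructed sample: a 'COM1' drop folder holding 1 KiB, in a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="pubstro_demo_")
    drop = os.path.join(_longpath(root), "COM1", "inner")
    os.makedirs(drop)
    with open(os.path.join(drop, "payload.bin"), "wb") as fh:
        fh.write(b"\0" * 1024)
    return root
```

Run `find_hidden_dirs("C:\\")` (or the drive letter in question) on the suspect machine to list the candidates before taking ownership and deleting them by short name as described above.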