Jim Lawrence
accessd at shaw.ca
Sun Oct 30 20:18:13 CST 2005
OT: I would normally not post this item here, but I am not sure where I would find a more experienced group. It appears that one of my servers has been hacked. :-(

The first indication, and it may be unrelated, is that one of my FTP directories, which I have used for uploading and downloading files, has a 'Locked' directory in it. It is real simple to do this; and do not try it! Make a directory like:

  \temp\o0oKARo0o\here\

and then rename it like this:

  \com1*\o0oKaro0o\here\   (*=space)

Does anyone here know how to get rid of the thing?

The second indication is that on a subnet, even though all the computers hung off it have been disconnected, there was a lot of activity on that IP address logged. The intruder was tracked as far as an ISP in the States but could be followed no further. According to his 'Webmin', Chinese is his first language and his OS of choice is Linux. No more information could be gathered.

He has not been able to access the administration account, as there were a number of failed attempts logged while trying to change passwords. All the account passwords change regularly and are of sufficient complexity (over 6 characters, mixture of upper and lower case, mixture of letters and numbers, and must have at least one special character), but I still have no idea how access was attained.

The computer is an advanced Windows 2000 server with the latest updates. Even though all mail goes through it, it does not have the capacity to send mail directly other than through PHP and ASP. It has an MS SQL server, but its ports are closed. It does have IIS running, but none of the web sites are writable.

Any help would be greatly appreciated.

MTIA
Jim
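The 'Locked' directory described in the post works because ordinary Win32 path handling rewrites a component such as "com1 " (a reserved device name, with the trailing space stripped) into the serial-port device, so Explorer, del and rd can no longer address the real directory. Paths that begin with the \\?\ prefix skip that rewriting and reach the file system entry literally, which is how an administrator can find and remove such directories. The script below is an added example written for this post, not code from the original message or from any product mentioned in it. It assumes Python 3 on a Windows host with rights to the share; the name check is an approximation of the Win32 normalization rules (reserved base name before the first dot, trailing spaces and dots stripped), and the sample path is a constructed one modelled on the post.

```python
import ntpath
import os
import shutil
import sys
from typing import List, Optional, Tuple

# Win32 reserved device names. A path component whose base name (before the
# first '.', after trailing spaces/dots are stripped) matches one of these is
# routed to the device by normal Win32 path handling, so the on-disk entry
# becomes unreachable with ordinary tools. (Assumption: this list mirrors the
# documented reserved names; it is not read from the system.)
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {"COM%d" % i for i in range(1, 10)}
RESERVED |= {"LPT%d" % i for i in range(1, 10)}


def classify_name(name: str) -> Optional[str]:
    """Return why a file/directory name is unreachable by a normal path, or None.

    Two cases are detected: a reserved device name (with or without an
    extension, e.g. 'com1 ' or 'COM1.txt'), and a name ending in spaces or
    dots, which normal path handling silently strips.
    """
    stripped = name.rstrip(" .")
    base = stripped.split(".", 1)[0].upper()
    if base in RESERVED:
        return "reserved device name"
    if stripped != name:
        return "trailing space or dot"
    return None


def extended_path(path: str) -> str:
    """Convert an absolute Windows path to its \\\\?\\ (extended-length) form.

    The prefix tells Win32 to pass the path through literally: no device-name
    substitution, no stripping of trailing spaces, no '/' conversion (so we
    convert slashes ourselves). UNC paths get the \\\\?\\UNC\\ form.
    """
    path = path.replace("/", "\\")
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + path[2:]
    if not ntpath.isabs(path) or not ntpath.splitdrive(path)[0]:
        raise ValueError("an absolute drive-letter or UNC path is required: %r" % path)
    return "\\\\?\\" + path


def find_locked_entries(root: str) -> List[Tuple[str, str]]:
    """Walk 'root' using extended-length paths and list entries that normal
    tools cannot address, as (extended_path, reason) pairs. Must run on
    Windows, because only Win32 honours the \\\\?\\ prefix."""
    found = []
    stack = [extended_path(root)]
    while stack:
        directory = stack.pop()
        with os.scandir(directory) as entries:
            for entry in entries:
                reason = classify_name(entry.name)
                if reason:
                    found.append((entry.path, reason))
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
    return found


def remove_locked_directory(path: str) -> None:
    """Delete a directory tree such as C:\\temp\\com1 \\ via its literal path.

    shutil.rmtree uses os.scandir/os.unlink/os.rmdir, which pass the
    \\\\?\\ path straight to the Win32 *W APIs, so the trailing space and the
    device-like name are preserved instead of being rewritten.
    """
    shutil.rmtree(extended_path(path))


if __name__ == "__main__":
    # Usage: python locked_dirs.py C:\ftproot  (report only; remove by hand
    # with remove_locked_directory once the path has been confirmed).
    for locked_path, why in find_locked_entries(sys.argv[1]):
        print("%s\t%s" % (why, locked_path))
```

Run the reporting mode first and confirm what it lists before calling remove_locked_directory; the same literal-path trick that lets you delete the entry also means a typo in the path is taken at face value. The presence of such a directory on an anonymous or write-enabled FTP area is itself a useful detection signal, since legitimate uploads do not produce these names.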