I've been broken into


Gene Bryan
Well, it only took a little over 2 years, but a hacker has
made my server one of the latest IRC servers. Has anybody
heard of a removal tool for mybot? FDisk is the only
solution I can think of, but that's also going to make
about a 40 hour plus installation. I have figured out how
the scanners got in, and have stopped that; now I'm left
with the remains of it. Any thoughts about a removal
process would certainly be well accepted.

Lanwench [MVP - Exchange]
To be honest, if I knew a server had been compromised, I'd back up the data
and rebuild it. No way to know what else got put on there. Why so long a
time estimate for installation? Do you have another server you can set up as
another domain controller in the meantime?

Gene Bryan wrote:
> Well, it only took a little over 2 years, but a hacker has
> made my server one of the latest IRC servers. Has anybody
> heard of a removal tool for mybot? FDisk is the only
> solution I can think of, but that's also going to make
> about a 40 hour plus installation. I have figured out how
> the scanners got in, and have stopped that; now I'm left
> with the remains of it. Any thoughts about a removal
> process would certainly be well accepted.



Gene Bryan
I do have a secondary domain controller online. This
system runs a retail outlet with 3 stores tagged on to the
primary domain controller to access the business system.
The business system and all other business related
programs represent about 20 gigs of data. Not to mention
the primary runs terminal services for the remote clients
to access the business system. And all the FSMO roles on
the primary would have to replicate to the secondary, etc.,
etc., etc. All this with no down time; I must have been
dreaming. A removal tool would be the ultimate, but
without that, FDisk is the only way. This is going to
suck. To all admins, change your password frequently.
That has been my lesson here.

>-----Original Message-----
>To be honest, if I knew a server had been compromised, I'd back up the data
>and rebuild it. No way to know what else got put on there. Why so long a
>time estimate for installation? Do you have another server you can set up as
>another domain controller in the meantime?
>
>Gene Bryan wrote:
>> Well, it only took a little over 2 years, but a hacker has
>> made my server one of the latest IRC servers. Has anybody
>> heard of a removal tool for mybot? FDisk is the only
>> solution I can think of, but that's also going to make
>> about a 40 hour plus installation. I have figured out how
>> the scanners got in, and have stopped that; now I'm left
>> with the remains of it. Any thoughts about a removal
>> process would certainly be well accepted.

Matt
I'm assuming you've already tried McAfee and the host of
AV software? Trend Micro has a pretty good free online
scan. Have you already removed all references in the
registry?

>-----Original Message-----
>I do have a secondary domain controller online. This
>system runs a retail outlet with 3 stores tagged on to the
>primary domain controller to access the business system.
>The business system and all other business related
>programs represent about 20 gigs of data. Not to mention
>the primary runs terminal services for the remote clients
>to access the business system. And all the FSMO roles on
>the primary would have to replicate to the secondary, etc.,
>etc., etc. All this with no down time; I must have been
>dreaming. A removal tool would be the ultimate, but
>without that, FDisk is the only way. This is going to
>suck. To all admins, change your password frequently.
>That has been my lesson here.
>
>>-----Original Message-----
>>To be honest, if I knew a server had been compromised, I'd back up the data
>>and rebuild it. No way to know what else got put on there. Why so long a
>>time estimate for installation? Do you have another server you can set up as
>>another domain controller in the meantime?
>>
>>Gene Bryan wrote:
>>> Well, it only took a little over 2 years, but a hacker has
>>> made my server one of the latest IRC servers. Has anybody
>>> heard of a removal tool for mybot? FDisk is the only
>>> solution I can think of, but that's also going to make
>>> about a 40 hour plus installation. I have figured out how
>>> the scanners got in, and have stopped that; now I'm left
>>> with the remains of it. Any thoughts about a removal
>>> process would certainly be well accepted.

Gene Bryan
I have run Stinger, Ad-Aware, Spybot S&D, etc. The program
that was installed is messy; it's all in the system32
files. I have contained it. Lucky for me, if there is any
luck with this, the DC has no DNS address assigned, so the
intended program installed failed. Literally 100s of
addresses the DC was trying to resolve. This IRC pirating
is no laughing matter; if you're not really familiar with XDCC,
here is a link to a thesis written on it.
http://www.ncsu.edu/it/security/papers/EduHacking.html
I've come to the conclusion that to wipe the hard drive on
the DC and move on is the procedure to clean up this mess.

>-----Original Message-----
>I'm assuming you've already tried McAfee and the host of
>AV software? Trend Micro has a pretty good free online
>scan. Have you already removed all references in the
>registry?
>
>>-----Original Message-----
>>I do have a secondary domain controller online. This
>>system runs a retail outlet with 3 stores tagged on to the
>>primary domain controller to access the business system.
>>The business system and all other business related
>>programs represent about 20 gigs of data. Not to mention
>>the primary runs terminal services for the remote clients
>>to access the business system. And all the FSMO roles on
>>the primary would have to replicate to the secondary, etc.,
>>etc., etc. All this with no down time; I must have been
>>dreaming. A removal tool would be the ultimate, but
>>without that, FDisk is the only way. This is going to
>>suck. To all admins, change your password frequently.
>>That has been my lesson here.
>>
>>>-----Original Message-----
>>>To be honest, if I knew a server had been compromised, I'd back up the data
>>>and rebuild it. No way to know what else got put on there. Why so long a
>>>time estimate for installation? Do you have another server you can set up as
>>>another domain controller in the meantime?
>>>
>>>Gene Bryan wrote:
>>>> Well, it only took a little over 2 years, but a hacker has
>>>> made my server one of the latest IRC servers. Has anybody
>>>> heard of a removal tool for mybot? FDisk is the only
>>>> solution I can think of, but that's also going to make
>>>> about a 40 hour plus installation. I have figured out how
>>>> the scanners got in, and have stopped that; now I'm left
>>>> with the remains of it. Any thoughts about a removal
>>>> process would certainly be well accepted.
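The symptom Gene reports above, a domain controller suddenly trying to resolve hundreds of unfamiliar names, is the kind of signal a resolver log can surface before anyone notices an IRC bot. The script below is an added example for this thread, not code posted by any participant: it counts how many distinct names each client tries to resolve inside a sliding window and flags clients that exceed a threshold. The log line format, the client addresses, the `constructed-bad.example` names, and the 5-minute window / 50-name threshold are all constructed or assumed for the example; adapt `parse_line()` to your own resolver's log format and tune the threshold against a baseline of what your servers normally resolve.

```python
"""Flag hosts that try to resolve an unusual number of distinct names.

Added example (not from the thread). A server that should only resolve a
handful of internal names but suddenly asks for hundreds of distinct
hosts in a few minutes, most of them failing, is a classic bot symptom.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample lines: '<ISO timestamp> <client IP> <name> <rcode>'.

    The format is invented for this example; real resolver logs (Windows
    DNS debug log, BIND query log, ...) need their own parse_line().
    """
    base = datetime(2004, 3, 1, 2, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=1)).isoformat()} 192.168.1.10 mail.example.local NOERROR",
        f"{(base + timedelta(seconds=40)).isoformat()} 192.168.1.10 www.example.local NOERROR",
        f"{(base + timedelta(minutes=20)).isoformat()} 192.168.1.10 mail.example.local NOERROR",
    ]
    # Constructed bot behaviour: 150 distinct names in about 2.5 minutes,
    # none of which exist.
    for i in range(150):
        ts = base + timedelta(seconds=5 + i)
        lines.append(f"{ts.isoformat()} 192.168.1.5 irc{i:03d}.constructed-bad.example NXDOMAIN")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, client, name, rcode)."""
    ts, client, name, rcode = line.split()
    return datetime.fromisoformat(ts), client, name.lower().rstrip("."), rcode


def max_distinct_in_window(events, window):
    """Peak number of distinct names seen in any window of the given length.

    events: list of (timestamp, name) sorted by timestamp.
    """
    counts = Counter()
    best = 0
    left = 0
    for ts, name in events:
        counts[name] += 1
        # Slide the left edge forward until the window fits.
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_noisy_resolvers(lines, window=timedelta(minutes=5), threshold=50):
    """Return {client: summary} for clients whose peak distinct-name count
    in any window reaches the threshold (window and threshold are assumed
    starting values, not measured ones)."""
    per_client = defaultdict(list)
    nxdomain = Counter()
    for line in lines:
        ts, client, name, rcode = parse_line(line)
        per_client[client].append((ts, name))
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1

    report = {}
    for client, events in per_client.items():
        events.sort()
        peak = max_distinct_in_window(events, window)
        if peak >= threshold:
            names = sorted({n for _, n in events})
            report[client] = {
                "distinct_names_in_window": peak,
                "nxdomain": nxdomain[client],
                "sample_names": names[:5],
            }
    return report


if __name__ == "__main__":
    for client, info in find_noisy_resolvers(build_sample_log()).items():
        print(client, info)
```

Run as-is it reports only `192.168.1.5`; the ordinary client with two internal lookups stays below the threshold. The NXDOMAIN count beside the distinct-name peak is the useful second signal: a server that resolves many names successfully may just be a mail relay, while a burst of failing lookups from a domain controller deserves a look at what is running out of `system32`. In Gene's case the DC had no DNS server configured, so nothing would have reached a resolver log; the same counting works on a packet capture or firewall log of the outbound lookup attempts.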