been hacked, tlntsvr.exe cannot be shutdown


Jerry
Hi,

I found 27 Gig of movies and games on my server today.
I was able to expunge them, although they were very
sneaky and clever about changing ownership and
permissions (they were hidden in RECYCLER folder).

But after running AV software and updating Win2k Server
to SP4, all latest updates, I still see a connection in
netstat that looks like hackers (note poland url) and
cannot stop tlntsrv.exe (telnet services manager opens
window, which immediately shuts...denied access from task
manager).

Any idea how to kick out the intruder?

Active Connections

  Proto  Local Address               Foreign Address                             State
  TCP    chinabilling2:microsoft-ds  dpc691943014.direcpc.com:33744              ESTABLISHED
  TCP    chinabilling2:microsoft-ds  host45-168.pool80181.interbusiness.it:4073  ESTABLISHED
  TCP    chinabilling2:microsoft-ds  beg251.neoplus.adsl.tpnet.pl:3118           ESTABLISHED
  TCP    chinabilling2:2121          pD9EE0561.dip0.t-ipconnect.de:3962          ESTABLISHED
  TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4110          TIME_WAIT
  TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4124          TIME_WAIT
  TCP    chinabilling2:6621          ACB59020.ipt.aol.com:2921                   ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3918          ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3922          ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3970          ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3989          ESTABLISHED
                                     chinabilling2.POP.local:microsoft-ds        TIME_WAIT

Jerry
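A small triage script for netstat output like the listing above, added here as an example and not part of the original thread. It parses the "Proto / Local Address / Foreign Address / State" rows, flags SMB (microsoft-ds) sessions from internet hosts, and flags any fixed local port that several distinct remote endpoints are connected to, which is the signature of a listening service rather than an outbound client; the sample is re-typed from the post with one constructed benign LAN row, and the ".local" suffix and the "no service should be public" baseline are assumptions.

```python
import re
# Constructed sample, re-typed from the netstat output in the post with the wrapped
# lines joined; the last row (fileserver.POP.local) is an added benign LAN connection.
NETSTAT_OUTPUT = """\
  Proto  Local Address               Foreign Address                         State
  TCP    chinabilling2:microsoft-ds  dpc691943014.direcpc.com:33744          ESTABLISHED
  TCP    chinabilling2:microsoft-ds  beg251.neoplus.adsl.tpnet.pl:3118       ESTABLISHED
  TCP    chinabilling2:2121          pD9EE0561.dip0.t-ipconnect.de:3962      ESTABLISHED
  TCP    chinabilling2:6621          ACB59020.ipt.aol.com:2921               ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3918      ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3922      ESTABLISHED
  TCP    chinabilling2:1046          fileserver.POP.local:microsoft-ds       ESTABLISHED
"""

# Assumption: hosts under these suffixes are on the LAN; everything else is "the internet".
LOCAL_SUFFIXES = (".local", "localhost")
# Services that should never be reachable from the internet on a server like this one.
NEVER_PUBLIC = {"microsoft-ds", "445", "netbios-ssn", "139", "telnet", "23"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S+)?\s*$")

def parse_netstat(text):
    """Turn 'netstat -a' style lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lhost, lport, rhost, rport, state = m.groups()
            rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                         "rhost": rhost, "rport": rport, "state": state or ""})
    return rows

def is_external(host):
    return host != "127.0.0.1" and not host.lower().endswith(LOCAL_SUFFIXES)

def triage(rows, expected_public=frozenset()):
    """Return (finding, local_port, detail) tuples worth a look, in a stable order."""
    findings, peers_by_lport = [], {}
    for r in rows:
        if r["proto"] != "TCP" or not is_external(r["rhost"]):
            continue
        if r["lport"] in NEVER_PUBLIC:
            findings.append(("smb-or-telnet-from-internet", r["lport"], r["rhost"]))
        peers_by_lport.setdefault(r["lport"], set()).add((r["rhost"], r["rport"]))
    # One fixed local port reached by several distinct remote endpoints is a listener, not a client.
    for lport, peers in peers_by_lport.items():
        if lport not in NEVER_PUBLIC and lport not in expected_public and len(peers) >= 2:
            findings.append(("unexpected-listener", lport, len(peers)))
    return findings
```

On the listing in the post this reports the three SMB sessions from the internet and port 6621 as an unexpected listener; the single connection on 2121 is not flagged by the peer-count rule and still deserves a manual look.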

BeamGuy
The only reliable method is to rebuild your system from scratch.
It could also be the fastest - since poking around trying to figure
out all that they have done can take quite some time, and still
leave you open. They likely installed several routes into your
system.
-sorry.


"Jerry" wrote in message news:16e101c499cf$6d614df0$a501280a@phx.gbl...
> Hi,
>
> I found 27 Gig of movies and games on my server today.
> I was able to expunge them, although they were very
> sneaky and clever about changing ownership and
> permissions (they were hidden in RECYCLER folder).
>
> But after running AV software and updating Win2k Server
> to SP4, all latest updates, I still see a connection in
> netstat that looks like hackers (note poland url) and
> cannot stop tlntsrv.exe (telnet services manager opens
> window, which immediately shuts...denied access from task
> manager).
>
> Any idea how to kick out the intruder?
>
> Active Connections
>
>   Proto  Local Address               Foreign Address                             State
>   TCP    chinabilling2:microsoft-ds  dpc691943014.direcpc.com:33744              ESTABLISHED
>   TCP    chinabilling2:microsoft-ds  host45-168.pool80181.interbusiness.it:4073  ESTABLISHED
>   TCP    chinabilling2:microsoft-ds  beg251.neoplus.adsl.tpnet.pl:3118           ESTABLISHED
>   TCP    chinabilling2:2121          pD9EE0561.dip0.t-ipconnect.de:3962          ESTABLISHED
>   TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4110          TIME_WAIT
>   TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4124          TIME_WAIT
>   TCP    chinabilling2:6621          ACB59020.ipt.aol.com:2921                   ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3918          ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3922          ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3970          ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3989          ESTABLISHED
>                                      chinabilling2.POP.local:microsoft-ds        TIME_WAIT
>
> Jerry



Dave
step 1: unplug the network cable or phone line
step 2: format C:
step 3: reinstall, do all patches, install firewall, install av.
step 4: reconnect to internet and resume normal operation

"Jerry" wrote in message
news:16e101c499cf$6d614df0$a501280a@phx.gbl...
> Hi,
>
> I found 27 Gig of movies and games on my server today.
> I was able to expunge them, although they were very
> sneaky and clever about changing ownership and
> permissions (they were hidden in RECYCLER folder).
>
> But after running AV software and updating Win2k Server
> to SP4, all latest updates, I still see a connection in
> netstat that looks like hackers (note poland url) and
> cannot stop tlntsrv.exe (telnet services manager opens
> window, which immediately shuts...denied access from task
> manager).
>
> Any idea how to kick out the intruder?
>
> Active Connections
>
>   Proto  Local Address               Foreign Address                             State
>   TCP    chinabilling2:microsoft-ds  dpc691943014.direcpc.com:33744              ESTABLISHED
>   TCP    chinabilling2:microsoft-ds  host45-168.pool80181.interbusiness.it:4073  ESTABLISHED
>   TCP    chinabilling2:microsoft-ds  beg251.neoplus.adsl.tpnet.pl:3118           ESTABLISHED
>   TCP    chinabilling2:2121          pD9EE0561.dip0.t-ipconnect.de:3962          ESTABLISHED
>   TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4110          TIME_WAIT
>   TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4124          TIME_WAIT
>   TCP    chinabilling2:6621          ACB59020.ipt.aol.com:2921                   ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3918          ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3922          ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3970          ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3989          ESTABLISHED
>                                      chinabilling2.POP.local:microsoft-ds        TIME_WAIT
>
> Jerry



Steven L Umbach
It does not look like you are using a firewall. You need to run a properly configured
firewall that ideally can block all outbound access except that which is authorized
by port, protocol, IP address, and application [software firewall capability]. You
could install Sygate firewall today and try it free for thirty days until you decide
on a firewall solution. Run Microsoft Baseline Security Analyzer on your computer to
make sure unneeded services are shut down and try another virus scan program and a
dedicated trojan removal program. The links below are for a free product from Trend
Micro that will scan for and remove many common malwares. Download into a folder and
execute from there.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx
http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp
http://smb.sygate.com/products/spf_pro.htm --- Sygate Pro

You really should consider rebuilding your computer and taking steps to prevent this
again. The link below explains why. --- Steve

http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx
http://www.microsoft.com/technet/security/chklist/w2ksvrcl.mspx -- security
checklist for server.


"Jerry" wrote in message
news:16e101c499cf$6d614df0$a501280a@phx.gbl...
> Hi,
>
> I found 27 Gig of movies and games on my server today.
> I was able to expunge them, although they were very
> sneaky and clever about changing ownership and
> permissions (they were hidden in RECYCLER folder).
>
> But after running AV software and updating Win2k Server
> to SP4, all latest updates, I still see a connection in
> netstat that looks like hackers (note poland url) and
> cannot stop tlntsrv.exe (telnet services manager opens
> window, which immediately shuts...denied access from task
> manager).
>
> Any idea how to kick out the intruder?
>
> Active Connections
>
>   Proto  Local Address               Foreign Address                             State
>   TCP    chinabilling2:microsoft-ds  dpc691943014.direcpc.com:33744              ESTABLISHED
>   TCP    chinabilling2:microsoft-ds  host45-168.pool80181.interbusiness.it:4073  ESTABLISHED
>   TCP    chinabilling2:microsoft-ds  beg251.neoplus.adsl.tpnet.pl:3118           ESTABLISHED
>   TCP    chinabilling2:2121          pD9EE0561.dip0.t-ipconnect.de:3962          ESTABLISHED
>   TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4110          TIME_WAIT
>   TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4124          TIME_WAIT
>   TCP    chinabilling2:6621          ACB59020.ipt.aol.com:2921                   ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3918          ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3922          ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3970          ESTABLISHED
>   TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3989          ESTABLISHED
>                                      chinabilling2.POP.local:microsoft-ds        TIME_WAIT
>
> Jerry



Jerry
Thanks, especially to Steven.
Jerry




>-----Original Message-----
>Hi,
>
>I found 27 Gig of movies and games on my server today.
>I was able to expunge them, although they were very
>sneaky and clever about changing ownership and
>permissions (they were hidden in RECYCLER folder).
>
>But after running AV software and updating Win2k Server
>to SP4, all latest updates, I still see a connection in
>netstat that looks like hackers (note poland url) and
>cannot stop tlntsrv.exe (telnet services manager opens
>window, which immediately shuts...denied access from task
>manager).
>
>Any idea how to kick out the intruder?
>
>Active Connections
>
>  Proto  Local Address               Foreign Address                             State
>  TCP    chinabilling2:microsoft-ds  dpc691943014.direcpc.com:33744              ESTABLISHED
>  TCP    chinabilling2:microsoft-ds  host45-168.pool80181.interbusiness.it:4073  ESTABLISHED
>  TCP    chinabilling2:microsoft-ds  beg251.neoplus.adsl.tpnet.pl:3118           ESTABLISHED
>  TCP    chinabilling2:2121          pD9EE0561.dip0.t-ipconnect.de:3962          ESTABLISHED
>  TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4110          TIME_WAIT
>  TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4124          TIME_WAIT
>  TCP    chinabilling2:6621          ACB59020.ipt.aol.com:2921                   ESTABLISHED
>  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3918          ESTABLISHED
>  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3922          ESTABLISHED
>  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3970          ESTABLISHED
>  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3989          ESTABLISHED
>                                     chinabilling2.POP.local:microsoft-ds        TIME_WAIT
>
>Jerry