i'm being hacked! help!
i've got a friend's server at my place. (i'm babysitting...)
anyway. a couple of days ago he needed to connect to it and asked me to open the SQLServer port (1433). so i do. i come home today, browsing through the server and find the "ServUDaemon" process running, along with other malware. i've been scouring the net trying to find a way to get rid of this thing. i ran spybot... it detected "hellz little spy" (a keystroke logger). i fixed it, but i'm not sure if it's gone for sure. i CAN'T kill the ServUDaemon process. it tells me i don't have the rights (even as an administrator).... i've gone through and deleted a few of the files manually. currently running housecall. it detected and cleaned the agobot worm. still waiting for more shit. anyway, i'd appreciate some help. i had a shitty day and this is just more shit icing on the shit cake. oh, i closed the sql port on my router, so hopefully it can't get past that. all other services (except http) are disabled... (the server hosts some small webpages).
Do you have backups of all your important shit? If you do then wipe the drives. Last resort I know but keep it in mind.
nothing very important, and yes, that'll be a last resort.
this is a friend's server.... it's been hacked before due to him not patching (and caught the SQL Slammer worm). i did manage to kill the ServU process via the "services.msc" panel. i deleted the .exe files associated and fucked with the configuration files (.ini) to change the cracker's passwords and shit. it's pretty scary stuff. i guess once this shit's running, you can remotely monitor stuff via the web. you can even search out the infected machines by looking up this file: |rwamelcdp serv-u is apparently "legit" ftp software just used to crack machines and set up all kinds of shit.
I used Serv-U awhile back while ftping my xbox. By setting up a server with it (or something like that), I was supposed to get better speeds. Didn't work too well so I trashed the program.
it's impossible to determine the extent of damage that's been done. you can try and go through and patch it up as well as you can, but the problem is there's always the possibility you missed a tiny thing, and that's all it takes.
a clever hacker would put in registry entries to redo anything you do, as well as put in several backdoors and ways to access the system. anytime you reboot the machine you could be executing a sequence that will reopen the doors. your SAFEST bet is to back everything up, and do a reinstall. that way you're sure you've gotten everything. personally, this would be my FIRST resort. i consider myself adept at cleaning machines, but even i know that i'm not good enough to catch everything. so i know there's a likely probability i'd miss something. i'd clean it up as best i can only if there was a really good reason i shouldn't start from scratch.
I don't suppose you're using a wireless lan, are you?
servU is an awesome FTP program, I couldn't live without it.
that said, what you figured out, killing the process through services.msc, was the only way to stop the service. my guess is that someone had a lot of skill, or someone physically got their hands on the box, because servU isn't part of any spyware/malware that I'm aware of. If you think it was, you might want to do a good deed and contact rhinosoft to let them know what you went through.
(church) not on a wireless lan.
(mikec) i guess it would be someone with skill because no one would have physical access to the computer. i've checked to see if the system was missing any patches... there was only one that it was lacking, the newest "fix" for the ADODB thing. it's now fully patched. i finished running housecall and other than picking up "agobot" as i mentioned earlier, it found nothing. since disconnecting the machine's ftp, and sql port services, i've been checking my router logs and there seems to be this one IP that is probing every single port (i guess trying to get back in). i've run "shield's up" at grc.com and other than port 80 being open, it says i'm fine. ideas...?
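The "one IP that is probing every single port" pattern described in the post above is easy to pull out of router logs automatically rather than by eye. The script below is an added example, not code from this thread or from any tool named in it; it assumes a netfilter-style syslog line format (the post does not show what the router actually logs) and runs over a constructed set of sample lines in which 203.0.113.7 plays the probing address. It flags any source that touches at least `min_ports` distinct destination ports inside a sliding time window, so ordinary web visitors hitting port 80 repeatedly are not reported.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of router firewall log lines in a netfilter-style syslog
# format (an assumption; the original post does not show its router's format).
# 203.0.113.7 is the constructed "probing" source; the 198.51.100.x hosts are
# ordinary visitors to the web server and must not be flagged.
SAMPLE_LOG = """\
Jan 14 02:11:03 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44121 DPT=21
Jan 14 02:11:04 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44122 DPT=22
Jan 14 02:11:05 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=23
Jan 14 02:11:06 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=25
Jan 14 02:11:07 router kernel: ACCEPT IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44125 DPT=80
Jan 14 02:11:08 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44126 DPT=110
Jan 14 02:11:09 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44127 DPT=135
Jan 14 02:11:10 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44128 DPT=139
Jan 14 02:11:11 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44129 DPT=443
Jan 14 02:11:12 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44130 DPT=445
Jan 14 02:11:13 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44131 DPT=1433
Jan 14 02:11:14 router kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44132 DPT=3389
Jan 14 02:12:00 router kernel: ACCEPT IN=ppp0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Jan 14 02:12:05 router kernel: ACCEPT IN=ppp0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80
Jan 14 02:12:09 router kernel: ACCEPT IN=ppp0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80
Jan 14 02:13:30 router kernel: DROP IN=ppp0 SRC=198.51.100.33 DST=192.0.2.10 PROTO=TCP SPT=60100 DPT=443
Jan 14 02:13:31 router kernel: ACCEPT IN=ppp0 SRC=198.51.100.33 DST=192.0.2.10 PROTO=TCP SPT=60101 DPT=80
this line is not a firewall event and is skipped by the parser
"""

# Timestamp, source address and destination port are all we need; the verdict
# (DROP/ACCEPT) is deliberately ignored because a probe of an open port is
# still a probe.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)"
    r".*?\bSRC=(?P<src>[\d.]+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) for a firewall line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used below.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def find_port_probers(log_text, min_ports=10, window_seconds=60):
    """Flag sources that touch >= min_ports distinct destination ports within
    any window of window_seconds.  Returns {src_ip: summary dict}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        best = set()
        j = 0
        for i in range(len(hits)):
            # Advance j to the first event outside the window that starts at i.
            while j < len(hits) and (hits[j][0] - hits[i][0]).total_seconds() <= window_seconds:
                j += 1
            window_ports = {dpt for _, dpt in hits[i:j]}
            if len(window_ports) > len(best):
                best = window_ports
        if len(best) >= min_ports:
            flagged[src] = {
                "distinct_ports": len(best),
                "ports": sorted(best),
                "first_seen": hits[0][0].strftime("%b %d %H:%M:%S"),
                "last_seen": hits[-1][0].strftime("%b %d %H:%M:%S"),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_port_probers(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_ports']} distinct ports between "
              f"{info['first_seen']} and {info['last_seen']}: {info['ports']}")
```

Feed it the real log with `find_port_probers(open("router.log").read())` after adjusting `LINE_RE` to the router's actual format; the window keeps a slow, patient scan from being hidden among days of unrelated traffic while still letting a busy but legitimate client off the hook, and the flagged address is what you would put into a router block rule or hand to the upstream provider's abuse contact.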
it doesn't actually take that much "skill" to install it. there are several trojans that will give a remote user even more control over the desktop than a local user.
back orifice and netbus come to mind. they'll let you transfer files and execute them. hell they'll let you control the mouse, open the cd-rom, record keystrokes, install/uninstall programs, etc.
© 2002-2012 Tilted Forum Project