Brad,

Have you tried removing all the root web virtual directories for MSADC and Scripts? These are generally not used for anything you'd be doing (especially given that you're doing Witango stuff rather than ASP). I see a lot of suspicious entries in log files and know that that is a place where a lot of hacking attempts start on Windows servers.
Also, check the TechRepublic site - I've found that to be a pretty good reference. (http://www.techrepublic.com)

Jason

One other remote control app to check for: VNC - it functions like PCAnywhere.

On 6/15/02 2:14 PM, "Brad Robertson" <[EMAIL PROTECTED]> wrote:

> Sorry for the OT subject, but I am at such a loss of ideas... Someone or
> some group has taken over a client's server, whether it's Back Orifice or some
> kind of remote management tool, they have complete control of the mouse,
> keyboard, and system when they log in and they are running all kinds of services,
> changed the mailserver software a couple times, and installed a bunch of apps.
> I have caught them on the box a couple times by sitting on PCAnywhere and
> waiting for them to start working, and they are very ballsy, I have to fight
> for mouse control. The box is running WinNT 4.0 SP6a, IE 6, and all current
> patches. Norton is up to date and only has found the KLEZ virus but nothing
> else. The following are some apps I found and removed but they are still
> getting on;
>
> ncx99.exe
> tftp.exe
> root.exe
> winlogin.exe
> hidewidows.exe
> printhack.exe
> Analogx
>
> Norton quarantined the following;
> temp.exe
> spool.exe
> install.exe
> SQLExec.exe
>
> SQL Exploit Monitor (can't find exe file) but saw them using it..
>
> These files were in many locations and I think I got them all, but they are
> still getting into the box and I have no clue what to do next.

--
Jason Pamental, President [EMAIL PROTECTED]
Bathysphere Digital Media Services, Inc. http://bathyspheredms.com
Tel: 401.490.6830 Fax: 401.490.6831
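
The log review mentioned in the reply above, sketched as an added example that is not part of the original thread: it scans an IIS log in W3C extended format for requests into the MSADC and Scripts virtual directories and for the executable names listed in the quoted message. The sample log lines, the addresses and the `example.dll` file name are constructed for illustration.

```python
# Directory and file names are the ones mentioned in the thread above.
WATCHED_DIRS = ("/msadc/", "/scripts/")
WATCHED_FILES = {"ncx99.exe", "tftp.exe", "root.exe", "winlogin.exe"}

# Constructed sample log (W3C extended format); addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-14 03:12:09 192.0.2.10 GET /index.taf - 200
2002-06-14 03:12:41 198.51.100.7 GET /scripts/root.exe - 404
2002-06-14 03:12:44 198.51.100.7 GET /MSADC/example.dll - 403
2002-06-14 03:13:02 198.51.100.7 GET /Scripts/ROOT.EXE - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("#fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def suspicious_hits(text):
    """Return (client, uri, status, reasons) for each request worth reviewing."""
    hits = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "")
        lowered = stem.lower()  # IIS paths are case-insensitive
        reasons = []
        if lowered.startswith(WATCHED_DIRS):
            reasons.append("watched-dir")
        if lowered.rsplit("/", 1)[-1] in WATCHED_FILES:
            reasons.append("watched-file")
        if reasons and row.get("sc-status", "").startswith("2"):
            reasons.append("served")  # 2xx: the server answered, not just a probe
        if reasons:
            hits.append((row.get("c-ip"), stem, row.get("sc-status"), reasons))
    return hits


if __name__ == "__main__":
    for hit in suspicious_hits(SAMPLE_LOG):
        print(hit)
```

Entries tagged `served` are the ones to look at first, since the server returned content for a path that should not exist once the virtual directories are removed.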
