Try looking in the logs at the ports for a BACKDOOR program. The latest four or five, in the wild in just the last week, are:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ultor.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.dewin.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nota.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.crat.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ftp_bmail.html

and more!

Stephen

> Sorry for the OT subject, but I am at such a loss for ideas... Someone or
> some group has taken over a client's server. Whether it's Back Orifice or
> some kind of remote management tool, they have complete control of the
> mouse, keyboard, and system when they log in, and they are running all
> kinds of services, have changed the mail server software a couple of times,
> and installed a bunch of apps. I have caught them on the box a couple of
> times by sitting on PCAnywhere and waiting for them to start working, and
> they are very ballsy; I have to fight for mouse control. The box is running
> WinNT 4.0 SP6a, IE 6, and all current patches. Norton is up to date and has
> only found the KLEZ virus but nothing else. The following are some apps I
> found and removed, but they are still getting on:
>
> ncx99.exe
> tftp.exe
> root.exe
> winlogin.exe
> hidewidows.exe
> printhack.exe
> Analogx
>
> Norton quarantined the following:
> temp.exe
> spool.exe
> install.exe
> SQLExec.exe
>
> SQL Exploit Monitor (can't find exe file) but saw them using it.
>
> These files were in many locations and I think I got them all, but they
> are still getting into the box and I have no clue what to do next.

________________________________________________________________________
TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
with unsubscribe witango-talk in the message body
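As an added triage example (not part of this thread, and not Stephen's or the original poster's code): a small Python script that takes a `netstat -an` listing from the compromised box and reports any bound port that is outside a known-good baseline, plus any file path whose name matches one of the indicators listed in the message above. It works on any `netstat -an` listing, not just this host's. The netstat output and file paths below are constructed samples; the baseline ports (SMTP, HTTP, NetBIOS session, PCAnywhere) are an assumption about what this mail/web server should legitimately have open, and the extra ports in the sample (TCP 99, TCP 31337, UDP 69) are chosen only to exercise the check, not taken from the thread.

```python
"""Triage helpers for a suspected backdoored Windows host.

Added example, not from the witango-talk thread. The netstat output and
file listing are constructed samples; the baseline ports are an assumption.
"""
import re

# File names the original poster reported finding or that Norton quarantined
# (lower-cased, since Windows file names are case-insensitive).
INDICATOR_FILES = {
    "ncx99.exe", "tftp.exe", "root.exe", "winlogin.exe", "hidewidows.exe",
    "printhack.exe", "temp.exe", "spool.exe", "install.exe", "sqlexec.exe",
}

# Assumed known-good ports for this NT 4.0 mail/web server:
# SMTP, HTTP, NetBIOS session, PCAnywhere data (TCP) and status (UDP).
BASELINE_TCP_PORTS = {25, 80, 139, 5631}
BASELINE_UDP_PORTS = {137, 138, 5632}

# Constructed `netstat -an` output. TCP 99, TCP 31337 and UDP 69 are
# deliberately outside the baseline so the check has something to flag.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:99             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        10.0.0.5:1044          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:69             *:*
"""

# proto, local addr, local port, foreign addr, optional state (UDP has none)
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_text):
    """Return {'TCP': set, 'UDP': set} of ports bound locally.

    TCP sockets count only in LISTENING state (established connections are
    clients or accepted sessions, not services). UDP lines carry no state
    column, so every bound UDP socket is returned.
    """
    ports = {"TCP": set(), "UDP": set()}
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank, or unparseable line
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        ports[proto].add(int(port))
    return ports


def unexpected_listeners(netstat_text, tcp_baseline=BASELINE_TCP_PORTS,
                         udp_baseline=BASELINE_UDP_PORTS):
    """Bound ports that are not in the known-good baseline, sorted per protocol."""
    ports = listening_ports(netstat_text)
    return {
        "TCP": sorted(ports["TCP"] - set(tcp_baseline)),
        "UDP": sorted(ports["UDP"] - set(udp_baseline)),
    }


def flagged_files(paths, indicators=INDICATOR_FILES):
    """Paths whose base name matches an indicator file, case-insensitively."""
    hits = []
    for p in paths:
        name = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in indicators:
            hits.append(p)
    return hits


if __name__ == "__main__":
    # Constructed file listing standing in for a `dir /s` of the box.
    sample_paths = [
        r"C:\WINNT\system32\ncx99.exe",
        r"C:\Inetpub\scripts\root.exe",
        r"C:\WINNT\system32\cmd.exe",
        r"C:\temp\SQLExec.exe",
    ]
    print("Unexpected bound ports:", unexpected_listeners(SAMPLE_NETSTAT))
    print("Indicator files present:", flagged_files(sample_paths))
```

To use it on the real host, feed it the actual `netstat -an` output (and a `dir /s` listing) instead of the constructed samples and adjust the baseline to what that server is supposed to serve. Anything it flags still has to be tied to a process and an on-disk binary by hand. One caveat: this trusts the host's own netstat, so if the intruders have replaced system binaries (the thread already mentions a replaced winlogin), the cross-check is a port scan of the box from a second, clean machine.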
