I have a server running Server 2003 SBS, running IIS 6.
It has been hacked.
The hacker can create their own hidden user account with admin rights,
steal files, etc.
I have deleted all users, changed passwords, cleaned up the registry,
and tried patching and all sorts of methods to rectify the hacked situation.
But the hacker can still log in using a user account not in the system, with
administrator rights, and turn on disabled services like telnet, remote, etc.
In the Event Viewer, Security:
Successful Logon:
User Name: heng$
Domain: NS3
Logon ID: (0x0,0x98EDE8)
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: NS3
Logon GUID: -
Caller User Name: NS3$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1500
Transited Services: -
Source Network Address: -
Source Port: -
Can anyone advise what can be done to rectify the hacked
situation?
Or explain how the user logged in in the first place?
--
+-----[ SERVER SIGNATURE ]--------------------------
| Article posted via Web Developer's USENET Archive
|
http://www.1-script.com/forums/
| Web and RSS gateway to your favorite newsgroup -
| microsoft.public.windows.server.security
+---------------------------------------------------
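
As a triage aid for the log entry in the post above (an added example, not part of the original post): this Python code parses the event text and flags the fields a responder would look at first. The event text is copied from the post; the function names, finding labels and heuristics are assumptions chosen for illustration.

```python
import re

# Event text copied from the post above (Security log, "Successful Logon").
SAMPLE_EVENT = """\
Successful Logon:
User Name: heng$
Domain: NS3
Logon ID: (0x0,0x98EDE8)
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: NS3
Logon GUID: -
Caller User Name: NS3$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1500
Transited Services: -
Source Network Address: -
Source Port: -
"""

LOCAL_SYSTEM_LUID = 0x3E7  # well-known logon session ID of LocalSystem

def parse_event(text):
    """Turn 'Field: value' lines into a dict; a '-' value becomes None."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skips the 'Successful Logon:' title line
            fields[key.strip()] = None if value.strip() == "-" else value.strip()
    return fields

def luid_low(value):
    """Low part of a '(0xHIGH,0xLOW)' logon ID as an int, or None."""
    m = re.fullmatch(r"\(0x[0-9A-Fa-f]+,0x([0-9A-Fa-f]+)\)", value or "")
    return int(m.group(1), 16) if m else None

def triage(ev):
    """Return heuristic findings (labels are assumptions of this example)."""
    findings = []
    user, host = ev.get("User Name") or "", ev.get("Workstation Name") or ""
    if user.endswith("$") and user[:-1].upper() != host.upper():
        findings.append("user-named-like-machine-account")  # not HOST$ itself
    if luid_low(ev.get("Caller Logon ID")) == LOCAL_SYSTEM_LUID:
        findings.append("logon-requested-by-localsystem-process")
    if ev.get("Logon Type") == "2" and ev.get("Source Network Address") is None:
        findings.append("logon-created-locally-no-network-source")
    return findings
```

For the event in the post, all three findings are returned; the Caller Process ID field (1500 here) identifies the process on the server that requested the logon.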