Server Hacked Logon Type 2

Discussion in 'Server Security' started by jeffhsu, Mar 13, 2011.

  1. jeffhsu

    jeffhsu Guest

    I have a server running Server 2003 SBS, running IIS 6.
    It has been hacked.
    The hacker can create its own hidden user account, with admin rights,
    steal files, etc.
    I have deleted all users, changed the password, cleaned up the registry,
    tried patching and all sorts of methods to rectify the hacked situation.

    But the hacker can still log in using a user account not in the system, with
    administrator rights, turn on disabled services like telnet, remote, etc.

    In the Event Viewer, Security:

    Successful Logon:
    User Name: heng$
    Domain: NS3
    Logon ID: (0x0,0x98EDE8)
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: NS3
    Logon GUID: -
    Caller User Name: NS3$
    Caller Domain: WORKGROUP
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 1500
    Transited Services: -
    Source Network Address: -
    Source Port: -


    Can anyone advise what can be done to rectify the hacked
    situation?
    Or explain how the user logged in in the first place?



    --
    +-----[ SERVER SIGNATURE ]--------------------------
    | Article posted via Web Developer's USENET Archive
    | http://www.1-script.com/forums/
    | Web and RSS gateway to your favorite newsgroup -
    | microsoft.public.windows.server.security
    +---------------------------------------------------
     
    jeffhsu, Mar 13, 2011
    #1
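The following is an added example, not part of the original post: a Python sketch that parses the "Successful Logon" record quoted above and lists what its fields tell a responder. The function names and the wording of the findings are assumptions made for illustration; the event text is copied from the post.

```python
import re

# Event text copied from the post above (Windows Server 2003 "Successful Logon" record).
SAMPLE_EVENT = """\
Successful Logon:
User Name: heng$
Domain: NS3
Logon ID: (0x0,0x98EDE8)
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: NS3
Logon GUID: -
Caller User Name: NS3$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1500
Transited Services: -
Source Network Address: -
Source Port: -
"""

def parse_logon_event(text):
    """Turn 'Field Name: value' lines into a dict; a value of '-' becomes None."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*?)\s*$", line)
        if m and m.group(2):  # skips the 'Successful Logon:' header line
            fields[m.group(1).strip()] = None if m.group(2) == "-" else m.group(2)
    return fields

def triage(fields):
    """Return findings for one record (hypothetical helper; wording is illustrative)."""
    findings = []
    user = fields.get("User Name") or ""
    host = fields.get("Workstation Name") or ""
    if user.endswith("$") and user[:-1].upper() != host.upper():
        findings.append("account name ends in '$' but is not this machine's account")
    if fields.get("Logon Type") == "2" and fields.get("Source Network Address") is None:
        findings.append("interactive logon (type 2) with no source network address recorded")
    if (fields.get("Logon Process") or "").lower() == "advapi":
        findings.append("logon requested through the LogonUser API by a local process")
    if (fields.get("Caller Logon ID") or "").upper().endswith(",0X3E7)"):
        pid = fields.get("Caller Process ID")
        findings.append(f"caller runs in the Local System session (0x3E7), PID {pid}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(parse_logon_event(SAMPLE_EVENT))))
```

Taken together, the fields describe a process already running as Local System on the server (Caller Process ID 1500) creating the session for `heng$`, so the process behind that PID is the thing to identify on the host.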