Hacked Windows 2000 Server


I published this to a Windows Support group and have got zilch in the way of replies - this seems to be the best group I've found so far and am hoping someone may be able to help with this problem I have.

I have just patched up a client server after its security was compromised but have am unable to open the add/remove programs applet from the control panel. The mouse icon briefly flickers then does nothing. I don't really have the option of rebuilding this system so would really like to fix this.

This is a Windows 2000 Server running SP4 and IIS 5 - this hosts their website to the outside world and is most likely how the hackers got in.

The initial hack was in the form of r_server.exe running as a service, I've seen this before so know it's a form of remote control. The server also had a second service - qostcp... (I can't quite remember the exact name), this was listening on port 443 preventing their usual ssl site from working.

All this was pretty simple to clean off although I'd love to know the specifics on how they got them on there! The bit that is stumping me right now is the add/remove programs applet, I'm guessing they've (the hacker) locked this down somehow. I've tried re-registering related .dll files but have got nowhere.

If anyone has seen this problem or any ideas and can help with this it would be greatly appreciated. Also, if anyone knows more information on how they got the remote control on the server that would be really useful to have for securing this.

Kind regards Alastair

Reply to
Loading thread data ...

You don't have that option either. You cannot 'fix' a compromised system because you do not know exactly what unauthorised changes were made. The system should be considered compromised until such time as it has been rebuilt from trusted, original media while disconnected from the network. The system should then be hardened, and reconnected behind a properly configured firewall.


Reply to

Most likely it is insecure WEB applications developed by WEB programmers. I found out from some training that someone can hack right through a textbox control issuing commands to the O/S if the underlying parts of the application is not secure.

Don't they have server that you can rebuild and try to secure as much as possible? I wouldn't trust a compromised WEB server.

Duane :)

Reply to
Duane Arnold

Am Tue, 22 Nov 2005 16:23:00 -0800 schrieb Ali:

Doesn't work.

The is and never has never been no other fix for a compromised system than a complete rebuild. Stop whining, don't lose more time, start reinstalling the box *now*.


Reply to
Wolfgang Kueter

That'll be the program Radmin from

formatting link
Not a virus or trojan but a perfectly legit remote access program. Anyway, as others have said, don't patch. Rip it out, format and rebuild securely with a proper hardware firewall.

Reply to

We use RADMIN 2.1 on our networks for all machines and servers, it works well and has for years, but Symantec detects it as a trojan so we manually include an exception for it.

Reply to

Sounds about par for the course for Symantec ;-)

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.