Major Windows Server Problem__Help !!

Discussion in 'malware problems & news' started by jimmas, Oct 29, 2007.

Thread Status:
Not open for further replies.
  1. jimmas

    jimmas Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    2
    Hi, I have a major problem with my Windows 2000 Server SP4 with McAfee 8.5.
    It seems that something like a trojan/rootkit has been installed and exploited the svchost.exe process. It forces it to contact some internet servers, opening the ports between 3000 and 4999...
    I used the Active Ports utility and it seems that these ports remain in the Close_wait state forever, resulting in slow performance and a denial of service in the network.
    I also used McAfee intrusion detection, and buffer overflow detection keeps detecting something like c:/winnt/system32/svchost.exe:kernel32.LoadLibraryA BO:writable bo:heap or c:/winnt/system32/svchost.exe:WS2_32.Socket BO:writable bo:heap .
    Any help provided would be noticed as we are desperate!!!!
     
  2. OldMX

    OldMX Registered Member

    Joined:
    Sep 1, 2005
    Posts:
    170
    Dunno what's the role of your server, but....

    When a server gets compromised, first of all, unplug it from the net. Second, I learned it's way better to wipe it clean with 0's and start fresh; last thing you want is your box turned into an irc server streaming kiddie porn or latest warez releases :(

    If you don't want to wipe/reinstall, start grabbing some rootkit revealers, 2 or 3 different antivirus, some antispywares, fully scan the box with everything you find and also install a firewall :D

    Good luck
     
  3. jimmas

    jimmas Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    2
    My server is a domain server (Windows domain) and also a file server for a web-based database. The web server is another computer dedicated to IIS. What do you propose as a rootkit revealer? Are you aware of a particular species of rootkit that might have invaded my server? Formatting is not an option right now...
     
  4. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    Your best bet is to seek help at some dedicated HijackThis forum, of which there are many.
    If you think your server is rootkitted, you might want to check out the CastleCops forums. But you have to start at their HJT forum first and they will refer you to the Rootkit forum if they suspect a rootkit; you have to be patient though ...
    - CastleCops HJT forum (Read the sticky post first)
    - CastleCops Rootkit Revelations forum
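
The symptom reported in the first post (sockets on local ports 3000 to 4999 stuck in CLOSE_WAIT) can be tallied per remote endpoint from saved `netstat -an` output, which gives a list of peers to block at the perimeter and to hand to whoever analyses the box. This is an added example, not part of the original thread; the sample output, the addresses (documentation ranges) and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output; not taken from the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3012        198.51.100.7:80        CLOSE_WAIT
  TCP    192.0.2.10:3013        198.51.100.7:80        CLOSE_WAIT
  TCP    192.0.2.10:4555        203.0.113.9:8080       CLOSE_WAIT
  TCP    192.0.2.10:4998        203.0.113.9:8080       ESTABLISHED
  TCP    192.0.2.10:5001        198.51.100.7:80        CLOSE_WAIT
  TCP    192.0.2.10:445         192.0.2.55:1044        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One TCP row: protocol, local addr:port, foreign addr:port, state.
# The greedy address group also copes with bracketed IPv6 addresses.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def stuck_close_wait(netstat_text, lo=3000, hi=4999):
    """Count CLOSE_WAIT TCP sockets with a local port in [lo, hi], per remote endpoint.

    CLOSE_WAIT means the remote side has closed and the local process has
    not yet closed its end, so a growing count points at the local process.
    """
    hits = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or UDP row
        _laddr, lport, raddr, rport, state = m.groups()
        if state == "CLOSE_WAIT" and lo <= int(lport) <= hi:
            hits[f"{raddr}:{rport}"] += 1
    return hits


if __name__ == "__main__":
    for peer, count in stuck_close_wait(SAMPLE).most_common():
        print(f"{count:4d}  {peer}")
```

Run it against snapshots taken a few minutes apart: peers whose count only grows are the ones holding the server's sockets open.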
     