Major Windows Server Problem__Help !!

Hi , i have a major problem with my windows 2000 server sp4 with mcafee 8.5..
Seems that something like a trojan/rootkit has been installed and exploited the svchost.exe process ..It forces it to contact with some internet servers opening the ports between 3000 and 4999...
I used the Active ports utility and it seems that these ports remain in the Close_wait state forever resulting in a slow performane and a Denial Of service in the network..
I also used mcafee instrusion detection and buffer overflow detection keeps detecting something like c:/winnt/system32/svchost.exe:kernel32.LoadLibraryA BO:writable bo:heap or c:/winnt/system32/svchost.exe:WS2_32.Socket BO:writable bo:heap .
Any help provided would be noticed as we are desperated!!!!

 

Dunno whats the role of your server, but....

When a server gets compromised, first of all, unplug it from the net, second, I learned its way better to wipe it clean with 0's and start fresh, last thing you want is your box turned into an irc server streaming kiddie porn or latest warez releases

If you dont want to wipe/reinstall, start grabbing some rootkit revealers, 2 or 3 different antivirus, some antispywares, fully scan the box with everything you find and also install a firewall

Good luck

 

My server is a domain server windows domain and also fileserver for a web based database.The web server is another computer dedicated to iis.what do you prepose as a rootkit revealer??Are you aware of a particular species of rootkit that might have invaded in my server?formatting is not an option right now...

 

Your best bet is to seek help at some dedicated HijackThis forum, of which there are many.
If you think your server is rootkitted, you might want to check out CastleCops forums. But you have to start at thier HJT forum first and they will refer you to the Rootkit forum if they suspect a rootkit, you have to be patient though ...
- CatleCops HJT forum (Read the sticky post first)
- CastleCops Rootkit Revelations forum