Hacked Windows 2000 Server
comp.security.firewalls archive

Hacked Windows 2000 Server

From: Ali <asmith@c-it.co.uk>
Date: Wed Nov 23 2005 - 01:23:00 CET

Hi,

I published this to a Windows Support group and have got zilch in the
way of replies - this seems to be the best group I've found so far and
am hoping someone may be able to help with this problem I have.

I have just patched up a client server after its security was
compromised but am unable to open the Add/Remove Programs applet
from the Control Panel. The mouse icon briefly flickers then does
nothing. I don't really have the option of rebuilding this system so
would really like to fix this.

This is a Windows 2000 Server running SP4 and IIS 5 - this hosts their
website to the outside world and is most likely how the hackers got in.

The initial hack was in the form of r_server.exe running as a service,
I've seen this before so know it's a form of remote control. The
server also had a second service - qostcp... (I can't quite remember
the exact name), this was listening on port 443 preventing their usual
ssl site from working.

All this was pretty simple to clean off although I'd love to know the
specifics on how they got them on there! The bit that is stumping me
right now is the add/remove programs applet, I'm guessing they've (the
hacker) locked this down somehow. I've tried re-registering related
.dll files but have got nowhere.

If anyone has seen this problem or any ideas and can help with this it
would be greatly appreciated. Also, if anyone knows more information
on how they got the remote control on the server that would be really
useful to have for securing this.

Kind regards
Alastair
Received on Sat Dec 3 04:17:58 2005
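The cleanup the post describes lends itself to a repeatable triage pass. The script below is an added example, not the poster's code or anything from the thread. It assumes an elevated PowerShell session on a Windows host (PowerShell was never shipped for Windows 2000, so on that exact box the equivalent checks are sc query / sc qc, netstat and regedit), takes the two service names from the post as a suspect list, and treats %SystemRoot% and Program Files as the only trusted binary locations, which is a heuristic rather than a rule. It lists services whose binaries live elsewhere, listening TCP ports with their owning process (flagging 443 when IIS does not own it, since the post's rogue service sat on that port), and the Explorer/Uninstall policy values that hide or block the Add/Remove Programs applet, which is the first thing to check when the applet refuses to open and re-registering DLLs has not helped.

```powershell
# Post-compromise triage for a Windows host where a rogue service was found
# and the Add/Remove Programs applet no longer opens.
# Added example, not from the original post. Assumes an elevated
# PowerShell 2.0+ session; suspect names are the two from the post, the
# trusted-directory list is a heuristic.

$suspectNames = @('r_server', 'qostcp')

# ---- 1. Services: flag suspect names and binaries outside system locations ----
$trustedDirs = @("$env:SystemRoot\", "$env:ProgramFiles\")
Write-Output "== Suspicious services =="
foreach ($svc in (Get-WmiObject Win32_Service)) {
    $path = $svc.PathName
    if (-not $path) { continue }
    # PathName may be quoted, carry arguments, or use %SystemRoot%; isolate the executable
    if ($path -match '^"([^"]+)"') { $exe = $matches[1] } else { $exe = ($path -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $outside = $true
    foreach ($dir in $trustedDirs) { if ($exe -like "$dir*") { $outside = $false } }
    $nameHit = $false
    foreach ($n in $suspectNames) {
        if ($svc.Name -like "*$n*" -or $svc.DisplayName -like "*$n*") { $nameHit = $true }
    }
    if ($outside -or $nameHit) {
        "{0,-24} {1,-8} {2,-7} {3}" -f $svc.Name, $svc.State, $svc.StartMode, $path
    }
}

# ---- 2. Listening TCP ports and their owning processes ----
# netstat -o (PID column) exists on Windows XP/2003 and later, not on 2000.
$exeByPid = @{}
foreach ($p in (Get-WmiObject Win32_Process)) { $exeByPid[[int]$p.ProcessId] = $p.ExecutablePath }
Write-Output "== Listening TCP ports =="
foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
        $port = [int]$matches[1]; $ownerPid = [int]$matches[2]
        $owner = $exeByPid[$ownerPid]
        $note = ''
        # IIS 5 serves HTTPS from inetinfo.exe; on IIS 6+ it is http.sys inside System (PID 4)
        if ($port -eq 443 -and $owner -notlike '*\inetinfo.exe' -and $ownerPid -ne 4) {
            $note = '  <-- 443 not owned by IIS'
        }
        "{0,6}  {1,6}  {2}{3}" -f $port, $ownerPid, $owner, $note
    }
}

# ---- 3. Policies that hide or block the Add/Remove Programs applet ----
# These policy values are independent of COM/DLL registration.
Write-Output "== Control Panel / Add-Remove policies =="
foreach ($hive in 'HKCU:', 'HKLM:') {
    $base = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies"
    $checks = @{
        "$base\Uninstall" = @('NoAddRemovePrograms', 'NoRemovePage', 'NoAddPage', 'NoWindowsSetupPage')
        "$base\Explorer"  = @('NoControlPanel', 'RestrictCpl', 'DisallowCpl')
    }
    foreach ($key in $checks.Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $checks[$key]) {
            if ($props.$name) { "$key  $name = $($props.$name)" }
        }
        # DisallowCpl / RestrictCpl keep their applet lists (e.g. appwiz.cpl) in a subkey of the same name
        foreach ($sub in 'DisallowCpl', 'RestrictCpl') {
            $subKey = Join-Path $key $sub
            if (Test-Path $subKey) {
                foreach ($prop in (Get-ItemProperty -Path $subKey).PSObject.Properties) {
                    if ($prop.Name -notlike 'PS*') { "$subKey  $($prop.Name) = $($prop.Value)" }
                }
            }
        }
    }
}
```

Run it once before cleanup to capture the rogue services and listeners as evidence, and again after the policy values have been removed to confirm nothing restarts on reboot; a service that is stopped but still Auto-start will come back.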