I had an attack on my WIN2K Server recently. I have removed most of the
files except there are three bot files: (mybot.log, mybot.xdcc,
mybot.xdcc.bkup) which I cannot delete. How can I get rid of them?

Also, I have a TCP Connection that I want to get rid of. How would I do
that? It appears to have been tied to an IRC service using port 5631.

Re: Bots by Karl

Karl
Tue Jul 22 10:35:41 CDT 2003

We'd need to know why you can't remove them. Is there an error message?
Are you sure you found and removed everything? Actually, let me answer that
last question for you: you can't be sure of that, ever, unless you format
and reinstall windows and everything else. However, doing this is optional
and is up to you.

This is not the sort of thing where you want to learn as you go, but you
can try doing it yourself if you prefer. I would be checking firewall logs
to try to track down where this came from and what other devices might have
been affected. If you have no firewall, you need one; there are even free
ones. Before you think about formatting, I'd also want to first determine
what was done and how so that I could close that particular vulnerability
and others, or else you'll be hacked again in a minute using the same
vulnerability. Here's a start:

http://securityadmin.info/faq.htm#hacked [for example, fport from
www.foundstone.com/knowedge may help find what file is keeping that port
open]

http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

Because that port is open, it sounds like your server is still hacked.
Someone could be remotely controlling it right now. Unplugging the network
cable immediately may be something to consider. If and when you follow the
instructions above to look for signs of hacking, keep in mind that Windows
rootkits can hide files, registry entries and services from you when you're
logged in locally. Using another computer on the network to attach, run an
antivirus scan, inspect the registry and installed services, etc. may be
helpful if there is any suspicion that a Windows rootkit may be installed.

If you find anything interesting out or need additional help, let us know.


"Bill Fry" <bill.fry@attbi.com> wrote in message
news:uh4ctmFUDHA.1912@tk2msftngp13.phx.gbl...
> I had an attack on my WIN2K Server recently. I have removed most of the
> files except there are three bot files: (mybot.log, mybot.xdcc,
> mybot.xdcc.bkup) which I cannot delete. How can I get rid of them?
>
> Also, I have a TCP Connection that I want to get rid of. How would I do
> that? It appears to have been tied to an IRC service using port 5631.
>
>
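A defender-side sketch of the fport step Karl suggests, added here as an example; it is not code from the thread or from Foundstone. It parses a port-to-process table in the column layout fport prints (that layout is assumed, and the sample rows are constructed, not the poster's output) and flags listeners worth a closer look: the thread's port 5631, image files that do not sit directly in a system directory, and one process name running from more than one path.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample laid out the way fport prints its table
# (Pid Process -> Port Proto Path). It is NOT output from the poster's
# server; port 5631 is the only value taken from the thread.
SAMPLE_FPORT_OUTPUT = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1204  svchost        ->  5631  TCP   C:\\WINNT\\system32\\drivers\\svchost.exe
996   services       ->  1025  TCP   C:\\WINNT\\system32\\services.exe
"""

ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
SUSPECT_PORTS = {5631}                       # port named in the thread
TRUSTED_DIRS = {r"c:\winnt\system32", r"c:\winnt", r"c:\program files"}

def parse_fport(text: str) -> List[Dict]:
    """Turn the text table into rows; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "process": proc.lower(), "port": int(port),
                         "proto": proto, "path": path.strip().lower()})
    return rows

def triage(rows: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons it deserves a closer look (empty dict = nothing flagged)."""
    paths_by_name = defaultdict(set)
    for r in rows:
        if r["path"]:
            paths_by_name[r["process"]].add(r["path"])
    findings = defaultdict(list)
    for r in rows:
        if r["port"] in SUSPECT_PORTS:
            findings[r["pid"]].append(f"port {r['port']} is the suspect port")
        if r["path"]:
            parent = r["path"].rsplit("\\", 1)[0]        # directory holding the image
            if parent not in TRUSTED_DIRS:
                findings[r["pid"]].append(f"image outside system dirs: {r['path']}")
            if len(paths_by_name[r["process"]]) > 1:
                findings[r["pid"]].append(f"{r['process']} runs from several paths")
    return dict(findings)

if __name__ == "__main__":
    for pid, reasons in triage(parse_fport(SAMPLE_FPORT_OUTPUT)).items():
        print(pid, "; ".join(reasons))
```

Rows without a path (kernel-owned ports like the System entry) are left alone, and a hidden process would not appear in the table at all, which is why Karl's advice to inspect from another machine still applies.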