My Win2K server has been hacked!

I just discovered that someone hacked into my Windows 2000 server and used it for the last 2 weeks to load media files into hidden directories in the RECYCLER directory and serve them up using Windows Media Service. The hacker(s) also installed 2 Terminal Services-like programs, DameWare and VNC, as well as Serv-U FTP software.

We use the system as a web server (IIS), and we get to it through Terminal Services and IIS's FTP server. There are only about 10 user accounts defined on the system, all of which have passwords. We run Windows Update every few weeks to install any patches Microsoft distributes.

When I first set up the server (which is hosted at Hostway), I ran URL Scan and Lockdown. I disabled anonymous FTP access to IIS. I thought that would be good enough to keep intruders out, but it wasn't. Since discovering the problem, I've changed passwords, turned on auditing, set up an account lockout policy, and removed the software the hacker loaded (or at least as much of it as I could find).

What else should I do?

Some more specific questions:

IIS uses the IUSR_systemname and IWAM_systemname accounts. Could a hacker log into the system using them? If so, is there a way to prevent that?

Terminal Services uses the TsInternetUser account. Is there a way to prevent anyone else from using that account?

In Windows 2000, is it possible to have a user account that doesn't show up in the Computer Management application? If so, how can I find and delete any such accounts?

Can anyone recommend a (hopefully free) firewall program we could run? I'm not sure I can discover the IP address of the hacker(s)--wouldn't I need to give that information to a firewall so it can block out traffic from that address?

Thanks for your help!

Jeri Morris
jerimorris2000@yahoo.com
