At my job we have two Windows NT 4 machines. Recently we noticed in our router logs more traffic than usual. We did a little research, and lo and behold our two NT 4 machines were penetrated somehow. We haven't the slightest clue how someone got in.

Well the cracker installed RhinoSoft Serv U FTP. It runs in the background on high ports and is hard to discover. I called RhinoSoft asking how to remove the software and they gave me the old "backup and format". Those guys are bastards. I remember the days they were releasing black hat programs. We all know whose side they're really on. Anyway...

We disabled the software yesterday. But this morning the files were reinstalled and it is back. So somehow this cracker keeps getting in. I'm currently downloading some port scanners and security scanners. Other than that I am at a dead end.

I don't want to wipe out these systems. There are so many sites on each machine. Suggestions?

----

Additional Info: (Copy of my post later in thread):

I downloaded an Active Port Viewer. There is an .exe file: c:\WINNT\system32\srvohk.exe It is listening on ports: 8000 and 43958. This is clearly the trojan.

Files the hacker uploaded were stored in:
E:\RECYCLER\S-1-5-21-713979624-1589857245-60295696-600\CON\COM1\

I was able to move the files out of that directory, but I cannot remove the directory because of the reserved "CON" name. Anyone know how I can remove this? I tried using MSDOS and it won't let me. It is not a read only file. I do have admin permissions.

----

Updates: Killed the srvohk.exe process, and deleted the file from system. I was able to delete the CON directory using the RM utility. (Thanks DjM). I am currently checking out the processes that are running, and doing a complete port scan on the system.
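As an added example that is not part of the original post, the Python below covers the two triage problems the thread works through: picking out a process that listens on ports the administrator does not recognise, and understanding why a directory named `CON` resists normal deletion. The port-viewer dump is constructed for this example (the column layout, PIDs and the other image names are assumptions); only `srvohk.exe` and ports 8000 and 43958 come from the post. The `\\?\` prefix is the Win32 mechanism that makes the path parser skip DOS device-name handling, which is the same effect the poster got from the RM utility.

```python
"""Triage helpers: unexpected listeners and reserved-name directories.

Added example, not code from the original thread. The dump format below is a
constructed export in the spirit of an "active ports" viewer: columns are
proto, local address, state, PID, image name.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample dump. srvohk.exe and its two ports are from the post;
# every other line, and all PIDs, are invented for illustration.
SAMPLE_PORTS_DUMP = """\
TCP    0.0.0.0:21       LISTENING    412   inetinfo.exe
TCP    0.0.0.0:80       LISTENING    412   inetinfo.exe
TCP    0.0.0.0:135      LISTENING    148   rpcss.exe
TCP    0.0.0.0:8000     LISTENING    976   srvohk.exe
TCP    0.0.0.0:43958    LISTENING    976   srvohk.exe
TCP    10.0.0.5:80      ESTABLISHED  412   inetinfo.exe
UDP    0.0.0.0:137      *            8     System
"""

# Ports an admin of a web/FTP box expects to see listening; the allow-list is
# an assumption for the example and would be built from the server's own role.
EXPECTED_LISTEN_PORTS = {21, 80, 135}


def find_unexpected_listeners(dump: str, expected_ports) -> List[Tuple[int, int, str]]:
    """Return (port, pid, image) for each TCP LISTENING socket not in expected_ports."""
    findings = []
    for line in dump.splitlines():
        parts = line.split()
        # Only TCP sockets in LISTENING state are candidates for a hidden server.
        if len(parts) < 5 or parts[0] != "TCP" or parts[2] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port not in expected_ports:
            findings.append((port, int(parts[3]), parts[4]))
    return findings


def group_by_process(findings) -> Dict[int, Tuple[str, List[int]]]:
    """Collapse findings to pid -> (image, sorted ports), so one rogue process
    listening on several ports is reported once."""
    grouped: Dict[int, Tuple[str, List[int]]] = {}
    for port, pid, image in findings:
        image_name, ports = grouped.setdefault(pid, (image, []))
        ports.append(port)
    return {pid: (image, sorted(ports)) for pid, (image, ports) in grouped.items()}


# DOS device names the Win32 path parser treats as devices in any directory.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_device_name(component: str) -> bool:
    """True if a path component is a reserved device name.
    The check is case-insensitive and ignores any extension ("con.txt" is CON)."""
    return component.split(".")[0].upper() in _RESERVED


def reserved_components(path: str) -> List[str]:
    """List the components of a Windows path that are reserved device names."""
    return [c for c in re.split(r"[\\/]", path) if c and is_reserved_device_name(c)]


def literal_path(path: str) -> str:
    r"""Prefix a drive-letter path with \\?\ so Win32 passes it through verbatim,
    without device-name parsing; this is what lets rd/DeleteFile reach a CON directory."""
    if path.startswith("\\\\?\\"):
        return path
    return "\\\\?\\" + path


if __name__ == "__main__":
    for pid, (image, ports) in group_by_process(
            find_unexpected_listeners(SAMPLE_PORTS_DUMP, EXPECTED_LISTEN_PORTS)).items():
        print(f"pid {pid} ({image}) listening on unexpected ports {ports}")
    stash = "E:\\RECYCLER\\S-1-5-21-713979624-1589857245-60295696-600\\CON\\COM1\\"
    print("reserved components:", reserved_components(stash))
    print("literal form for rd:", literal_path(stash))
```

Running the script on the constructed dump reports a single process owning both odd ports, which is the shape of finding the post describes; the path functions show that both `CON` and `COM1` in the uploaded-files directory are reserved names, and print the prefixed form that a Win32 delete call accepts.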