been hacked, tlntsvr.exe cannot be shutdown

September 13, 2004 5:22:44 PM

Archived from groups: microsoft.public.win2000.security

Hi,

I found 27 Gig of movies and games on my server today.
I was able to expunge them, although they were very
sneaky and clever about changing ownership and
permissions (they were hidden in RECYCLER folder).

But after running AV software and updating Win2k Server
to SP4 with all the latest updates, I still see a connection in
netstat that looks like hackers (note the Poland URL) and
cannot stop tlntsrv.exe (the Telnet Services manager opens a
window, which immediately shuts; access denied from Task
Manager).

Any idea how to kick out the intruder?

Active Connections

  Proto  Local Address               Foreign Address                             State
  TCP    chinabilling2:microsoft-ds  dpc691943014.direcpc.com:33744              ESTABLISHED
  TCP    chinabilling2:microsoft-ds  host45-168.pool80181.interbusiness.it:4073  ESTABLISHED
  TCP    chinabilling2:microsoft-ds  beg251.neoplus.adsl.tpnet.pl:3118           ESTABLISHED
  TCP    chinabilling2:2121          pD9EE0561.dip0.t-ipconnect.de:3962          ESTABLISHED
  TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4110          TIME_WAIT
  TCP    chinabilling2:6620          pD9EE0561.dip0.t-ipconnect.de:4124          TIME_WAIT
  TCP    chinabilling2:6621          ACB59020.ipt.aol.com:2921                   ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3918          ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3922          ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3970          ESTABLISHED
  TCP    chinabilling2:6621          pD9EE0561.dip0.t-ipconnect.de:3989          ESTABLISHED
                                     chinabilling2.POP.local:microsoft-ds        TIME_WAIT

Jerry
September 13, 2004 7:28:55 PM


Thanks, especially to Steven.
Jerry

Anonymous
September 13, 2004 8:29:06 PM


The only reliable method is to rebuild your system from scratch.
It could also be the fastest - since poking around trying to figure
out all that they have done can take quite some time, and still
leave you open. They likely installed several routes into your
system.
-sorry.


"Jerry" <anonymous@discussions.microsoft.com> wrote in message news:16e101c499cf$6d614df0$a501280a@phx.gbl...
September 14, 2004 1:38:44 AM


step 1: unplug the network cable or phone line
step 2: format C:
step 3: reinstall, do all patches, install firewall, install av.
step 4: reconnect to internet and resume normal operation

"Jerry" <anonymous@discussions.microsoft.com> wrote in message news:16e101c499cf$6d614df0$a501280a@phx.gbl...