Dammmmm!!!!.. I think I got hacked

whutsupdoc


Master of my Domain
#1
My server was making all this damn noise, so I logged in and noticed in the event finder two new users: Anonymous and IUSR_8H1X53JKAMP ... the IP address was 218.249.58.225

HELP!!!!!!!!!!!!!

what can I do to trace or prevent this from happening!!!!

Plus there was this program called Site Help 5.5 installed on my computer/server with all these funny, possibly Chinese, characters. It was also giving a Windows error about some program called TaskCore.exe

:eek::eek::eek::eek::eek::eek::mad::eek::eek::eek:

I'm running Server 2003 with Terminal Server
 
whutsupdoc


Master of my Domain
#2
I also just discovered these 2 programs installed on my server:

Tomcat 5.5 and WinRAR (but this version has a bunch of ???? marks all over it)
 
Bink


Will moderate for food
#3
IIS Authentication Methods

Anonymous authentication gives users access to the public areas of your Web site without prompting them for a user name or password. When a user attempts to connect to your public Web site, your Web server assigns the user to the Windows user account called IUSR_<computername>, where <computername> is the name of the server on which IIS is running.

Are you intentionally running a web server?

Apache is an open source web server as well. Some applications, particularly open source ones, may install this to provide web-based services for those applications. WinRAR is just a file compression tool.

I suggest uninstalling anything that doesn't need to be installed (which is good practice on a server). After that, run a virus scan.

If that comes up clean, you may try another virus scan (perhaps the free online Kaspersky one). If that's all clear, then everything is fine, for now.
 
Bink


Will moderate for food
#4
Just to clarify, the link (and quote) I posted above suggests that those new user accounts you've discovered are perfectly normal for an IIS server running in Anonymous authentication mode.
 
whutsupdoc


Master of my Domain
#5
No.. I'm using the server for my database, thus the need for terminal server/services.. no way am I running a web server

I'm running Kaspersky right now and it found "Trojan-Clicker.win32.agent"

It's still running.... I'm super pissed right now.

I didn't have any issues until my database company installed a new program/database onto my system using LogMeIn
 
