Compatible Support Forums
Covani

Hacked on Windows 2003 server because of MySQL installation?


Hello,

 

I installed MySQL and phpMyAdmin on my Windows 2003 Standard server yesterday. I entered a root password and successfully created some databases. I also installed PHP 4 on the server.

 

Today I had a big problem on my server, because all the files starting with 'user' were deleted (users.dat, users.mdb, user.frm etc.). The mail server didn't work anymore because of a missing file named users.dat, etc.

 

After that I tried, but I wasn't able to create any files starting with 'user'. I tried on the command prompt, but cmd.exe had changed to the Windows 2000 Polish version. If I typed 'ver' on the command line, I got Windows 2000 Server etc., with some Polish words.

 

 

Microsoft Windows 2000 [Wersja 5.02.3790]

© Copyright 1985-2000 Microsoft Corp.

 

C:\Dokumente und Einstellungen\Administrator>

//

C:\Dokumente und Einstellungen\Administrator>dir

Wolumin w stacji C: Mom

Numer seryjny woluminu: 78BA-92E9

 

Katalog: C:\Dokumente und Einstellungen\Administrator

 

I thought the server was hacked. Symantec AntiVirus Corporate was up to date, but I think it was caused by the new MySQL installation and I did something wrong.

 

Now I have scanned the server with Symantec again, but nothing was found. I still can't create files/folders starting with 'user', and reinstalling MySQL doesn't work either.

 

There's also a .bat file in c:/windows:

nvsvc.exe /install /silence

net start R_Server

etc..

 

Do you have any idea about the issue, or did you hear of something like that?


Your system is infected by the famous W32/Agobot-EL worm. You will need to go into your registry and edit the following:

Locate the HKEY_LOCAL_MACHINE entries:

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Generic Service Process = nvsvc.exe

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

Generic Service Process = nvsvc.exe

 

and delete them if they exist.

 

Then, go to the Hosts file, usually located at <WINDOWS>\System32\Drivers\etc\HOSTS

There will probably be a number of entries, mostly anti-virus addresses, so that your browser won't access them.

 

You can try this first. It is the least invasive. But, to be honest it looks like you have actually been hacked and your computer is owned by someone else. The only sure way to get it back is to reformat and clean install your operating system.

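A scripted version of the "least invasive" check in the reply above, added here as an example and not from the thread: it works offline on a text dump of the Run/RunServices keys (assumed to be in `reg export` syntax) and on a copy of the HOSTS file, and flags the two indicators the reply names. The anti-virus vendor name list and all sample input are assumptions constructed for illustration.

```python
import re
# Indicators quoted in the reply: autostart value name and binary.
SUSPECT_VALUE_NAME = "generic service process"
SUSPECT_BINARY = "nvsvc.exe"
AUTOSTART_KEYS = (r"\currentversion\run", r"\currentversion\runservices")
# Vendor names the worm is said to sink in HOSTS; this list is an assumption.
AV_DOMAIN_HINTS = ("symantec", "sophos", "mcafee", "kaspersky", "trendmicro")

def find_autostart_hits(reg_export):
    """(key, value_name, data) triples in Run/RunServices that launch nvsvc.exe."""
    hits, key = [], ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # new key header
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)            # "Name"="data"
        if not m or not key.lower().endswith(AUTOSTART_KEYS):
            continue
        name, data = m.groups()
        if name.lower() == SUSPECT_VALUE_NAME or SUSPECT_BINARY in data.lower():
            hits.append((key, name, data))
    return hits

def find_hosts_blocks(hosts_text):
    """(ip, host) pairs that point an AV-vendor hostname at loopback or 0.0.0.0."""
    blocked = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()               # strip comments
        if len(parts) < 2 or parts[0] not in ("127.0.0.1", "0.0.0.0"):
            continue
        for host in parts[1:]:
            if any(h in host.lower() for h in AV_DOMAIN_HINTS):
                blocked.append((parts[0], host))
    return blocked

# Constructed sample input in `reg export` and HOSTS syntax (not real captures).
SAMPLE_REG = '''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Generic Service Process"="nvsvc.exe"
"VMware Tools"="C:\\\\Program Files\\\\VMware\\\\VMwareTray.exe"
'''
SAMPLE_HOSTS = '''127.0.0.1 localhost
127.0.0.1 www.symantec.com liveupdate.symantec.com   # vendor sites sunk
'''
if __name__ == "__main__":
    print("autostart:", find_autostart_hits(SAMPLE_REG))
    print("hosts:", find_hosts_blocks(SAMPLE_HOSTS))
```

Run it against `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.txt` output and a copy of the HOSTS file; an empty result does not prove the box is clean, which is why the reply still recommends a reinstall.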

Hi Sampson,

Thank you for your reply. I was looking for the worms the whole day. You are right, the server is infected with a worm.

If I check netstat in cmd, I can see some ports open and listening by com.pl addresses.

But I don't understand how it got infected. It's possibly because of the MySQL installation; at the beginning I entered 123456 as the password, but that was only for a short time.

So I will have the system reinstalled and look now for more security besides Symantec Corporate.

 

Do you have any suggestions for a good firewall for Windows Standard Server 2003?


Sygate makes a good firewall; the one that most people like is ZoneAlarm. eTrust EZ Armor makes a good firewall also.


Sygate makes a good firewall for Windows. I use Tiny Personal Firewall now because Sygate wouldn't work quite right with connected VPN clients. Tiny is much harder to configure though.
