"joseph.rosario@gmail.com" <joseph.rosario@gmail.com> writes:
> Every month I am finding either one or two services that are hack
> services. I delete the files and clean the service in the registry,
> then between 1 and 3 months later a new hack is on my server. I have
> Symantec 10.2 and Symantec for Exchange and a Barracuda on the outside
> of my network. Can anyone help to find the root of this issue? I use
> the normal tools like RootkitRevealer and aports for scanning my
> ports, but still they get in. I check my server a few times a day and
> usually I catch it within a day, but that might be too late. My updates
> and patches are up to date. I am running SBS 2003 SP2 and Exchange
> 2003 SP1.
Hi Joseph,
Sorry to hear of your struggles. You need to follow the standard
procedure for recovering from a malware infection:
o remove the box from the network
o pull data off to another device and/or image the drive
(including slack space) for later reference or a forensic
analysis
o repartition, reformat and reinstall the OS from original
media
If you want a root cause (or as close to a root cause as you'll get,
depending on the attacker's skill), engage a security firm to do
forensic analysis of the box. This is also sold as "incident
response" service. It's not cheap.
Trying to patch/remove things flagged by a commercial product is like
trying to use a band-aid to cure skin cancer, I'm afraid. You have no
way of knowing you got everything.
Best Regards,
--
Todd H.
http://www.toddh.net/
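An added example, not part of Todd's reply or the original thread, for the "image the drive" step above: the box is booted from a Linux live disc and the whole disk (not a partition, so slack and unallocated space come along) is copied raw with dd, with a SHA-256 recorded at acquisition time so the image can be shown unchanged when it is later handed to an incident-response firm. `/dev/sda`, the `.sha256` sidecar file names and the 1 MiB constructed "drive" used in the demo are assumptions for illustration; on the real SBS box SRC would be the block device.

```shell
#!/bin/sh
# Added example, not from the original thread: raw-image a drive from a
# Linux boot disc and record hashes so the image can be verified later.
# SRC would normally be a block device such as /dev/sda (assumed name);
# a constructed file stands in for the drive below so this runs offline.

hash_file() {
    # sha256sum on Linux, shasum on BSD/macOS; print the digest only
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_drive SRC DEST: byte-for-byte copy of SRC into DEST, plus the hash
# of each written beside the image. conv=noerror,sync keeps dd going past
# unreadable sectors and zero-fills them, so offsets in the image stay true.
# bs=512 matters: sync pads a short final block up to bs bytes, and 512
# divides any disk size, whereas a "fast" bs=4M may not and would leave
# the image larger than the drive (and the hashes disagreeing).
image_drive() {
    src="$1"; dest="$2"
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null
    hash_file "$src"  > "$dest.source.sha256"
    hash_file "$dest" > "$dest.image.sha256"
}

# verify_image DEST: prints "ok" when the image still matches the hash of
# the drive taken at acquisition time, "mismatch" (and returns 1) otherwise.
verify_image() {
    dest="$1"
    recorded=$(cat "$dest.source.sha256")
    current=$(hash_file "$dest")
    if [ "$recorded" = "$current" ]; then
        echo ok
    else
        echo mismatch
        return 1
    fi
}

# Demo on a constructed 1 MiB "drive": 2048 sectors of random bytes.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/drive.bin" bs=512 count=2048 2>/dev/null
    image_drive "$work/drive.bin" "$work/drive.dd"
    verify_image "$work/drive.dd"
    rm -rf "$work"
}

demo
```

Keep the two `.sha256` files with the image (and a note of who took it, when, and from which machine); they are what lets a forensic analyst treat the copy as evidence rather than just a backup. The box itself stays off the network until the rebuild from original media is done.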