If it was from the servu bug they also probably uploaded a trojan and password cracker, there may be another version of SERVU installed. We had a test server hacked about two years ago. I upgraded to the latest versio of serv-u and they were still in the box using the hacked version they uploaded and were running on a different port. Also look for key logging utilities, and they may have hacked your admin password.
Your best bet is to make shure the machine is clean of trojans/keyloggers/alternate FTP then change all Windows passwords. Have the machine disconnected from the internet while cleaning it. It took me 8 hours to clean everything off the server when we were hacked two years ago, it would have been faster on the test server to just re-format and reinstall. but it was a test machine and I looked at ti as a learing experience. Kevin Bilbee > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of john cesta > Sent: Tuesday, January 04, 2005 11:06 AM > To: Bill Landry > Subject: [IMail Forum] hacked by tugr@ > > > > > > > Has anyone heard of this one? > > What they do is to copy: > > index.php .cfm .htm .html .asp > default.php .cfm .htm .html .asp > > to the root folder of every web site. > > I can't find much on it on the web. I thought I had figured it to > be an old servu ftp server hack so I upgraded about 3 weeks ago > but today upon reboot it happened again. > > I have a fully patched win2k server > > > Thanks > > > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
