The only thing I saw that was out of the ordinary was 1- an empty folder in c:\winnt\system32 "rocket" and 2- Zone Alarm Pro showing port 1029 open, which I proceeded to block. Everything seems to function normally. I disabled the service and have not had any issues so far.

I can get into all the admin tools, group policies. I had made a copy of the reg before I physically plugged it into the router (actually, the switch connected to the router :), and the only changes I saw when comparing both regs seem to refer only to the apps that I installed after I connected. A sysedit showed nothing that seemed out of the ordinary.

I am kinda thinking I may have got lucky and caught it as soon as they attempted whatever they were attempting, since I was configuring everything when this happened. Of course, time will tell. It is a standalone server whose purpose is to demo a small part of a web app in design by our program department and to begin working with a web-based support app. I have a feeling I will now have a lot more work to do now, and a lot more questions for the group.

All the input was, again, much appreciated. This concludes this story, at least until tomorrow :)

Chris

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Aaron Dokey
Sent: Wednesday, September 11, 2002 12:41 PM
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: anyone know what mr2kserv service is?

The only help I can offer is this:
http://www.google.com/search?q=mr2kserv&hl=en&lr=&ie=UTF-8&oe=UTF-8&filter=0

Let us know how it goes. Regardless, your box now needs to be waxed and re-built. That's assuming it's an actual compromise.

Anything else funny? Any weird things showing up on the file system?

-Aaron

-----------------------
Aaron Dokey - MIS
Reid Tool Supply
2265 Black Creek Rd.
Muskegon, MI 49444
(231) 777-3951
(231) 767-3772 (Direct)
-----------------------

-----Original Message-----
From: Chris Ruggeri [mailto:CHRIS.RUGGERI@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 11, 2002 2:33 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: anyone know what mr2kserv service is?

Thanks Aaron....any additional info on this service and what they may have been attempting to do?....again, thanks in advance for the input.

Chris

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Aaron Dokey
Sent: Wednesday, September 11, 2002 11:50 AM
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: anyone know what mr2kserv service is?

<aol voice>You've got hackers!</aol voice>

-aaron

-----------------------
Aaron Dokey - MIS
Reid Tool Supply
2265 Black Creek Rd.
Muskegon, MI 49444
(231) 777-3951
(231) 767-3772 (Direct)
-----------------------

-----Original Message-----
From: Costanzo, Ray [mailto:rcostanzo@xxxxxxxxxxx]
Sent: Wednesday, September 11, 2002 1:50 PM
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: anyone know what mr2kserv service is?

A search for this process only turned up one valid page!
http://lists.insecure.org/incidents/2002/Jul/0095.html

Ray at work

> -----Original Message-----
> From: Chris Ruggeri [mailto:CHRIS.RUGGERI@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, September 11, 2002 1:42 PM
>
> Hi group,
>
> I am putting up a win2k webserver (1st time), got it up and running last
> night, was moving items via ftp to it for installation of what we need on it
> and had to change security on a couple folders. I was unable to get into the
> folder properties (nothing happened when I clicked on it). So I went into
> task manager, tried stopping any processes I could, still no luck, but saw
> that mr2kserv as a process. I went into services under admin tools, I saw
> smtp and worldwide web publishing services were hung (said starting on
> both....and event viewer told me each service hung). I was able to change
> the start up type to manual, reboot and then manually start these services.
> I had also disabled mr2kserv until I found out what it is. The properties
> now come up fine. I am currently installing sp3 and all the security
> updates (probably should have done that first :) ....I searched technet,
> microsoft, and found a couple topics on various search engines, one
> referring to an attack on their server, a couple referring to either
> macintosh print services or ftp services, and a couple that just had a list
> of services running and this one in the list. Any information on this is
> greatly appreciated. Thanks in advance for any help!
>
> Chris
>

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

==================================
To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm