[windows2000] Re: anyone know what mr2kserv service is?

  • From: "Chris Ruggeri" <CHRIS.RUGGERI@xxxxxxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Wed, 11 Sep 2002 16:29:40 -0600

The only thing I saw that was out of the ordinary was
1- an empty folder in c:\winnt\system32 "rocket" and
2- ZoneAlarm Pro showing port 1029 open, which I proceeded to block.
Everything seems to function normally. I disabled the service and have not
had any issues so far. I can get into all the admin tools, group policies,
had made a copy of the reg before I physically plugged it into the
router (actually, the switch connected to the router :). The only changes I saw
when comparing both regs seem to refer only to the apps that I installed
after I connected. A sysedit showed nothing that seemed out of the ordinary.
I am kinda thinking I may have got lucky and caught it as soon as they
attempted whatever they were attempting, since I was configuring everything
when this happened. Of course, time will tell. It is a standalone server
whose purpose is to demo a small part of a web app in design by our program
department and to begin working with a web based support app. I have a
feeling I will now have a lot more work to do now, and a lot more questions
for the group. All the input was, again, much appreciated. This concludes
this story, at least until tomorrow :)

Chris

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx]On Behalf Of Aaron Dokey
Sent: Wednesday, September 11, 2002 12:41 PM
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: anyone know what mr2kserv service is?



The only help I can offer is this:

http://www.google.com/search?q=mr2kserv&hl=en&lr=&ie=UTF-8&oe=UTF-8&filter=0

Let us know how it goes.  Regardless, your box now needs to be waxed and
re-built.  That's assuming it's an actual compromise.  Anything else funny?
Any weird things showing up on the file system?

-Aaron

-----------------------
Aaron Dokey - MIS
Reid Tool Supply
2265 Black Creek Rd.
Muskegon, MI   49444
(231) 777-3951
(231) 767-3772 (Direct)
-----------------------

-----Original Message-----
From: Chris Ruggeri [mailto:CHRIS.RUGGERI@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 11, 2002 2:33 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: anyone know what mr2kserv service is?



Thanks Aaron....any additional info on this service and what they may have
been attempting to do?....again, thanks in advance for the input.

Chris

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx]On Behalf Of Aaron Dokey
Sent: Wednesday, September 11, 2002 11:50 AM
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: anyone know what mr2kserv service is?



<aol voice>You've got hackers!</aol voice>

-aaron

-----------------------
Aaron Dokey - MIS
Reid Tool Supply
2265 Black Creek Rd.
Muskegon, MI   49444
(231) 777-3951
(231) 767-3772 (Direct)
-----------------------

-----Original Message-----
From: Costanzo, Ray [mailto:rcostanzo@xxxxxxxxxxx]
Sent: Wednesday, September 11, 2002 1:50 PM
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: anyone know what mr2kserv service is?



A search for this process only turned up one valid page!
http://lists.insecure.org/incidents/2002/Jul/0095.html

Ray at work

> -----Original Message-----
> From: Chris Ruggeri [mailto:CHRIS.RUGGERI@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, September 11, 2002 1:42 PM
>
>
>
> Hi group,
>
> I am putting up win2k webserver (1st time), got it up and running last
> night, was moving items via ftp to it for installation of what we need on it
> and had to change security on a couple folders. I was unable to get into the
> folder properties (nothing happened when I clicked on it). So I went into
> task manager, tried stopping any processes I could, still no luck, but saw
> that mr2kserv as a process. I went into services under admin tools, I saw
> smtp and worldwide web publishing services were hung (said starting on
> both....and event viewer told me each service hung). I was able to change
> the start up type to manual, reboot and then manually start these services.
> I had also disabled mr2kserv until I found out what it is. The properties
> now come up fine. I am currently installing sp3 and all the security
> updates (probably should have done that first :) ....I searched technet,
> microsoft, and found a couple topics on various search engines, one
> referring to an attack on their server, a couple referring to either
> macintosh print services or ftp services, and a couple that just had a list
> of services running and this one in the list. Any information on this is
> greatly appreciated. Thanks in advance for any help!
>
> Chris
>




==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm
