I found a whole lot of instances of CMD.EXE running on the server recently.
I used the kill command to kill them and found that a script called u.pl was
On looking at the perl script (u.pl) it has a reference to the following
Which is a section of the site about the Web Server Folder Traversal
I installed this patch but the hacker continues to get onto my machine. He
copies his scripts into the C:\Perl\Bin directory and can create directories
there. He has left a message saying that he could delete my hard drive if
he chose, and I don't know if that is an empty threat because he seems to
be able to run command line commands, so theoretically he could run format
I must admit our server was woefully out of date with the security patches
and I have just applied a few that seem relevant, but I can't stop them
getting in! I don't even want to kill their current programs in case they
retaliate by taking down the server.
So the symptoms are that I see CMD.EXE running when it shouldn't, and there
are a collection of Perl scripts in C:\Perl\Bin. I have had a brief look at
them and they seem to allow the hacker to run command line scripts; at one
stage there was a file with a list of IPs... Help, I need to secure my server.
Please, any help would be much appreciated.