so for the last 3 or so weeks My server has been hit with unknown people setting up user accounts on win xp, I delete user and a few days to a week latter a new user account s set up.
is it a virus? is a script, that sets up the account?, and then reports back to owner, I used those scripts before on win2000…
anyways thanks for the help…
and no I have no firewall, with my sever what firewall would be good to use…
sounds more like a rootkit to me
Also make sure all yer logs are on so you can look see wtf is going on, start doing a rootkit and virus scan and start going through yer logs
You’re using Windows XP as a server?
I;m sure thats what I said in the first post, LOL
thanks ChrisJ will do that too…
Wait, you’re using XP for a server, without a firewall 
Seriously, what kind of server, and why would you use XP and not something else?
Now tell me it has a real IP too
XP is just not meant to be a server, certainly not out there on the real internet. There are too many holes that are way to easily exploitable. Especially if you also use the server for other purposes – ie: do you use it to surf the web?
Boot up with a livecd and check for rootkits. If accounts are being created on your computer, then you can bet they’ve left a rootkit behind.
yes MiG, I have been using Xp as my server for more then 4 years, with out too much problems…
I don’t care if its not proper, 
Im not going to buy 2000 server or have the time to learn Linux. 
I have had no real problem running Apache webserver on XP, I understand that Xp has holes I also understand that almost every type of server has holes.
So thanks for the info about rootkits so far nothing has come up. looks clean will install a firewall that I can port forward…
again thanks for the info guys… 
You don’t care if it’s not proper, yet you’re asking why accounts are being created on your server?
You don’t see the disconnect there? XP isn’t meant to be a server. If you’re going to run it as a server, you’re going to have problems.
[quote]
I have had no real problem running Apache webserver on XP, I understand that Xp has holes I also understand that almost every type of server has holes. [/quote]
You understand that almost every type of server has holes, yet you don’t want to take the time to learn Linux or BSD or anything else, yet you “understand” this?
I don’t get it.
Don’t run it on XP. Your system is obviously compromised. Time to format!
If it’s clean, then why are accounts being created?
You come home from work one day and you find that somebody’s been in your house, and they’ve stolen some stuff, wrote on your walls, etc. You look around the house, but can’t find anybody. You ask people for help, they say “put a lock on your door” and you say “but I haven’t had a lock on my door for years and it’s been fine. Besides, there’s nobody in my house now, so why should I worry?”
Seriously, they’re in your computer.
Wellcome to the internet…muhahaha! Astro, not trying make a fool of you, neither is mig, you really need to listen to whats being said to you, just because you aint finding it means nothing, it means he’s good, alot better than you and you will never find it, he has more access than you do at this point, things can get worse, like the fbi knocking at your door accusing you of running a kiddie porn ring, have a laugh…it happens. Its apparent you do not fully understand what a rootkit is and does, the days of you having root access on yer own box are over, period. There is most likely a ton of other shit going on you have no clue about, they arnt going to all this trouble for no reason. dont feel too bad, we were all baptized by fire, rather than see it as you been fucked over, look at as someone has given you the oppertunity to learn how to secure a server, and what a server is and should be, in the nd you will know these things, yer brain will hook up a few more connections, and you will be smarter because of it, it aint all bad. Getting a proper os isnt all that hard, I, and I am sure mig would help you set it up as needed.
if one is really paranoid about the possible badware contents of your hard drive, you can try Boot Nuke
search up DBAN in Google
Okay, astrothug. It is up to you. Your computer does not belong to you anymore. As ChrisJ and MiG mentioned the evidence points to the conclusion that your unit has been penetrated by a hacker. In my opinion you should:
1. Format your HD.
2. Install a good server OS. There are a few user-friendly versions of Linux that will guide you through server set-up. Both Ubuntu and Mandriva provide free-of-charge operating systems that will be secure by default.
3. Learn about server security. Protect yourself.
P.S. A firewall is too little, too late. He is aware that you know he is in your server** (he is showing you new user accounts)**. I would be worried about what he is doing!
He has most likely set-up a back door into your system. In other words, he has complete access to your system (you are owned). I would also cancel your credit cards and get new ones if you buy products on-line. Perhaps you should also contact your bank if you do on-line banking.
thanks guys i do understand th gravity of this situation i have taken the computer offline moved my server off and some files, I’m looking at a proper server os,
MiG and ChrisJ thanks for making it clean to me, I’m no tech savant , like you guys are and learning a new OS will be a taunting task.
its bad enough it took me a few years to figure out apache, mysql and some basic php, so i would have to dump my mysql data files and learn to install the on a different os, this all comes natural to you guys but for some of us its a learning curve that is a bit steep.
so anyways server is off line and hard drive getting a new format…
anything else I should now?
so im looking at Ubuntu Server Edition, I’m going to install on my laptop and see if I can move my server to it…
I should be up and running in a few months… LOL…
You could be back up and running in a day.
Ubuntu server has a built in “Install LAMP” option that adds Apache, PHP, MySQL and all the dependencies. If you want the desktop, once you’re up and running type
sudo apt-get install ubuntu desktop
then install Webmin, a very easy way to set up your webserver
and if it isn’t already there phpmyadmin to run the SQL
If you really want to learn some step-by-step check out howtoforge.com, but they try to steer you to add ISPconfig, which isn’t needed and I haven’t had good experiences with.
[quote] Seriously, they’re in your computer.
[/quote]
Obligatory:
I can haz your computer…?
Or
We’re in ur computer, watchin’ u type…
so if my other xp machines have this problem in the future. i should format asap. regardless if its a server or not…
my other comps are behind a hardware firewall. going to install linux on the laptop and play with setup xamp setup…
thanks
Two ways you can just play with ubuntu without installing it:
or
go easy on yourself, I cannot speak for mig but I am no figgin genius, i can guarentee you that much, what i know has come from twenty years of constant learning, we are not smarter than you, we have just put time into learning this crap while everyone else was out having a life, its a trade off, I am just learning to balance it between a social life.
And all this time, i thought you had no life 
Well said tho chris.
Astro, you should learn linux a little more before using it as a server os, id hate to see you throw all this time into a linux server to have it running then some one hack it and you loose every thing.
Don’t feel bad, astro:-) My first server got hacked by some miscreant about 5-6 years ago. The SOB even let me know that my unit was doomed…he posted his user name on my desktop. Your post reminds me very much about my encounter with a bad-ass hacker.
Everything that I’ve learned has been through the many mistakes that I have made. I’m not an expert. We learn by doing. You are on the right track by trying out Ubuntu as it is based on Debian Linux ( a bullet-proof OS).