
IRC backdoor trojan.

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=9105
Printed Date: 29 March 2026 at 10:53am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: IRC backdoor trojan.
Posted By: Badaboem
Subject: IRC backdoor trojan.
Date Posted: 21 January 2004 at 10:29am

I've tracked a trojan on my server after I noticed some warez being uploaded in an upload folder + they removed a couple of maps in order to create space for their own stuff.

The trojan works as a backdoor and opens a port. Then it runs an ftp like server that enables the user to delete, create and upload/download files and maps. At the same time it tries to connect to irc as a bot.

I have their irc channel and I can see other hacked servers in there. Is there any way some higher authorities can be informed of this? If possible I would like the ''hackers'' to be tracked down and possibly prosecuted.

A note: C:\WIN\system32\rpcxserv.exe is the backdoor trojan file and is run as a service listed under RPC Interface. When I try to find this file it simply doesn't exist, but it does run and does open the port again after enabling the service.

I've set view all hidden files etc in the map options of Windows 2003. Is there any way this file can be deleted? I've searched Google, but none of the virus scanning companies list this file, nor does Norton Corporate Antivirus find this trojan. I've seen around three other cases of infected servers on Google, but they didn't mention any of this that could help me out.

For now I've just disabled the service, and the open port is gone... but I do want to delete these malicious files.




Replies:
Posted By: Semikolon
Date Posted: 21 January 2004 at 10:34am
hmmm.. talk with your local police.. they should be able to help you


Posted By: Badaboem
Date Posted: 21 January 2004 at 10:40am

I don't think the local police could do anything here. They lifted their shoulders when a bike of 2000 euro was stolen from my hallway, although there were rules to investigate a theft if the item was stolen from an enclosed area.

But anyways...I'll inform and see if they have something for internet crimes.

Any advice on those hidden files is welcome.



Posted By: Semikolon
Date Posted: 21 January 2004 at 10:51am

they should be able to tell you what to do with the hackers..

 

but that file.. i cant find it on my system..



Posted By: Badaboem
Date Posted: 21 January 2004 at 11:08am

Be glad you can't find it. It boots the ftp and creates the open port. I don't know how this ended up on the server. Might have been software, or the internet itself.

I managed to delete it by using the search option of Windows Explorer. I didn't know it doesn't search for hidden files by default, although I've set map options to include hidden files. Bit confusing.

Other part of the trojan where you can actually see some server logs and the irc channel.

SUBOT.INI 

[SERVER]
HookLoginMsg=1
LoginMsgFile=default.txt
[BOT]
BotActive = 
Log=1
IrcServer = irc.secsup.org
Channel = #eklips-bots
 
ChannelKey = inYourAssBaby
IrcPort = 6667
IrcPassword =
Nick = ` 
AltNick = _
UserName = 
CmdPre = !
LogFileName = .log
ServerComment = EkliPs RePreSenTs
JoinNotice = Bienvenue parmis Nous - Remember... We 0WnZ U - EklipS RePreSenTs
OnJoinMsg = "1 =  UP !! EkliPs RePreSenTs = "
[SFV]
sfvactive =1
sitename =
status_bar=dir
createmissing=1
createprogress=1
progress_bar=[incomplete]-[%s Done]
echo del_progress_bar=[incomplete]-[
echo complete_bar=[%s]-[Complete %s File(s) (%s Mb) @ %s Kbps by %s]

[ADVANCED]

msg_Login =|========================================================== ========\n|     (¯`·.¸¸.·´¯`·.¸¸.·´¯`·. -= EkliPs Server =- ¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯)|\n|================================ ==================================|\n|\n| Vous vous connectez depuis %IP\n| Heure locale:  %time, \n| %u24h users ont visité ce stro les dernieres 24H\n| Le server est ouvert depuis \n| %ServerDays Jours, %ServerHours Heures, %ServerMins Mins, %ServerSecs Secs \n|========================================================= =========\n| Nombre de personnes loguées depuis le depart:   %loggedInAll total\n| Utilisateurs connectés:     %Unow\n| Total Kb downloadés:     %ServerKbDown Kb \n| Total Kb uploadés:       %ServerKbUp Kb\n| Nombre de fichiers downloadés:  %ServerFilesDown \n| Nombre de fichiers uploadés:    %ServerFilesUp\n| Vitesse moyenne: %ServerAvg Kb/sec\n| Vitesse en cours: %ServerKBps Kb/sec| Espace libre:   %DFree MB\n|\n|==================================================== ==============|\n
msg_new = "New [1 %s ] By 12 %s"
msg_newL = "New [1 %s ] [1 %s ] By12 %s"
msg_deleted = "4Deleted [1 %s ] By12 %s"
msg_deletedL = "4Deleted [1 %s ] / [1 %s ] By12 %S"
msg_complete = "Complete [1 %s ] (1 %S Mb )  By12 %S in %s at [1 %S  Kbps ]"
msg_completeL = "Complete [1 %s ] [1 %s ] (1 %S Mb ) By 12 %S in %S at [5 %S Kbps ]"
msg_halfway = "HalfWay [1 %s ] (1 %S Mb)  By 3%S in %S at [5 %S  Kbps ]"
msg_halfwayL = "HalfWay [1 %s ] [1 %S ] (1 %S Mb ) By12 %s in %s at [5 %S Kbps ]"
msg_bw = "Current bandwidth usage : (5 %s KBps) @ [%s] Uploads (5 %S KBps) @ [%s] Downloads"
msg_who ="List of current Uploads/Downloads"
msg_users = "4There are currently no users online"
msg_notactive = "4 %s not active or is not logged in"
msg_downT ="List of current Downloads"
msg_down = "12 %s is Downloading : %s at [5 %s KB/s ]"
msg_nodown = "4There are currently no downloads"
msg_noup = "4There are currently no uploads"
msg_up = "12 %s is Uploading : %s at [%s KB/s]"
msg_upT="List of current Uploads"
msg_speed="List of current Uploads/Downloads for user :12 %s"
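
Added example (not part of the original thread, and not the poster's code): the [BOT] section of the SUBOT.INI above names the IRC server, port and channel the backdoor connects to, so it can be parsed into indicators and checked against outbound connection logs to find other affected machines. The log lines and their format are constructed for illustration; the function names are hypothetical.

```python
import configparser

# Excerpt of the SUBOT.INI posted above (values exactly as posted).
SUBOT_INI = """\
[BOT]
BotActive =
Log=1
IrcServer = irc.secsup.org
Channel = #eklips-bots

IrcPort = 6667
Nick = `
[SFV]
progress_bar=[incomplete]-[%s Done]
echo del_progress_bar=[incomplete]-[
"""

# Constructed egress log (format is an assumption):
# timestamp, source IP, destination host, destination port.
EGRESS_LOG = """\
2004-01-21T10:02:11 10.0.0.5 www.example.com 80
2004-01-21T10:02:40 10.0.0.7 irc.secsup.org 6667
2004-01-21T10:03:02 10.0.0.9 IRC.SECSUP.ORG. 6667
2004-01-21T10:03:30 10.0.0.5 irc.secsup.org 80
malformed line
"""

def load_subot(text):
    # interpolation=None: the %s placeholders break default interpolation.
    # delimiters=("=",): other values in this file contain ':'.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                    strict=False)
    cfg.read_string(text)
    return cfg

def c2_indicators(cfg):
    bot = cfg["BOT"]
    return {"host": bot["IrcServer"].lower(),
            "port": int(bot["IrcPort"]),
            "channel": bot["Channel"]}

def hosts_contacting_c2(log_text, ioc):
    hits = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not fit the assumed format
        _, src, dst, port = parts
        # Hostnames are case-insensitive and may carry a trailing dot.
        if dst.lower().rstrip(".") == ioc["host"] and int(port) == ioc["port"]:
            hits.add(src)
    return sorted(hits)
```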



Posted By: Badaboem
Date Posted: 21 January 2004 at 11:14am

And a note for those who have Norton Antivirus Corporate Edition installed on their servers. Find something else as this program clearly doesn't do what it's supposed to do.

I had to delete two trojans manually, one being listed as Back orifice and one as fxSVC. Both not detected by Norton, even after pointing it to the correct map where the trojan files were located. Latest virus pattern etc installed.



Posted By: TYSON
Date Posted: 22 January 2004 at 6:49pm
I'd be more worried about how they got it there in the first place.

-------------
http://www.fuo-motorsports.com/ - http://www.fuo-motorsports.com/


Posted By: WebWiz-Bruce
Date Posted: 23 January 2004 at 4:52am
I get around 30+ viruses in emails to me at the site each day (today so far it's around 45) and found that not only does Norton slow down the computer a hell of a lot more than it should, it also lets viruses slip through undetected. McAfee I found also let viruses through.

The only virus software that I have found that works 100% for me is Trend Micro Internet Security (formerly PC-cillin). They do a server version called PC Protect.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: dpyers
Date Posted: 23 January 2004 at 7:53pm
People running their own iis servers should also check out the iis lockdown tool at microsoft.com.

-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: Mara_-
Date Posted: 28 January 2004 at 2:39am

do u think that local police can help us with hackers? ja ja ja

 



Posted By: Semikolon
Date Posted: 28 January 2004 at 4:52am
not them alone, but they could pass it further on.. or tell you where to go..


Posted By: Mara_-
Date Posted: 29 January 2004 at 2:56am
im with u


Posted By: pmormr
Date Posted: 30 January 2004 at 8:26pm
i had an interesting one a little while back... my computer was trying to dial out to a remote site (turned out to be someone's computer) and would try to download a w32.nuke type virus... i just disabled the modem

-------------
Paul A Morgan

http://www.pmorganphoto.com/


Posted By: huwnet
Date Posted: 01 February 2004 at 11:15am
Can you get a free IRC server program for windows?


Posted By: Semikolon
Date Posted: 01 February 2004 at 11:20am
IRC Server or IRC Channel Bot?


Posted By: huwnet
Date Posted: 01 February 2004 at 11:21am
IRC server
What is a channel bot anyway?


Posted By: Badaboem
Date Posted: 07 February 2004 at 12:29pm

a channel bot is simply a realtime bulletin board. It can place triggers on an irc channel, for example if you click "!find movies" it will search for movies on a server etc. etc. etc. etc.



