Someone got in, now what?
Hi, someone got in through an open RDP port (it was an error, actually), and I would like to know if there are free tools for finding out what they have done. I found that they used the FTP to store some Asian materials. But I also see some HTTP upload traffic from servers that do not host HTTP services. Also, is there a tool to see a changelog of the registries? Thank you,
August 10th, 2011 10:26am

I also ran anti-virus scans and took a look at the services and startup programs. Everything is clear... Is there anything else I should look up?
August 10th, 2011 12:07pm

Hi, did you enable any audit policy? If so, it would record relevant events in the security log. For more information, please refer to: Auditing Policy http://technet.microsoft.com/en-us/library/cc779526(WS.10).aspx
Regards, Bruce
August 11th, 2011 6:49am
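
An added example (not from any poster in this thread) of reading the Security log that the audit policy above produces: it counts RDP logon failures and successes (logon type 10) per source address from exported events. The tuple layout and the sample events are constructed assumptions; the event IDs are 528/529 on Server 2003 and 4624/4625 on Server 2008.

```python
import re
from collections import defaultdict

SUCCESS_IDS = {528, 4624}   # successful logon: Server 2003 / Server 2008
FAILURE_IDS = {529, 4625}   # failed logon: Server 2003 (bad user/password) / 2008
REMOTE_INTERACTIVE = "10"   # logon type recorded for Terminal Services / RDP

LOGON_TYPE = re.compile(r"Logon Type:\s*(\d+)")
SOURCE_ADDR = re.compile(r"Source Network Address:\s*(\S+)")


def rdp_sources(records):
    """Per source address, count RDP logon failures and successes.

    records: iterable of (timestamp, event_id, message), oldest first
    (assumed export layout, e.g. from a saved copy of the Security log).
    """
    stats = defaultdict(lambda: {"failed": 0, "failed_before_success": 0,
                                 "succeeded": 0, "first_success": None})
    for timestamp, event_id, message in records:
        if event_id not in SUCCESS_IDS | FAILURE_IDS:
            continue  # logoffs and other events are out of scope here
        logon_type = LOGON_TYPE.search(message)
        if not logon_type or logon_type.group(1) != REMOTE_INTERACTIVE:
            continue  # console, service and network logons are not RDP
        addr = SOURCE_ADDR.search(message)
        entry = stats[addr.group(1) if addr else "unknown"]
        if event_id in FAILURE_IDS:
            entry["failed"] += 1
            if entry["first_success"] is None:
                entry["failed_before_success"] += 1  # guessing that preceded access
        else:
            entry["succeeded"] += 1
            entry["first_success"] = entry["first_success"] or timestamp
    return dict(stats)


# Constructed sample events with documentation-range addresses.
SAMPLE = [
    ("2011-08-01T02:10:01", 529, "Logon Failure:\n\tLogon Type:\t10\n\tSource Network Address:\t203.0.113.7"),
    ("2011-08-01T02:10:05", 529, "Logon Failure:\n\tLogon Type:\t10\n\tSource Network Address:\t203.0.113.7"),
    ("2011-08-01T02:10:09", 528, "Successful Logon:\n\tLogon Type:\t10\n\tSource Network Address:\t203.0.113.7"),
    ("2011-08-01T08:30:00", 528, "Successful Logon:\n\tLogon Type:\t2\n\tSource Network Address:\t127.0.0.1"),
    ("2011-08-01T08:45:00", 538, "User Logoff:\n\tLogon Type:\t10"),
    ("2011-08-01T09:00:00", 4624, "An account was successfully logged on.\n\tLogon Type:\t\t\t10\n\tSource Network Address:\t198.51.100.20"),
]

if __name__ == "__main__":
    for source, entry in rdp_sources(SAMPLE).items():
        print(source, entry)
```

A source with failures followed by a first success is the pattern to look at first; the timestamp of that success bounds the window in which to review FTP, file and registry changes.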

Yes I had audit policies, and they did not change anything I was auditing.
August 11th, 2011 8:31am

Hi, the servers that were compromised are doing what seems to be DDoS on sites via port 80. Some are getting blocked by our firewall, but not all. I took a look at the services and programs running and found nothing suspicious... Does anyone have any idea how I can stop this? Thank you,
August 15th, 2011 10:08am

Format and reinstall the compromised system. If a hacker has installed some rootkit, you won't be able to find it and remove it. Also, consider updating your security policy and rules: it is not any single open port but several administrator's mistakes that would compromise the system.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
August 16th, 2011 3:17am

Hi, yes, that's what we will be doing. Also, an interesting note: the servers compromised are all 2003; the 2008 ones are untouched. Thank you,
September 7th, 2011 4:56pm
