Having some problems, need some advice
hey guys...
I have a problem. This isn't quite BT related, but in a way it is...
I have a dual boot system and a network of computers, most of the computers run XP with SP2 or SP3.
Only my system has BT4 installed.
The last few days have been hell: some moron hacked several of my sites by infecting one of the XP boxes on the network. I'm guessing the guy is just using Metasploit/SET to do a reverse TCP connection.
He managed to connect to one of those machines and has taken the admin passwords from that machine for one of the sites, and used that same machine to connect to the site so nothing would look irregular.
I'm looking to put an end to this menace. How can I find the payload, and how can I patch it?
This has been going on for several days now. I've detected several trojans on that machine and I have managed to delete them. However, on every scan I do after the successful deletion I keep finding that same trojan again.
The last time one of our websites was attacked, the attack came from Saudi Arabia and the hacker was spreading Islamic messages.
Frankly, I don't have anything against Islam, but there are other ways to spread such messages than this. This way they only provoke anger. Aside from the annoying music, which was also implemented in the defacement of the site, the whole thing was cleaned up quickly.
However, after patching the site and increasing the security measures on it our systems still remain the weakest link in the security chain.
I hope someone can help me with this nuisance. If this is posted in the wrong section please move it.
Thank you in advance.
Nusku Lu
Re: Having some problems, need some advice
There are some things you can do like:
1. Never use the same password for all things
2. System up to date
3. Up-to-date software (web server, database, etc.)
4. Good AV
I suggest you take down every website for now and do a fresh reinstall to make sure you get rid of all the malware.
Also, I noticed you said most computers are running XP SP2-3. Do you run your web servers on XP?
Re: Having some problems, need some advice
This is not really BackTrack related, you should be asking this in a forum focused on responding to computer security incidents - you will get more relevant help.
How you should best respond to this is going to be dependent on how defensible your network is right now. If you have all your machines unpatched, have performed no hardening, perform no network filtering or malware/intrusion scanning, and don't perform proper logging, you need to set all of that up before you have a hope in hell of efficiently responding to an incident. Implement a perimeter firewall that filters both incoming and outgoing traffic based on the principle of least privilege, proxy and perform application-level filtering on all potentially dangerous outbound protocols (e.g. http/s), rebuild all compromised machines (offline), harden, patch and install AV and local firewalls before putting said machines back online, change all passwords and then implement a proper logging and monitoring process. Then work out a process for responding to security incidents....
If your network is reasonably defensible, you need to perform an investigation to determine how the intrusion occurred. Without knowing this you won't know where the security holes are that allowed the attacker access. Unfortunately, I can't just tell you how to do this in a single forum post, because the process involves knowing common attack techniques, understanding where the entry points to your network are and knowing where to look for signs of an intrusion. A defensible network minimises the attack techniques that will work and provides an ability to easily identify how, when and where the attack occurred. Judging from your past history of pwnage, I doubt you actually have a defensible network yet, but it's something to aim for...
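As an added example (not part of the original thread or anyone's post in it), here is one small piece of the "egress filtering plus monitoring" the reply above describes, applied to the reverse TCP connection the original poster suspects: a script that reads `netstat -ano` output from an XP workstation, joins it to a PID-to-image map as `tasklist` would give it, and flags established connections leaving the LAN that either use a port the egress policy does not allow or come from a process that has no business talking to the internet. The netstat and tasklist data, the LAN range, the allowed ports and the list of expected client programs are all constructed or assumed for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed `netstat -ano` output from an XP workstation (sample data, not from the thread).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1046      192.168.1.1:80         ESTABLISHED     1576
  TCP    192.168.1.20:1052      203.0.113.45:4444      ESTABLISHED     1832
  TCP    192.168.1.20:1060      198.51.100.7:443       ESTABLISHED     2210
  TCP    192.168.1.20:1063      203.0.113.45:443       ESTABLISHED     2488
  TCP    192.168.1.20:1070      198.51.100.7:80        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` would report it (hypothetical).
SAMPLE_TASKLIST = {
    4: "System",
    924: "svchost.exe",
    1576: "iexplore.exe",
    1832: "svchost.exe",
    2210: "firefox.exe",
    2488: "notepad.exe",
}

# Assumed egress policy for this example: the local LAN, the ports a
# workstation needs to reach outside it, and the programs expected to use them.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
ALLOWED_REMOTE_PORTS = {80, 443}
EXPECTED_CLIENTS = {"iexplore.exe", "firefox.exe"}

Conn = namedtuple("Conn", "laddr lport raddr rport state pid")

# Matches the TCP rows of `netstat -ano`; UDP rows have no State column and are skipped.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return the TCP rows of netstat output as Conn tuples."""
    conns = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            laddr, lport, raddr, rport, state, pid = m.groups()
            conns.append(Conn(laddr, int(lport), raddr, int(rport), state, int(pid)))
    return conns


def is_internal(addr):
    """True if addr falls inside one of the assumed LAN ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious(conns, pid_to_image):
    """Flag established connections that leave the LAN and break the egress policy.

    Two independent checks, because a reverse shell can sit on an allowed port:
    1. the remote port is not one the policy allows, or
    2. the owning process is not one expected to talk to the internet.
    """
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED" or is_internal(c.raddr):
            continue
        image = pid_to_image.get(c.pid, "<unknown>")
        reasons = []
        if c.rport not in ALLOWED_REMOTE_PORTS:
            reasons.append("remote port %d not in egress policy" % c.rport)
        if image not in EXPECTED_CLIENTS:
            reasons.append("process %s is not an expected internet client" % image)
        if reasons:
            findings.append({
                "pid": c.pid,
                "image": image,
                "remote": "%s:%d" % (c.raddr, c.rport),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        print("PID %(pid)s (%(image)s) -> %(remote)s: %(reasons)s" % f)
```

On the sample data this flags the svchost.exe connection to port 4444 on both counts and the notepad.exe connection to port 443 on the process check alone; the firefox.exe session to port 443 and the browser session to the internal router pass. The point of the second check is that port-based filtering at the perimeter is not enough on its own: an HTTPS reverse payload looks like web traffic until you ask which process owns the socket, which is why the reply above pairs the firewall with proxying and host-level monitoring.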
Re: Having some problems, need some advice
At this point the best help you will probably get is advice to do a clean install; if you go the other way there is a big chance you'll miss something... What's more interesting is why on earth you have BT and didn't even bother pentesting yourself.