Hacked network

Original Message
Name: brokencrow
Date: February 2, 2005 at 18:58:32 Pacific
Subject: Hacked network
OS: Win2K server
CPU/Ram: Dunno...
Comment:

Had a big networking outfit come in and put in a new server at our company (one server, 12 desktops). The boss had them migrate W2K Server from the old server to the new one, including the old ISA firewall. The server also functions as a proxy & a gateway (it's got two NICs). I'm the in-house support guy.

Things were ok for a couple of weeks and then we had a few problems with the server. Various .exe files issued memory address errors and a couple of printers would go offline, making themselves unavailable to the desktops.

We had the networking company come back out, they explained that the ISA 2000 firewall was old tech and the server had been hacked. They cleaned things up a bit and installed a Cisco Pix firewall. It was VERY expensive, and my sense is they should've put us in the Pix to begin with.

Now we got hit with both Netsky and Bagle viruses on two machines. I shook those down using RAV's online virus scan, downloaded Symantec's virus removal tools and thought I had everything cleaned up (also scanned the server). But today, I was still getting odd emails from our network that had .cpl attachments, typically viral, but in this case null (0 bytes) files.

Any thoughts on how to proceed? I'm thinking of running RAV's online scan on everything come Saturday when it's slow. This networking outfit put us in CA's network antivirus software over a year ago, and apparently put it on the new server, but I'm guessing it's not set up right, so I'll probably wade into that too. I hate to call these guys because it's $2000 every time they send a couple of guys out for half a day on short notice, and they don't tell us anything. I'd like to at least be grounded enough in our problem that I can double-check their work.

Should I be checking for files on the server like netcat or some other remote access stuff that an AV program would miss? I'm familiar with Ethereal; though it would be some work, could I put that on the network and track down these rogues?

Thanks.




Response Number 1
Name: Yabut
Date: March 2, 2005 at 22:17:38 Pacific
Reply:

If I were you I would insist on evidence that it had been hacked.
How did they come to that conclusion?

If they are setting up everything they SHOULD have known whether it was compatible or not and, if so, advised you. If the boss then said "tough, I want it", it's your fault; if not, it's their fault. Make 'em fix it for free.
Somebody's butt will be kicked.

I'd guess you might even have a combo problem. My first thought was that a particular user has an infected PC. Parse some of the email headers and see what you come up with.
It's worth a shot and doesn't take much time.

There ARE infections that persevere even after formats. They are very high tech but they exist. Was there no evidence of any security problem BEFORE the new system?

What you got sounds like what my mechanic tells me.. first I need a tune up.. then when the car screws up he says .. oh... the engine couldn't handle this or that, you need a new...........$$$$$$$$$$$$$

Techs are worse than mechanics. One here in my town just charged a guy $65 to turn up his master volume and another guy $85 to empty his recycle bin 'cause his PC was so bloated.

A computer is a perfectionist's nightmare.


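The header-parsing step Yabut suggests, as an added example that is not part of the original thread or anyone's posted code: a Python script that walks the Received chain of a suspicious message to find which internal machine handed it to the company mail server, and flags the kind of executable attachment brokencrow describes (the empty .cpl file). The sample message, the host names, the addresses and the relay name `mail.example.local` are all constructed for illustration; the list of risky extensions beyond .cpl and .exe is my addition.

```python
import email
import os
import re
from email import policy

# Constructed sample (not from the thread): a worm-style message with an empty
# .cpl attachment, handed to the company mail server by an internal workstation
# and then relayed outward. Host names and addresses are made up.
SAMPLE_MAIL = b"""Received: from mail.example.local (mail.example.local [192.168.1.5])
    by mx.outside.example (Postfix) with ESMTP id ABC123
    for <someone@outside.example>; Wed, 02 Feb 2005 10:15:02 -0800
Received: from WORKSTATION07 (unknown [192.168.1.37])
    by mail.example.local with SMTP id 7F3A
    for <someone@outside.example>; Wed, 02 Feb 2005 10:14:58 -0800
From: boss@example.local
To: someone@outside.example
Subject: document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="document.cpl"
Content-Disposition: attachment; filename="document.cpl"
Content-Transfer-Encoding: base64

--XYZ--
"""

# .cpl and .exe come from the thread; the others are my additions of
# executable types mass-mailing worms of that period commonly shipped.
RISKY_EXT = {".cpl", ".exe", ".scr", ".pif", ".bat", ".com", ".zip"}


def received_hops(msg):
    """Received headers in delivery order (oldest first). Every relay prepends
    its own line at the top, so the header list has to be reversed, and folded
    continuation lines are collapsed to single spaces."""
    return [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]


def parse_hop(hop):
    """Pull (claimed client name, bracketed IP, receiving relay) out of one
    Received line of the common 'from X (Y [ip]) by Z' shape."""
    m = re.match(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", hop)
    if not m:
        return None
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2))
    return {"helo": m.group(1), "ip": ip.group(1) if ip else None, "by": m.group(3)}


def originating_client(msg, trusted_relay):
    """Return the hop written by our own relay. Only the line our server added
    is trustworthy; a worm can put any fake Received lines beneath it."""
    for hop in received_hops(msg):
        info = parse_hop(hop)
        if info and info["by"].lower() == trusted_relay.lower():
            return info
    return None


def risky_attachments(msg):
    """(filename, decoded size in bytes) for attachments whose extension is
    executable-type; a 0-byte entry is the null .cpl case from the thread."""
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXT:
            data = part.get_payload(decode=True) or b""
            out.append((name, len(data)))
    return out


def triage(raw, trusted_relay):
    """Summarise one raw message: who the relay saw connect, and what it carried."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    client = originating_client(msg, trusted_relay)
    return {
        "from_header": str(msg["From"]),  # worms forge this; never act on it alone
        "client_host": client["helo"] if client else None,
        "client_ip": client["ip"] if client else None,
        "attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MAIL, "mail.example.local"))
```

Run this over a handful of the odd messages (saved as raw .eml files) and the `client_ip` values tell you which desktops to pull off the network and scan first; the `From:` line is useless for that, since these worms pick sender addresses from the infected machine's address book. The script keys on the relay name because anything below the line your own server wrote can be forged.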