RE: Hacked
From: Mauricio Fernandez (mfernandez_at_fdta-valles.org)
Date: 04/14/05
- Previous message: Sanders, Jonathan: "RE: fport on windows 2003 server"
- Maybe in reply to: Mauricio Fernandez: "Hacked"
- Next in thread: Markus Pieton: "Re: Hacked"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'P. Rodriguez'" <prodriguez@deltum.com>, <security-basics@securityfocus.com>
Date: Thu, 14 Apr 2005 14:50:01 -0400
Yes, that was exactly what I did and the virus was removed...
Now, I need to realize the way that the hacker put that on my server...
Thanks...
Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez@fdta-valles.org
www.fdta-valles.org
Cochabamba - Bolivia
-----Original Message-----
From: P. Rodriguez [mailto:prodriguez@deltum.com]
Sent: Thursday, April 14, 2005 2:31 PM
To: mfernandez@fdta-valles.org
Subject: RE: Hacked
Importance: High
Try this:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_PARITE.B
Got it from
http://www.experts-exchange.com/Security/Win_Security/Q_20676310.html, which
is #2 when you google for 'pe_parite.b'.
-----Original Message-----
From: Mauricio Fernandez [mailto:mfernandez@fdta-valles.org]
Sent: Thursday, April 14, 2005 10:46 PM
To: security-basics@securityfocus.com
Subject: Hacked
This morning I found a wwwhack window opened on one of my w2k servers,
antivirus agent was deleted (TrendMicro) and when I reinstalled it, it
found about 4500 viruses named PE_PARITE.B
Now the virus is still regenerating itself creating files on winnt\temp
folder, I saw the task list and stopped all the suspicious processes, but
the virus still goes on...
The virus/hacker created a folder named RADMIN, where he copied these
files:
r_server.exe
admdll.dll
hide.reg
raddrv.dll
pro.bat
start.bat
Does anyone know how to remove this virus and avoid this hack
vulnerability?
Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez@fdta-valles.org
www.fdta-valles.org
Cochabamba - Bolivia
- application/x-pkcs7-signature attachment: smime.p7s