RE: Hacked

From: Paul Marsh (pmarsh_at_nmefdn.org)
Date: 04/15/05

  • Next message: Ko, Kang: "RE: Conference Wireless"
    Date: Fri, 15 Apr 2005 11:02:19 -0400
    To: <security-basics@securityfocus.com>
    
    

    Once the system is clean, if you can ever get it to that point without flatting it. Makes sure you monitor outbound connection, don't want this thing to call home to mommy and put you right back at square one again.

    -----Original Message-----
    From: Etapien [mailto:etapien@gmail.com]
    Sent: Friday, April 15, 2005 10:16 AM
    To: mfernandez@fdta-valles.org
    Cc: security-basics@securityfocus.com
    Subject: Re: Hacked

    Well, he actually installed a remote administration tool (radmin) to have control over the system whenever he wants. check those 2 batch files, he used that for installing it as a service probably, open it with a text editor (notepad) and check what the commands are, then you will see what to stop. it's probably some service he installed to make sure it keeps on running, if you can do this with the machine offline if would be the best because when it's connected to the internet those processes are eating up all of the cpu usage and bandwidth. after you have found and deleted whatever process that shouldn't be there then I would suggest you install some firewall to avoid open ports from being accessed by anyone who scans your ip and tries to break in.

    On 4/14/05, Mauricio Fernandez <mfernandez@fdta-valles.org> wrote:
    > This morning I found a wwwhack window opened on one of my w2k servers,
    > antivirus agent was deleted (TrendMicro) and when I reinstall it back,
    > it found about 4500 viruses named PE_PARITE.B
    >
    > Now the virus is still regenerating itself creating files on
    > winnt\temp folder, I saw the task list and stopped all the suspicious
    > process, but the virus still goes on...
    >
    > The virus/hacker created a folder named RADMIN, where he copied these
    > files:
    > r_server.exe
    > admdll.dll
    > hide.reg
    > raddrv.dll
    > pro.bat
    > start.bat
    >
    > Does anyone knows how to remove this virus and avoid this hack
    > vulnerability?
    >
    > Mauricio Fernández S.
    > IT Manager
    > Tel. 591- 445-25160
    > Fax. 591- 441-15056
    > mfernandez@fdta-valles.org
    > www.fdta-valles.org
    > Cochabamba - Bolivia
    >
    >
    >

    --
    __________
    Etapien
    ---------------------------------------------------------------------------
    Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals.  Norwich University is fulfilling this demand with its MS in Information Security offered online.  Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life.
    http://www.msia.norwich.edu/secfocus_en
    ----------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    Earn your MS in Information Security ONLINE
    Organizations worldwide are in need of highly qualified information security 
    professionals.  Norwich University is fulfilling this demand with its MS in 
    Information Security offered online.  Recognized by the NSA as an 
    academically excellent program, NU offers you the opportunity to earn your 
    degree without disrupting your home or work life.
    http://www.msia.norwich.edu/secfocus_en
    ----------------------------------------------------------------------------
    

  • Next message: Ko, Kang: "RE: Conference Wireless"

    Relevant Pages

    • RE: Hacked
      ... the virus still goes on... ... The virus/hacker created a folder named RADMIN, ... Earn your MS in Information Security ONLINE ...
      (Security-Basics)
    • Re: Hacked
      ... > the virus still goes on... ... > The virus/hacker created a folder named RADMIN, ... Earn your MS in Information Security ONLINE ... Organizations worldwide are in need of highly qualified information security professionals. ...
      (Security-Basics)
    • Re: Hacked
      ... >the virus still goes on... ... >The virus/hacker created a folder named RADMIN, ... Earn your MS in Information Security ONLINE ...
      (Security-Basics)
    • Re: Hacked
      ... format the entire system and reinstall everything. ... > the virus still goes on... ... Earn your MS in Information Security ONLINE ...
      (Security-Basics)
    • The ISO17799 Security Newsletter - Issue 3
      ... The third edition of the ISO17799 Newsletter has been published this ... commentary on recent Information Security incidents. ... Internet and E-mail: ... ISO17799 Section 8: When a Virus Attacks ...
      (comp.security.misc)