RE: Hacked (...still cleaning)
From: Serge Jorgensen (sjorgensen_at_usinfosec.com)
Date: 04/19/05
- Previous message: Bart Crijns: "Re: VNC Security"
- Maybe in reply to: Mauricio Fernandez: "RE: Hacked (...still cleaning)"
- Next in thread: Kirk Brady: "RE: Hacked (...still cleaning)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <mfernandez@fdta-valles.org>, <security-basics@securityfocus.com> Date: Tue, 19 Apr 2005 17:27:07 -0400
Mauricio,
Without checking, system restore may be dumping it back in there.
R/
Serge
-----Original Message-----
From: "Mauricio Fernandez"<mfernandez@fdta-valles.org>
Sent: 4/19/05 4:10:12 PM
To: "security-basics@securityfocus.com"<security-basics@securityfocus.com>
Subject: RE: Hacked (...still cleaning)
One thing I am trying to do is to hide the cmd.exe file to avoid the
possibility of running some programs. I searched the file on the hole
system and deleted from \system32\ and \I386\ folders, copied into a
folder no included on the system path with a different name. But if I
invoke cmd.exe, it appears again on \system32\
Does anyone knows how to remove it?
Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez@fdta-valles.org
www.fdta-valles.org
Cochabamba - Bolivia
-----Original Message-----
From: Louie [mailto:tech.louie@verizon.net]
Sent: Sunday, April 17, 2005 1:38 PM
To: 'Paul Marsh'; security-basics@securityfocus.com
Subject: RE: Hacked
Other thing also do you have a router or some kind of switch? If you
have a router you should be albe to see from your logs which ip address
is hitting those port he is trying to connect.
-----Original Message-----
From: Paul Marsh [mailto:pmarsh@nmefdn.org]
Sent: Friday, April 15, 2005 8:02 AM
To: security-basics@securityfocus.com
Subject: RE: Hacked
Once the system is clean, if you can ever get it to that point without
flatting it. Makes sure you monitor outbound connection, don't want
this thing to call home to mommy and put you right back at square one
again.
-----Original Message-----
From: Etapien [mailto:etapien@gmail.com]
Sent: Friday, April 15, 2005 10:16 AM
To: mfernandez@fdta-valles.org
Cc: security-basics@securityfocus.com
Subject: Re: Hacked
Well, he actually installed a remote administration tool (radmin) to
have control over the system whenever he wants. check those 2 batch
files, he used that for installing it as a service probably, open it
with a text editor (notepad) and check what the commands are, then you
will see what to stop. it's probably some service he installed to make
sure it keeps on running, if you can do this with the machine offline if
would be the best because when it's connected to the internet those
processes are eating up all of the cpu usage and bandwidth. after you
have found and deleted whatever process that shouldn't be there then I
would suggest you install some firewall to avoid open ports from being
accessed by anyone who scans your ip and tries to break in.
On 4/14/05, Mauricio Fernandez <mfernandez@fdta-valles.org> wrote:
> This morning I found a wwwhack window opened on one of my w2k servers,
> antivirus agent was deleted (TrendMicro) and when I reinstall it back,
> it found about 4500 viruses named PE_PARITE.B
>
> Now the virus is still regenerating itself creating files on
> winnt\temp folder, I saw the task list and stopped all the suspicious
> process, but the virus still goes on...
>
> The virus/hacker created a folder named RADMIN, where he copied these
> files:
> r_server.exe
> admdll.dll
> hide.reg
> raddrv.dll
> pro.bat
> start.bat
>
> Does anyone knows how to remove this virus and avoid this hack
> vulnerability?
>
> Mauricio Fernández S.
> IT Manager
> Tel. 591- 445-25160
> Fax. 591- 441-15056
> mfernandez@fdta-valles.org
> www.fdta-valles.org
> Cochabamba - Bolivia
>
>
>
-- __________ Etapien ------------------------------------------------------------------------ --- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ --- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ------------------------------------------------------------------------ ---- Sylint Cyber Security, Intelligence & Analysis Serge Jorgensen +1.941.951.6015 sjorgensen@usinfosec.com The Sylint Group PO Box 49886 Sarasota, Florida 34230 USA -------------------------------------------------------------------------------- This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, please contact the sender immediately by reply email and destroy all copies. You are hereby notified that any disclosure, copying or distribution of this message, or the taking of any action based on it, is strictly prohibited.
- Previous message: Bart Crijns: "Re: VNC Security"
- Maybe in reply to: Mauricio Fernandez: "RE: Hacked (...still cleaning)"
- Next in thread: Kirk Brady: "RE: Hacked (...still cleaning)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
