RE: Hacked (...still cleaning)

From: Serge Jorgensen (sjorgensen_at_usinfosec.com)
Date: 04/19/05

  • Next message: P. Rodriguez: "RE: Steps to avoid Social Engineering"
    To: <mfernandez@fdta-valles.org>, <security-basics@securityfocus.com>
    Date: Tue, 19 Apr 2005 17:27:07 -0400
    
    

    Mauricio,

    Without checking, system restore may be dumping it back in there.

    R/
      Serge

    -----Original Message-----
    From: "Mauricio Fernandez"<mfernandez@fdta-valles.org>
    Sent: 4/19/05 4:10:12 PM
    To: "security-basics@securityfocus.com"<security-basics@securityfocus.com>
    Subject: RE: Hacked (...still cleaning)

    One thing I am trying to do is to hide the cmd.exe file to avoid the
    possibility of running some programs. I searched the file on the hole
    system and deleted from \system32\ and \I386\ folders, copied into a
    folder no included on the system path with a different name. But if I
    invoke cmd.exe, it appears again on \system32\

    Does anyone knows how to remove it?

    Mauricio Fernández S.
    IT Manager
    Tel. 591- 445-25160
    Fax. 591- 441-15056
    mfernandez@fdta-valles.org
    www.fdta-valles.org
    Cochabamba - Bolivia

    -----Original Message-----
    From: Louie [mailto:tech.louie@verizon.net]
    Sent: Sunday, April 17, 2005 1:38 PM
    To: 'Paul Marsh'; security-basics@securityfocus.com
    Subject: RE: Hacked

    Other thing also do you have a router or some kind of switch? If you
    have a router you should be albe to see from your logs which ip address
    is hitting those port he is trying to connect.

    -----Original Message-----
    From: Paul Marsh [mailto:pmarsh@nmefdn.org]
    Sent: Friday, April 15, 2005 8:02 AM
    To: security-basics@securityfocus.com
    Subject: RE: Hacked

    Once the system is clean, if you can ever get it to that point without
    flatting it. Makes sure you monitor outbound connection, don't want
    this thing to call home to mommy and put you right back at square one
    again.

    -----Original Message-----
    From: Etapien [mailto:etapien@gmail.com]
    Sent: Friday, April 15, 2005 10:16 AM
    To: mfernandez@fdta-valles.org
    Cc: security-basics@securityfocus.com
    Subject: Re: Hacked

    Well, he actually installed a remote administration tool (radmin) to
    have control over the system whenever he wants. check those 2 batch
    files, he used that for installing it as a service probably, open it
    with a text editor (notepad) and check what the commands are, then you
    will see what to stop. it's probably some service he installed to make
    sure it keeps on running, if you can do this with the machine offline if
    would be the best because when it's connected to the internet those
    processes are eating up all of the cpu usage and bandwidth. after you
    have found and deleted whatever process that shouldn't be there then I
    would suggest you install some firewall to avoid open ports from being
    accessed by anyone who scans your ip and tries to break in.

    On 4/14/05, Mauricio Fernandez <mfernandez@fdta-valles.org> wrote:
    > This morning I found a wwwhack window opened on one of my w2k servers,
    > antivirus agent was deleted (TrendMicro) and when I reinstall it back,

    > it found about 4500 viruses named PE_PARITE.B
    >
    > Now the virus is still regenerating itself creating files on
    > winnt\temp folder, I saw the task list and stopped all the suspicious
    > process, but the virus still goes on...
    >
    > The virus/hacker created a folder named RADMIN, where he copied these
    > files:
    > r_server.exe
    > admdll.dll
    > hide.reg
    > raddrv.dll
    > pro.bat
    > start.bat
    >
    > Does anyone knows how to remove this virus and avoid this hack
    > vulnerability?
    >
    > Mauricio Fernández S.
    > IT Manager
    > Tel. 591- 445-25160
    > Fax. 591- 441-15056
    > mfernandez@fdta-valles.org
    > www.fdta-valles.org
    > Cochabamba - Bolivia
    >
    >
    >

    --
    __________
    Etapien
    ------------------------------------------------------------------------
    ---
    Earn your MS in Information Security ONLINE Organizations worldwide are
    in need of highly qualified information security professionals.  Norwich
    University is fulfilling this demand with its MS in Information Security
    offered online.  Recognized by the NSA as an academically excellent
    program, NU offers you the opportunity to earn your degree without
    disrupting your home or work life.
    http://www.msia.norwich.edu/secfocus_en
    ------------------------------------------------------------------------
    ----
    ------------------------------------------------------------------------
    ---
    Earn your MS in Information Security ONLINE
    Organizations worldwide are in need of highly qualified information
    security 
    professionals.  Norwich University is fulfilling this demand with its MS
    in 
    Information Security offered online.  Recognized by the NSA as an 
    academically excellent program, NU offers you the opportunity to earn
    your 
    degree without disrupting your home or work life.
    http://www.msia.norwich.edu/secfocus_en
    ------------------------------------------------------------------------
    ----
    Sylint
    Cyber Security,
    Intelligence & Analysis
    Serge Jorgensen
    +1.941.951.6015
    sjorgensen@usinfosec.com
    The Sylint Group
    PO Box 49886
    Sarasota, Florida 34230 USA 
    --------------------------------------------------------------------------------
    This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, please contact the sender immediately by reply email and destroy all copies. You are hereby notified that any disclosure, copying or distribution of this message, or the taking of any action based on it, is strictly prohibited.
    

  • Next message: P. Rodriguez: "RE: Steps to avoid Social Engineering"