Re: Hacked

[Matan Peled <chaosite () gmail com>]

Mauricio Fernandez wrote:
> This morning I found a wwwhack window opened on one of my w2k servers,
> antivirus agent was deleted (TrendMicro) and when I reinstall it back, it
> found about 4500 viruses named PE_PARITE.B
>
> Now the virus is still regenerating itself creating files on winnt\temp
> folder, I saw the task list and stopped all the suspicious process, but
> the virus still goes on...
>
> The virus/hacker created a folder named RADMIN, where he copied these
> files:
> r_server.exe
> admdll.dll
> hide.reg
> raddrv.dll
> pro.bat
> start.bat
>
> Does anyone knows how to remove this virus and avoid this hack
> vulnerability?

First of all, RADMIN is most obviously "Remote Admin", which means he left
himself a backdoor.

My hints - get your data off that server, and completely reinstall the machine.

Note that the virus makes a DLL that attaches itself to the Explorer process,
which means that you effectively cannot see the virus's process in the task manager.

Also, the virus spreads by exe/scr files, so be careful. To avoid being hacked
again, find out how the hacker got in - possibly through the software being run
on the server.

-- 
[Name      ]   ::  [Matan I. Peled    ]
[Location  ]   ::  [Israel            ]
[Public Key]   ::  [0xD6F42CA5        ]
[Keyserver ]   ::  [keyserver.kjsl.com]
encrypted/signed  plain text  preferred

Attachment: signature.asc
Description: OpenPGP digital signature