Security Basics mailing list archives
RE: Hacked (...still cleaning)
From: "Serge Jorgensen" <sjorgensen () usinfosec com>
Date: Tue, 19 Apr 2005 17:27:07 -0400
Mauricio, Without checking, system restore may be dumping it back in there. R/ Serge -----Original Message----- From: "Mauricio Fernandez"<mfernandez () fdta-valles org> Sent: 4/19/05 4:10:12 PM To: "security-basics () securityfocus com"<security-basics () securityfocus com> Subject: RE: Hacked (...still cleaning) One thing I am trying to do is to hide the cmd.exe file to avoid the possibility of running some programs. I searched the file on the hole system and deleted from \system32\ and \I386\ folders, copied into a folder no included on the system path with a different name. But if I invoke cmd.exe, it appears again on \system32\ Does anyone knows how to remove it? Mauricio Fernández S. IT Manager Tel. 591- 445-25160 Fax. 591- 441-15056 mfernandez () fdta-valles org www.fdta-valles.org Cochabamba - Bolivia -----Original Message----- From: Louie [mailto:tech.louie () verizon net] Sent: Sunday, April 17, 2005 1:38 PM To: 'Paul Marsh'; security-basics () securityfocus com Subject: RE: Hacked Other thing also do you have a router or some kind of switch? If you have a router you should be albe to see from your logs which ip address is hitting those port he is trying to connect. -----Original Message----- From: Paul Marsh [mailto:pmarsh () nmefdn org] Sent: Friday, April 15, 2005 8:02 AM To: security-basics () securityfocus com Subject: RE: Hacked Once the system is clean, if you can ever get it to that point without flatting it. Makes sure you monitor outbound connection, don't want this thing to call home to mommy and put you right back at square one again. -----Original Message----- From: Etapien [mailto:etapien () gmail com] Sent: Friday, April 15, 2005 10:16 AM To: mfernandez () fdta-valles org Cc: security-basics () securityfocus com Subject: Re: Hacked Well, he actually installed a remote administration tool (radmin) to have control over the system whenever he wants. check those 2 batch files, he used that for installing it as a service probably, open it with a text editor (notepad) and check what the commands are, then you will see what to stop. it's probably some service he installed to make sure it keeps on running, if you can do this with the machine offline if would be the best because when it's connected to the internet those processes are eating up all of the cpu usage and bandwidth. after you have found and deleted whatever process that shouldn't be there then I would suggest you install some firewall to avoid open ports from being accessed by anyone who scans your ip and tries to break in. On 4/14/05, Mauricio Fernandez <mfernandez () fdta-valles org> wrote:
This morning I found a wwwhack window opened on one of my w2k servers, antivirus agent was deleted (TrendMicro) and when I reinstall it back,
it found about 4500 viruses named PE_PARITE.B Now the virus is still regenerating itself creating files on winnt\temp folder, I saw the task list and stopped all the suspicious process, but the virus still goes on... The virus/hacker created a folder named RADMIN, where he copied these files: r_server.exe admdll.dll hide.reg raddrv.dll pro.bat start.bat Does anyone knows how to remove this virus and avoid this hack vulnerability? Mauricio Fernández S. IT Manager Tel. 591- 445-25160 Fax. 591- 441-15056 mfernandez () fdta-valles org www.fdta-valles.org Cochabamba - Bolivia
-- __________ Etapien ------------------------------------------------------------------------ --- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ --- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ------------------------------------------------------------------------ ---- Sylint Cyber Security, Intelligence & Analysis Serge Jorgensen +1.941.951.6015 sjorgensen () usinfosec com The Sylint Group PO Box 49886 Sarasota, Florida 34230 USA -------------------------------------------------------------------------------- This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, please contact the sender immediately by reply email and destroy all copies. You are hereby notified that any disclosure, copying or distribution of this message, or the taking of any action based on it, is strictly prohibited.
Current thread:
- RE: Hacked (...still cleaning) Horn Michael (Apr 20)
- <Possible follow-ups>
- RE: Hacked (...still cleaning) Beauford, Jason (Apr 20)
- RE: Hacked (...still cleaning) Serge Jorgensen (Apr 20)
- RE: Hacked (...still cleaning) Kirk Brady (Apr 20)
- RE: Hacked (...still cleaning) Jonathan Loh (Apr 21)
- RE: Hacked (...still cleaning) Kirk Brady (Apr 22)
- Password Audits Jair (Apr 25)
- Re: Password Audits Jeff Ferris (Apr 26)
- Re: Password Audits Mani.682001 () gmail com (Apr 26)
- Re: Password Audits Adam Jones (Apr 26)
- RE: Password Audits . (Apr 26)
- RE: Password Audits Donald N Kenepp (Apr 27)
- Password Audits Jair (Apr 25)
- Re: Password Audits tmanster (Apr 26)