RE: Hacked (...still cleaning)

["Kirk Brady" <Kirk.Brady () TeachersHealth com au>]

deleted meaning it wont re-appear by  windows file protection restoring it
of course if you WANT to recover it manually, then of course this doesnt cut it

-----Original Message-----
From: Jonathan Loh [mailto:kj6loh () yahoo com]
Sent: Thursday, 21 April 2005 6:59 PM
To: Kirk Brady; security-basics () securityfocus com
Subject: RE: Hacked (...still cleaning)


Really?  Last time I checked only the first couple bytes of the name were
overwritten.  Very easy to retrieve. Windows may even have a file recovery
tool.
If you want good protection you really need to wipe (some call it secure erase)
the file.  If you want to recover from this it can be expensive and iffy at
best.  
This document is a bit dated but it still applies.
<a
href="http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/";>Article</a>
--- Kirk Brady <Kirk.Brady () TeachersHealth com au> wrote:

> if this is windows 2000 or windows xp, turn off windows file protection, and
> then once the file is deleted, it should STAY deleted
>
> -----Original Message-----
> From: Mauricio Fernandez [mailto:mfernandez () fdta-valles org]
> Sent: Tuesday, 19 April 2005 6:34 AM
> To: security-basics () securityfocus com
> Subject: RE: Hacked (...still cleaning)
>
>
> One thing I am trying to do is to hide the cmd.exe file to avoid the
> possibility of running some programs. I searched the file on the hole
> system and deleted from \system32\ and \I386\ folders, copied into a
> folder no included on the system path with a different name. But if I
> invoke cmd.exe, it appears again on \system32\
>
> Does anyone knows how to remove it?
>
>
> Mauricio Fernández S.
> IT Manager
> Tel. 591- 445-25160
> Fax. 591- 441-15056
> mfernandez () fdta-valles org
> www.fdta-valles.org
> Cochabamba - Bolivia
>
> -----Original Message-----
> From: Louie [mailto:tech.louie () verizon net] 
> Sent: Sunday, April 17, 2005 1:38 PM
> To: 'Paul Marsh'; security-basics () securityfocus com
> Subject: RE: Hacked
>
> Other thing also do you have a router or some kind of switch? If you
> have a router you should be albe to see from your logs which ip address
> is hitting those port he is trying to connect.
>
> -----Original Message-----
> From: Paul Marsh [mailto:pmarsh () nmefdn org] 
> Sent: Friday, April 15, 2005 8:02 AM
> To: security-basics () securityfocus com
> Subject: RE: Hacked
>
>
> Once the system is clean, if you can ever get it to that point without
> flatting it.  Makes sure you monitor outbound connection, don't want
> this thing to call home to mommy and put you right back at square one
> again. 
>
> -----Original Message-----
> From: Etapien [mailto:etapien () gmail com] 
> Sent: Friday, April 15, 2005 10:16 AM
> To: mfernandez () fdta-valles org
> Cc: security-basics () securityfocus com
> Subject: Re: Hacked
>
> Well,  he actually installed a remote administration tool (radmin) to
> have control over the system whenever he wants. check those 2 batch
> files, he used that for installing it as a service probably, open it
> with a text editor (notepad) and check what the commands are, then you
> will see what to stop. it's probably some service he installed to make
> sure it keeps on running, if you can do this with the machine offline if
> would be the best because when it's connected to the internet those
> processes are eating up all of the cpu usage and bandwidth. after you
> have found and deleted whatever process that shouldn't be there then I
> would suggest you install some firewall to avoid open ports from being
> accessed by anyone who scans your ip and tries to break in.
>
>
> On 4/14/05, Mauricio Fernandez <mfernandez () fdta-valles org> wrote:
> > This morning I found a wwwhack window opened on one of my w2k servers,
> > antivirus agent was deleted (TrendMicro) and when I reinstall it back,
>
> > it found about 4500 viruses named PE_PARITE.B
> >
> > Now the virus is still regenerating itself creating files on
> > winnt\temp folder, I saw the task list and stopped all the suspicious 
> > process, but the virus still goes on...
> >
> > The virus/hacker created a folder named RADMIN, where he copied these
> > files:
> > r_server.exe
> > admdll.dll
> > hide.reg
> > raddrv.dll
> > pro.bat
> > start.bat
> >
> > Does anyone knows how to remove this virus and avoid this hack
> > vulnerability?
> >
> > Mauricio Fernández S.
> > IT Manager
> > Tel. 591- 445-25160
> > Fax. 591- 441-15056
> > mfernandez () fdta-valles org
> > www.fdta-valles.org
> > Cochabamba - Bolivia
>
>
> --
>
> __________
> Etapien
>
> ------------------------------------------------------------------------
> ---
>
> Earn your MS in Information Security ONLINE Organizations worldwide are
> in need of highly qualified information security professionals.  Norwich
> University is fulfilling this demand with its MS in Information Security
> offered online.  Recognized by the NSA as an academically excellent
> program, NU offers you the opportunity to earn your degree without
> disrupting your home or work life.
>
> http://www.msia.norwich.edu/secfocus_en
> ------------------------------------------------------------------------
> ----
>
>
> ------------------------------------------------------------------------
> ---
> Earn your MS in Information Security ONLINE
> Organizations worldwide are in need of highly qualified information
> security 
> professionals.  Norwich University is fulfilling this demand with its MS
> in 
> Information Security offered online.  Recognized by the NSA as an 
> academically excellent program, NU offers you the opportunity to earn
> your 
> degree without disrupting your home or work life.
>
> http://www.msia.norwich.edu/secfocus_en
> ------------------------------------------------------------------------
> ----


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com