Re: Ph0t0Sh0p.exe

[Gaby <gaby.Hoffmann () ANU EDU AU>]

I don't know how to clean them out, but the machines we had
recently doing ping scans were part of a botnet controlled by
210.183.110.86 on TCP port 64444.

Cheers.

Gaby

Andrew Watson wrote:

> We have had two student systems show up on campus displaying
> Nachi/Welchia activity (caught by our MS-RPCDCOM filter 2289 on tipping
> point).  After we got our hands on the systems, none of our standard
> cleaning tools or AV software were successful at finding any problems.
> The only thing that we could find out of the ordinary was a single
> program, Ph0t0Sh0p.exe, that looked suspicious.  It constantly takes
> about 70% CPU on both systems, and will trigger over 3000 alerts per
> hour on tipping point if connected to the network.  I am going to have
> the students wipe the machines and re-install, I was curious to find out
> if anyone on this list had seen this type of activity?  We have tried
> Symantec AV, Blaster/Nachi/Welchia cleaning utilities, spybot, and
> adaware with no success.
>
>
>
> Any advice would be greatly appreciated.
>
>
>
> Sincerely,
>
>
>
>
>
> Andrew Watson
>
> Sr. Systems Administrator
>
> The Colorado College
>
> 14 E. Cache La Poudre St.
>
> Armstrong Hall, 1A
>
> Colorado Springs, CO 80903
>
> Phone: 719-389-6733
>
> Fax: 719-389-6733
>
>
>
> ********** Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/cg/.


--
___________________________________________________________________________
Gaby Hoffmann                       E-Mail : Gaby.Hoffmann () anu edu au
Networks and Communications, IIS    Phone : (02) 6125 3264 Mob:0410 348 254
Leonard Huxley Building #56         Fax   : (02) 6125 8199 internal:58199
Australian National University      Canberra, ACT 0200

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.