Security Incidents mailing list archives
Re: Compromised Windows Server
From: df () odette es
Date: 8 Jun 2006 18:48:08 -0000
Hi all, I have had the same problem with the : Mwvsta.exe found in c:\windows\system32 and Ponoas.exe c:\windows\system32 although rundll16.exe c:\windows\system23 was not present in my PC, obviously rundll32.exe is there anyway (it may serve the same purpose, probably). I observed the Mwvsta.exe running through my "task manager" and it was constantly acting, even after a new reboot it was launched again. I spotted the file name in the registry in : HKCU/Software/Microsoft/Windows/CurrentVersion/Run Which is obviously launched at boot time. I succeded to kill it by blocking the access of Mwvsta.exe with a firewall tool (in fact: McAffee) and then deleting the registry key and rebooting afterwards. After I erased that key from the registry the previous constant outgoing FTP flow, through port 139 (as you mentioned), to lots of different IPs was finished (in my opinion it may be a "spamming" program or something similar). Before that, I also received a constant flow of information and that is all I observed before starting my attack against it. As additional information I attach this proof of evidence which I have obtained after deleting that Mwvsta.exe. It seems it is still trying to continue with its activitu althoug it cannot enter now. Firewall Log Table (copied form my Linksys router)... just a small part of it, it was going mad constantly... NO. Time Packet Information Reason Action 001 Jun 0806 21:01:23 From:205.177.79.126:1901 To: my IP TCP default permit <2,00> block 003 Jun 0806 21:01:26 From:205.177.79.126:1901 To: my IP TCP default permit <2,00> block 005 Jun 0806 21:01:28 From:81.177.37.67:51502 To: my IP TCP default permit <2,00> block 007 Jun 0806 21:01:32 From:205.177.79.126:1901 To: my IP TCP default permit <2,00> block 008 Jun 0806 21:01:37 From:81.177.37.68:49969 To: my IP TCP default permit <2,00> block 009 Jun 0806 21:01:41 From:67.159.22.107:4878 To: my IP TCP default permit <2,00> block 010 Jun 0806 21:01:46 From:81.177.37.68:49969 To: my IP TCP default permit <2,00> block 011 Jun 0806 21:01:48 From:81.177.37.67:53683 To: my IP TCP default permit <2,00> block 012 Jun 0806 21:01:50 From:67.159.22.107:4878 To: my IP TCP default permit <2,00> block 013 Jun 0806 21:01:51 From:81.177.37.67:53683 To: my IP TCP default permit <2,00> block 014 Jun 0806 21:01:51 From:66.185.126.84:4115 To: my IP TCP default permit <2,00> block ...end of my story... ...hope it helps finding that PHANTOM ATTACK. If I get it again I will be more cautious and study it carefully before deleting it. Kind regards to all for your hints. David ------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29. August 3 in Las Vegas. World renowned security experts reveal tomorrow.s threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------
Current thread:
- Re: Compromised Windows Server, (continued)
- Re: Compromised Windows Server Axel Pettinger (Jun 06)
- Re: Compromised Windows Server Harlan Carvey (Jun 06)
- Re: Compromised Windows Server Patrick Beam (Jun 06)
- Re: Compromised Windows Server Kees Leune (Jun 07)
- Re: Compromised Windows Server Isaac Perez (Jun 06)
- Re: Compromised Windows Server Macleonard Starkey (Jun 06)
- Re: Re: Compromised Windows Server wnorth (Jun 05)
- Re: Compromised Windows Server Butterworth, Jim (Jun 06)
- Re: Compromised Windows Server ross (Jun 06)
- RE: Compromised Windows Server Alan Davies (Jun 08)
- Re: Compromised Windows Server df (Jun 08)