Security Basics mailing list archives

RE: Hacked

From: "Conlan Adams" <conlan () midwesteyebanks org>
Date: Thu, 14 Apr 2005 14:32:25 -0400

First take an image of the machine using ghost or a similar tool.
Second, take the machine off your network.
Third, format and reinstall the machine, apply all updates.
Forth, restore data from a backup.

At this point there is no telling what all they put on the machine, they could have it strewn with backdoors and 
trojans.

Once that much has been done, try to figure out how they got in using the image you took, or by seeing what might not 
have been updated.

Run the IIS lockdown tool, Baseline Security Analyzer, and other security tools to make sure your install is tight.

But first you really need to get that thing off your network.

Conlan Adams

-----Original Message-----
From: Mauricio Fernandez [mailto:mfernandez () fdta-valles org] 
Sent: Thursday, April 14, 2005 10:46 AM
To: security-basics () securityfocus com
Subject: Hacked

This morning I found a wwwhack window opened on one of my w2k servers,
antivirus agent was deleted (TrendMicro) and when I reinstall it back, it
found about 4500 viruses named PE_PARITE.B

Now the virus is still regenerating itself creating files on winnt\temp
folder, I saw the task list and stopped all the suspicious process, but
the virus still goes on...

The virus/hacker created a folder named RADMIN, where he copied these
files:
r_server.exe
admdll.dll
hide.reg
raddrv.dll
pro.bat
start.bat

Does anyone knows how to remove this virus and avoid this hack
vulnerability?


Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia


---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security
professionals.  Norwich University is fulfilling this demand with its MS in
Information Security offered online.  Recognized by the NSA as an
academically excellent program, NU offers you the opportunity to earn your
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------

Current thread:

Re: Hacked, (continued)
- Re: Hacked Valentin Höbel (Apr 14)
- Re: Hacked xyberpix (Apr 14)
- Re: Hacked Alen Capalik (Apr 14)
- Re: Hacked Matan Peled (Apr 14)
- RE: Hacked lista (Apr 14)
- Re: Hacked Etapien (Apr 15)
  - Re: Hacked matt donovan (Apr 18)
- RE: Hacked Joshua Berry (Apr 14)
  - RE: Hacked Jason DeCamp (Apr 14)
- RE: Hacked Steve Scholz (Apr 14)
- RE: Hacked Conlan Adams (Apr 14)
- RE: Hacked Mauricio Fernandez (Apr 14)
- RE: Hacked Mauricio Fernandez (Apr 14)
- RE: Hacked Mauricio Fernandez (Apr 14)
- Re: Hacked Donald Voss (Apr 14)
- RE: Hacked Paul Marsh (Apr 15)
  - RE: Hacked Louie (Apr 18)
    - RE: Hacked (...still cleaning) Mauricio Fernandez (Apr 19)
    - Re: Hacked (...still cleaning) Thierry Zoller (Apr 20)
    - Re: Hacked (...still cleaning) Matan Peled (Apr 20)
    - Re: Hacked (...still cleaning) Dave Aronson (Apr 20)

(Thread continues...)