RE: Hacked

["Mauricio Fernandez" <mfernandez () fdta-valles org>]

I copied the folder on my lap, but the logs file doesn't has information
about the hacker or his intentions, only has some copy/move/prepare
information


Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia

-----Original Message-----
From: luuk stoop [mailto:luukstoop () gmail com] 
Sent: Thursday, April 14, 2005 2:16 PM
To: mfernandez () fdta-valles org
Subject: Re: Hacked

Me again,

you could trace this hacker by looking in to the log files from Remote
Administrator.
So I hope you did not remove it already.

Luuk

On 4/14/05, luuk stoop <luukstoop () gmail com> wrote:
> Dear Sir,
>
> The files in the dir RADMIN contain a program called remote
> administrator, it opens telnet and a remote admin connection. You can
> simple remove it by uninstall from Remote Administrator.
>
> I hope this helps
> Sincirli
> Luuk
>
> On 4/14/05, Mauricio Fernandez <mfernandez () fdta-valles org> wrote:
> > This morning I found a wwwhack window opened on one of my w2k servers,
> > antivirus agent was deleted (TrendMicro) and when I reinstall it back,
it
> > found about 4500 viruses named PE_PARITE.B
> >
> > Now the virus is still regenerating itself creating files on
winnt\temp
> > folder, I saw the task list and stopped all the suspicious process,
but
> > the virus still goes on...
> >
> > The virus/hacker created a folder named RADMIN, where he copied these
> > files:
> > r_server.exe
> > admdll.dll
> > hide.reg
> > raddrv.dll
> > pro.bat
> > start.bat
> >
> > Does anyone knows how to remove this virus and avoid this hack
> > vulnerability?
> >
> >
> > Mauricio Fernández S.
> > IT Manager
> > Tel. 591- 445-25160
> > Fax. 591- 441-15056
> > mfernandez () fdta-valles org
> > www.fdta-valles.org
> > Cochabamba - Bolivia

Attachment: smime.p7s
Description: