Re: Hacked

[Jacob Bresciani <jacob () bresciani ca>]

disconnect that machine from the internet while you clean it, looks like
a trojan downloader got on.

as you clean the virus's it's downloading new ones.

check for new/modified services and extra lines in
HKLM/software/microsoft/windows/current version/run and all it's other
iterations.

get fport from sysinternals.com (I think that's where I got it) and see
what's trying to connect out or waiting for incoming connections. most
likely the trojan is pulling things down rather than having software
pushed to it as this way it could bypass the average firewall.

On Thu, 2005-04-14 at 10:46 -0400, Mauricio Fernandez wrote:
> This morning I found a wwwhack window opened on one of my w2k servers,
> antivirus agent was deleted (TrendMicro) and when I reinstall it back, it
> found about 4500 viruses named PE_PARITE.B
>
> Now the virus is still regenerating itself creating files on winnt\temp
> folder, I saw the task list and stopped all the suspicious process, but
> the virus still goes on...
>
> The virus/hacker created a folder named RADMIN, where he copied these
> files:
> r_server.exe
> admdll.dll
> hide.reg
> raddrv.dll
> pro.bat
> start.bat
>
> Does anyone knows how to remove this virus and avoid this hack
> vulnerability?
>
>
> Mauricio Fernández S.
> IT Manager
> Tel. 591- 445-25160
> Fax. 591- 441-15056
> mfernandez () fdta-valles org
> www.fdta-valles.org
> Cochabamba - Bolivia


---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security 
professionals.  Norwich University is fulfilling this demand with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------