Security Basics mailing list archives
Re: Hacked
From: "matt donovan" <gothicnight2002 () msn com>
Date: Mon, 18 Apr 2005 13:15:06 -0400
Also check the system32 folder for a file called ramall.bat or something close to it since that is what "rooters" use to uninstall an irc bot if one is installed.
From: Etapien <etapien () gmail com> Reply-To: Etapien <etapien () gmail com> To: mfernandez () fdta-valles org CC: security-basics () securityfocus com Subject: Re: Hacked Date: Fri, 15 Apr 2005 09:15:41 -0500 Well, he actually installed a remote administration tool (radmin) to have control over the system whenever he wants. check those 2 batch files, he used that for installing it as a service probably, open it with a text editor (notepad) and check what the commands are, then you will see what to stop. it's probably some service he installed to make sure it keeps on running, if you can do this with the machine offline if would be the best because when it's connected to the internet those processes are eating up all of the cpu usage and bandwidth. after you have found and deleted whatever process that shouldn't be there then I would suggest you install some firewall to avoid open ports from being accessed by anyone who scans your ip and tries to break in. On 4/14/05, Mauricio Fernandez <mfernandez () fdta-valles org> wrote: > This morning I found a wwwhack window opened on one of my w2k servers,> antivirus agent was deleted (TrendMicro) and when I reinstall it back, it> found about 4500 viruses named PE_PARITE.B > > Now the virus is still regenerating itself creating files on winnt\temp > folder, I saw the task list and stopped all the suspicious process, but > the virus still goes on... > > The virus/hacker created a folder named RADMIN, where he copied these > files: > r_server.exe > admdll.dll > hide.reg > raddrv.dll > pro.bat > start.bat > > Does anyone knows how to remove this virus and avoid this hack > vulnerability? > > Mauricio Fernández S. > IT Manager > Tel. 591- 445-25160 > Fax. 591- 441-15056 > mfernandez () fdta-valles org > www.fdta-valles.org > Cochabamba - Bolivia > > > -- __________ Etapien --------------------------------------------------------------------------- Earn your MS in Information Security ONLINEOrganizations worldwide are in need of highly qualified information securityprofessionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ----------------------------------------------------------------------------
Current thread:
- Re: Hacked, (continued)
- Re: Hacked Markus Pieton (Apr 14)
- Re: Hacked Jacob Bresciani (Apr 14)
- Re: Hacked Ansgar -59cobalt- Wiechers (Apr 18)
- Re: Hacked Nathaniel Hall (Apr 14)
- Re: Hacked Valentin Höbel (Apr 14)
- Re: Hacked xyberpix (Apr 14)
- Re: Hacked Alen Capalik (Apr 14)
- Re: Hacked Matan Peled (Apr 14)
- RE: Hacked lista (Apr 14)
- Re: Hacked Etapien (Apr 15)
- Re: Hacked matt donovan (Apr 18)
- RE: Hacked Joshua Berry (Apr 14)
- RE: Hacked Jason DeCamp (Apr 14)
- RE: Hacked Steve Scholz (Apr 14)
- RE: Hacked Conlan Adams (Apr 14)
- RE: Hacked Mauricio Fernandez (Apr 14)
- RE: Hacked Mauricio Fernandez (Apr 14)
- RE: Hacked Mauricio Fernandez (Apr 14)
- Re: Hacked Donald Voss (Apr 14)
- RE: Hacked Paul Marsh (Apr 15)
- RE: Hacked Louie (Apr 18)
(Thread continues...)