Educause Security Discussion mailing list archives
Re: Ph0t0Sh0p.exe
From: Gaby <gaby.Hoffmann () ANU EDU AU>
Date: Wed, 15 Sep 2004 11:03:17 +1000
I don't know how to clean them out, but the machines we had recently doing ping scans were part of a botnet controlled by 210.183.110.86 on TCP port 64444.

Cheers.
Gaby

Andrew Watson wrote:
We have had two student systems show up on campus displaying Nachi/Welchia activity (caught by our MS-RPCDCOM filter 2289 on TippingPoint). After we got our hands on the systems, none of our standard cleaning tools or AV software were successful at finding any problems. The only thing that we could find out of the ordinary was a single program, Ph0t0Sh0p.exe, that looked suspicious. It constantly takes about 70% CPU on both systems, and will trigger over 3000 alerts per hour on TippingPoint if connected to the network.

I am going to have the students wipe the machines and re-install. I was curious to find out if anyone on this list had seen this type of activity? We have tried Symantec AV, Blaster/Nachi/Welchia cleaning utilities, spybot, and adaware with no success. Any advice would be greatly appreciated.

Sincerely,
Andrew Watson
Sr. Systems Administrator
The Colorado College
14 E. Cache La Poudre St.
Armstrong Hall, 1A
Colorado Springs, CO 80903
Phone: 719-389-6733
Fax: 719-389-6733

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
--
___________________________________________________________________________
Gaby Hoffmann                    E-Mail : Gaby.Hoffmann () anu edu au
Networks and Communications, IIS Phone  : (02) 6125 3264  Mob: 0410 348 254
Leonard Huxley Building #56      Fax    : (02) 6125 8199  internal: 58199
Australian National University
Canberra, ACT 0200
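The two symptoms named in this thread, an outbound connection to the controller at 210.183.110.86 on TCP port 64444 and Welchia-style ICMP echo sweeps of many neighbouring hosts, can both be spotted from an ordinary firewall connection log. The script below is an added example written for this archive page, not code from either poster; the log line format, the sample entries and the sweep threshold of eight distinct ping targets per minute are assumptions.

```python
from collections import defaultdict

C2_HOST, C2_PORT = "210.183.110.86", 64444  # controller and port named in the thread
SWEEP_THRESHOLD = 8  # assumed: distinct ICMP echo targets per minute that count as a sweep

# Constructed sample firewall export (not from the thread). Assumed line format:
# "<YYYY-MM-DDTHH:MM:SS> <proto> <src_ip> <dst_ip>[:<dst_port>]"
SAMPLE_LOG = "\n".join(
    ["2004-09-13T09:00:01 tcp 10.1.2.3 210.183.110.86:64444"]
    # infected host pinging ten neighbours within the same minute
    + ["2004-09-13T09:00:%02d icmp 10.1.2.3 10.1.5.%d" % (2 + i, i + 1) for i in range(10)]
    + ["2004-09-13T09:00:15 tcp 10.1.2.4 192.0.2.10:80",  # ordinary web traffic
       "2004-09-13T09:00:16 icmp 10.1.2.4 10.1.5.1"]      # a single ping is not a sweep
)


def parse_line(line):
    """Split one log line into (timestamp, proto, src, dst, port-or-None)."""
    ts, proto, src, dst = line.split()
    port = None
    if ":" in dst:
        dst, port_text = dst.rsplit(":", 1)
        port = int(port_text)
    return ts, proto.lower(), src, dst, port


def analyse(log_text):
    """Return {src_ip: [finding, ...]} for hosts showing either symptom."""
    c2_hosts = set()
    icmp_targets = defaultdict(set)  # (src, minute) -> distinct ping destinations
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, port = parse_line(line)
        if proto == "tcp" and dst == C2_HOST and port == C2_PORT:
            c2_hosts.add(src)
        elif proto == "icmp":
            icmp_targets[(src, ts[:16])].add(dst)  # ts[:16] truncates to the minute
    sweepers = {src for (src, _), dsts in icmp_targets.items()
                if len(dsts) >= SWEEP_THRESHOLD}
    findings = defaultdict(list)
    for host in sorted(c2_hosts):
        findings[host].append("tcp to botnet controller %s:%d" % (C2_HOST, C2_PORT))
    for host in sorted(sweepers):
        findings[host].append("icmp echo sweep, %d+ targets in one minute" % SWEEP_THRESHOLD)
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

A host that matches on either test is a candidate for the wipe-and-reinstall the original poster describes; a controller address alone is a point-in-time indicator, so the sweep test is the one that keeps working after the controller moves.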
Current thread:
- Ph0t0Sh0p.exe Andrew Watson (Sep 13)
- <Possible follow-ups>
- Re: Ph0t0Sh0p.exe Gaby (Sep 14)
- Re: Ph0t0Sh0p.exe Lucas, Bryan (Sep 14)
- Re: Ph0t0Sh0p.exe Andrew Watson (Sep 15)