Re: Compromised Windows Server

["Jamie Riden" <jamesr () europe com>]

On 06/06/06, Patrick Beam <patrick.beam () gmail com> wrote:
> Came in this morning to find a windows 2003 server I manage scanning the
> Internet for machines listening on tcp 139 and 445.  While looking at the
> machine I noticed the following processes running.
>
> Mwvsta.exe found in c:\windows\system32
> rundll16.exe c:\windows\system23
> Ponoas.exe  c:\windows\system32
>
> I believe that the ponoas.exe is some sort of rootkit although searching on
> google for this file name returns nothing.  Also searching
> mwvsta.exereturns nothing.  At this point I have removed these files
> from the system and registry but am weary that the server will get hit again.

To be sure, you need to re-install from known-good media.

> Has anyone had an experience with the following file or have any idea what rookkit of
> virus they are associated with?

Some viruses use random filenames. If you've deleted them then there's
no way to tell for sure what they were - if you do have them, send the
files to http://www.virustotal.com/ for a diagnosis - though I would
still re-install the box.

cheers,
Jamie
--
Jamie Riden / jamesr () europe com / jamie.riden () computer org
NZ Honeynet project - http://www.nz-honeynet.org/

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29. August 3 in Las Vegas. 
World renowned security experts reveal tomorrow.s threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of your 
security environment. Featuring 36 hands-on training courses and 10 conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations. 

http://www.blackhat.com
------------------------------------------------------------------------------