Security Basics mailing list archives
RE: Hacked (...still cleaning)
From: Nuno Costa <webcenter () sapo pt>
Date: Wed, 20 Apr 2005 09:31:04 +0100
alô Mauricio.. i don't know what services are you running in that box... but, this box is running with admin ??? if yes, just a advice, run it with a non-admin user, and disable cmd.exe, disable all programs, that the user don't need to use... denie permissions to write in \system32, \winnt \windows... and all folders in the system, that the user don't need to write... you can be able to set the files that you want the user run on the system... regards Nuno Costa Mauricio Fernandez : One thing I am trying to do is to hide the cmd.exe file to avoid the possibility of running some programs. I searched the file on the hole system and deleted from system32 and I386 folders, copied into a folder no included on the system path with a different name. But if I invoke cmd.exe, it appears again on system32 Does anyone knows how to remove it? Mauricio Fernández S. IT Manager Tel. 591- 445-25160 Fax. 591- 441-15056 mfernandez () fdta-valles org www.fdta-valles.org Cochabamba - Bolivia -----Original Message----- From: Louie [mailto:tech.louie () verizon net] Sent: Sunday, April 17, 2005 1:38 PM To: 'Paul Marsh'; security-basics () securityfocus com Subject: RE: Hacked Other thing also do you have a router or some kind of switch? If you have a router you should be albe to see from your logs which ip address is hitting those port he is trying to connect. -----Original Message----- From: Paul Marsh [mailto:pmarsh () nmefdn org] Sent: Friday, April 15, 2005 8:02 AM To: security-basics () securityfocus com Subject: RE: Hacked Once the system is clean, if you can ever get it to that point without flatting it. Makes sure you monitor outbound connection, don't want this thing to call home to mommy and put you right back at square one again. -----Original Message----- From: Etapien [mailto:etapien () gmail com] Sent: Friday, April 15, 2005 10:16 AM To: mfernandez () fdta-valles org Cc: security-basics () securityfocus com Subject: Re: Hacked Well, he actually installed a remote administration tool (radmin) to have control over the system whenever he wants. check those 2 batch files, he used that for installing it as a service probably, open it with a text editor (notepad) and check what the commands are, then you will see what to stop. it's probably some service he installed to make sure it keeps on running, if you can do this with the machine offline if would be the best because when it's connected to the internet those processes are eating up all of the cpu usage and bandwidth. after you have found and deleted whatever process that shouldn't be there then I would suggest you install some firewall to avoid open ports from being accessed by anyone who scans your ip and tries to break in. On 4/14/05, Mauricio Fernandez wrote:
This morning I found a wwwhack window opened on one of my w2k
servers,
antivirus agent was deleted (TrendMicro) and when I reinstall it
back,
it found about 4500 viruses named PE_PARITE.B Now the virus is still regenerating itself creating files on winnttemp folder, I saw the task list and stopped all the
suspicious
process, but the virus still goes on... The virus/hacker created a folder named RADMIN, where he copied
these
files: r_server.exe admdll.dll hide.reg raddrv.dll pro.bat start.bat Does anyone knows how to remove this virus and avoid this hack vulnerability? Mauricio Fernández S. IT Manager Tel. 591- 445-25160 Fax. 591- 441-15056 mfernandez () fdta-valles org www.fdta-valles.org Cochabamba - Bolivia
-- __________ Etapien ------------------------------------------------------------------------ --- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ --- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ------------------------------------------------------------------------ ---- SMS GRÁTIS do seu PC para qualquer rede nacional (TMN, Vodafone, Optimus e PTC). Basta instalar o SAPO Messenger e adicionar amigos! Vá agora a : http://messenger.sapo.pt/sms/
Current thread:
- RE: Hacked, (continued)
- RE: Hacked Mauricio Fernandez (Apr 14)
- RE: Hacked Mauricio Fernandez (Apr 14)
- RE: Hacked Mauricio Fernandez (Apr 14)
- Re: Hacked Donald Voss (Apr 14)
- RE: Hacked Paul Marsh (Apr 15)
- RE: Hacked Louie (Apr 18)
- RE: Hacked (...still cleaning) Mauricio Fernandez (Apr 19)
- Re: Hacked (...still cleaning) Thierry Zoller (Apr 20)
- Re: Hacked (...still cleaning) Matan Peled (Apr 20)
- Re: Hacked (...still cleaning) Dave Aronson (Apr 20)
- RE: Hacked (...still cleaning) Nuno Costa (Apr 20)
- Re: Hacked (...still cleaning) Ansgar -59cobalt- Wiechers (Apr 20)
- RE: Hacked Louie (Apr 18)