Security Basics mailing list archives
RE: Hacked (...still cleaning)
From: "Kirk Brady" <Kirk.Brady () TeachersHealth com au>
Date: Fri, 22 Apr 2005 10:21:10 +1000
deleted meaning it wont re-appear by windows file protection restoring it of course if you WANT to recover it manually, then of course this doesnt cut it -----Original Message----- From: Jonathan Loh [mailto:kj6loh () yahoo com] Sent: Thursday, 21 April 2005 6:59 PM To: Kirk Brady; security-basics () securityfocus com Subject: RE: Hacked (...still cleaning) Really? Last time I checked only the first couple bytes of the name were overwritten. Very easy to retrieve. Windows may even have a file recovery tool. If you want good protection you really need to wipe (some call it secure erase) the file. If you want to recover from this it can be expensive and iffy at best. This document is a bit dated but it still applies. <a href="http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/">Article</a> --- Kirk Brady <Kirk.Brady () TeachersHealth com au> wrote:
if this is windows 2000 or windows xp, turn off windows file protection, and then once the file is deleted, it should STAY deleted -----Original Message----- From: Mauricio Fernandez [mailto:mfernandez () fdta-valles org] Sent: Tuesday, 19 April 2005 6:34 AM To: security-basics () securityfocus com Subject: RE: Hacked (...still cleaning) One thing I am trying to do is to hide the cmd.exe file to avoid the possibility of running some programs. I searched the file on the hole system and deleted from \system32\ and \I386\ folders, copied into a folder no included on the system path with a different name. But if I invoke cmd.exe, it appears again on \system32\ Does anyone knows how to remove it? Mauricio Fernández S. IT Manager Tel. 591- 445-25160 Fax. 591- 441-15056 mfernandez () fdta-valles org www.fdta-valles.org Cochabamba - Bolivia -----Original Message----- From: Louie [mailto:tech.louie () verizon net] Sent: Sunday, April 17, 2005 1:38 PM To: 'Paul Marsh'; security-basics () securityfocus com Subject: RE: Hacked Other thing also do you have a router or some kind of switch? If you have a router you should be albe to see from your logs which ip address is hitting those port he is trying to connect. -----Original Message----- From: Paul Marsh [mailto:pmarsh () nmefdn org] Sent: Friday, April 15, 2005 8:02 AM To: security-basics () securityfocus com Subject: RE: Hacked Once the system is clean, if you can ever get it to that point without flatting it. Makes sure you monitor outbound connection, don't want this thing to call home to mommy and put you right back at square one again. -----Original Message----- From: Etapien [mailto:etapien () gmail com] Sent: Friday, April 15, 2005 10:16 AM To: mfernandez () fdta-valles org Cc: security-basics () securityfocus com Subject: Re: Hacked Well, he actually installed a remote administration tool (radmin) to have control over the system whenever he wants. check those 2 batch files, he used that for installing it as a service probably, open it with a text editor (notepad) and check what the commands are, then you will see what to stop. it's probably some service he installed to make sure it keeps on running, if you can do this with the machine offline if would be the best because when it's connected to the internet those processes are eating up all of the cpu usage and bandwidth. after you have found and deleted whatever process that shouldn't be there then I would suggest you install some firewall to avoid open ports from being accessed by anyone who scans your ip and tries to break in. On 4/14/05, Mauricio Fernandez <mfernandez () fdta-valles org> wrote:This morning I found a wwwhack window opened on one of my w2k servers, antivirus agent was deleted (TrendMicro) and when I reinstall it back,it found about 4500 viruses named PE_PARITE.B Now the virus is still regenerating itself creating files on winnt\temp folder, I saw the task list and stopped all the suspicious process, but the virus still goes on... The virus/hacker created a folder named RADMIN, where he copied these files: r_server.exe admdll.dll hide.reg raddrv.dll pro.bat start.bat Does anyone knows how to remove this virus and avoid this hack vulnerability? Mauricio Fernández S. IT Manager Tel. 591- 445-25160 Fax. 591- 441-15056 mfernandez () fdta-valles org www.fdta-valles.org Cochabamba - Bolivia-- __________ Etapien ------------------------------------------------------------------------ --- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ --- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ------------------------------------------------------------------------ ----
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Current thread:
- RE: Hacked (...still cleaning) Horn Michael (Apr 20)
- <Possible follow-ups>
- RE: Hacked (...still cleaning) Beauford, Jason (Apr 20)
- RE: Hacked (...still cleaning) Serge Jorgensen (Apr 20)
- RE: Hacked (...still cleaning) Kirk Brady (Apr 20)
- RE: Hacked (...still cleaning) Jonathan Loh (Apr 21)
- RE: Hacked (...still cleaning) Kirk Brady (Apr 22)
- Password Audits Jair (Apr 25)
- Re: Password Audits Jeff Ferris (Apr 26)
- Re: Password Audits Mani.682001 () gmail com (Apr 26)
- Re: Password Audits Adam Jones (Apr 26)
- RE: Password Audits . (Apr 26)
- RE: Password Audits Donald N Kenepp (Apr 27)
- Password Audits Jair (Apr 25)
- Re: Password Audits tmanster (Apr 26)