Security Incidents mailing list archives

Re: Compromised Windows Server

From: df () odette es
Date: 8 Jun 2006 18:48:08 -0000

Hi all,

I have had the same problem with the :

Mwvsta.exe found in c:\windows\system32

and

Ponoas.exe c:\windows\system32

although

rundll16.exe c:\windows\system23 was not present in my PC, obviously rundll32.exe is there anyway (it may serve the
same purpose, probably).

I observed the Mwvsta.exe running through my "task manager" and it was constantly acting, even after a new reboot it
was launched again. I spotted the file name in the registry in :

HKCU/Software/Microsoft/Windows/CurrentVersion/Run

Which is obviously launched at boot time.

I succeded to kill it by blocking the access of Mwvsta.exe with a firewall tool (in fact: McAffee) and then deleting
the registry key and rebooting afterwards.

After I erased that key from the registry the previous constant outgoing FTP flow, through port 139 (as you mentioned),
to lots of different IPs was finished (in my opinion it may be a "spamming" program or something similar). Before that,
I also received a constant flow of information and that is all I observed before starting my attack against it.

As additional information I attach this proof of evidence which I have obtained after deleting that Mwvsta.exe.

It seems it is still trying to continue with its activitu althoug it cannot enter now.

Firewall Log Table (copied form my Linksys router)... just a small part of it, it was going mad constantly...

NO. Time Packet Information Reason Action
001 Jun 0806 21:01:23 From:205.177.79.126:1901 To: my IP TCP default permit <2,00> block
003 Jun 0806 21:01:26 From:205.177.79.126:1901 To: my IP TCP default permit <2,00> block
005 Jun 0806 21:01:28 From:81.177.37.67:51502 To: my IP TCP default permit <2,00> block
007 Jun 0806 21:01:32 From:205.177.79.126:1901 To: my IP TCP default permit <2,00> block
008 Jun 0806 21:01:37 From:81.177.37.68:49969 To: my IP TCP default permit <2,00> block
009 Jun 0806 21:01:41 From:67.159.22.107:4878 To: my IP TCP default permit <2,00> block
010 Jun 0806 21:01:46 From:81.177.37.68:49969 To: my IP TCP default permit <2,00> block
011 Jun 0806 21:01:48 From:81.177.37.67:53683 To: my IP TCP default permit <2,00> block
012 Jun 0806 21:01:50 From:67.159.22.107:4878 To: my IP TCP default permit <2,00> block
013 Jun 0806 21:01:51 From:81.177.37.67:53683 To: my IP TCP default permit <2,00> block
014 Jun 0806 21:01:51 From:66.185.126.84:4115 To: my IP TCP default permit <2,00> block

...end of my story...

...hope it helps finding that PHANTOM ATTACK.

If I get it again I will be more cautious and study it carefully before deleting it.

Kind regards to all for your hints.

David

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29. August 3 in Las Vegas.
World renowned security experts reveal tomorrow.s threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------

Current thread:

Re: Compromised Windows Server, (continued)
- Re: Compromised Windows Server Axel Pettinger (Jun 06)
- Re: Compromised Windows Server Harlan Carvey (Jun 06)
- Re: Compromised Windows Server Patrick Beam (Jun 06)
  - Re: Compromised Windows Server Kees Leune (Jun 07)
- Re: Compromised Windows Server Isaac Perez (Jun 06)
- Re: Compromised Windows Server Macleonard Starkey (Jun 06)
- Re: Re: Compromised Windows Server wnorth (Jun 05)
- Re: Compromised Windows Server Butterworth, Jim (Jun 06)
- Re: Compromised Windows Server ross (Jun 06)
- RE: Compromised Windows Server Alan Davies (Jun 08)
- Re: Compromised Windows Server df (Jun 08)