Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Hacked (...still cleaning)

from [Kirk Brady] Network Security [Permanent Link]
Subject: RE: Hacked (...still cleaning)
Date: Wed, 20 Apr 2005 08:55:18 +1000 
if this is windows 2000 or windows xp, turn off windows file protection, and 
then once the file is deleted, it should STAY deleted

-----Original Message-----
From: Mauricio Fernandez [mailto:mfernandez@fdta-valles.org]
Sent: Tuesday, 19 April 2005 6:34 AM
To: security-basics@securityfocus.com
Subject: RE: Hacked (...still cleaning)


One thing I am trying to do is to hide the cmd.exe file to avoid the
possibility of running some programs. I searched the file on the hole
system and deleted from \system32\ and \I386\ folders, copied into a
folder no included on the system path with a different name. But if I
invoke cmd.exe, it appears again on \system32\

Does anyone knows how to remove it?


Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez@fdta-valles.org
www.fdta-valles.org
Cochabamba - Bolivia

-----Original Message-----
From: Louie [mailto:tech.louie@verizon.net] 
Sent: Sunday, April 17, 2005 1:38 PM
To: 'Paul Marsh'; security-basics@securityfocus.com
Subject: RE: Hacked

Other thing also do you have a router or some kind of switch? If you
have a router you should be albe to see from your logs which ip address
is hitting those port he is trying to connect.

-----Original Message-----
From: Paul Marsh [mailto:pmarsh@nmefdn.org] 
Sent: Friday, April 15, 2005 8:02 AM
To: security-basics@securityfocus.com
Subject: RE: Hacked


Once the system is clean, if you can ever get it to that point without
flatting it.  Makes sure you monitor outbound connection, don't want
this thing to call home to mommy and put you right back at square one
again. 

-----Original Message-----
From: Etapien [mailto:etapien@gmail.com] 
Sent: Friday, April 15, 2005 10:16 AM
To: mfernandez@fdta-valles.org
Cc: security-basics@securityfocus.com
Subject: Re: Hacked

Well,  he actually installed a remote administration tool (radmin) to
have control over the system whenever he wants. check those 2 batch
files, he used that for installing it as a service probably, open it
with a text editor (notepad) and check what the commands are, then you
will see what to stop. it's probably some service he installed to make
sure it keeps on running, if you can do this with the machine offline if
would be the best because when it's connected to the internet those
processes are eating up all of the cpu usage and bandwidth. after you
have found and deleted whatever process that shouldn't be there then I
would suggest you install some firewall to avoid open ports from being
accessed by anyone who scans your ip and tries to break in.


On 4/14/05, Mauricio Fernandez <mfernandez@fdta-valles.org> wrote:

This morning I found a wwwhack window opened on one of my w2k servers,
antivirus agent was deleted (TrendMicro) and when I reinstall it back,



it found about 4500 viruses named PE_PARITE.B

Now the virus is still regenerating itself creating files on
winnt\temp folder, I saw the task list and stopped all the suspicious 
process, but the virus still goes on...

The virus/hacker created a folder named RADMIN, where he copied these
files:
r_server.exe
admdll.dll
hide.reg
raddrv.dll
pro.bat
start.bat

Does anyone knows how to remove this virus and avoid this hack
vulnerability?

Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez@fdta-valles.org
www.fdta-valles.org
Cochabamba - Bolivia






--

__________
Etapien

------------------------------------------------------------------------
---

Earn your MS in Information Security ONLINE Organizations worldwide are
in need of highly qualified information security professionals.  Norwich
University is fulfilling this demand with its MS in Information Security
offered online.  Recognized by the NSA as an academically excellent
program, NU offers you the opportunity to earn your degree without
disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
------------------------------------------------------------------------
----


------------------------------------------------------------------------
---
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information
security 
professionals.  Norwich University is fulfilling this demand with its MS
in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn
your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
------------------------------------------------------------------------
----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Steps to avoid Social Engineering, P. Rodriguez
Next by Date:  RE: Steps to avoid Social Engineering, Yashodhan Deshpande
Previous by Thread:  RE: Hacked (...still cleaning), Beauford, Jason
Next by Thread:  RE: Hacked (...still cleaning), Jonathan Loh
Indexes:  [Date] [Thread] [Top] [All Lists]