-
been hacked
As I was reviewing the AntiVirus logs on the server this a.m. I found some interesting stuff happened over the weekend.
remadm-remoteadmin -- raddrv.dll
remadm-remoteadmin -- admdll.dll
remadm-remoteadmin -- nvsvc.exe
Does anyone know what those belong to? We found a couple of DameWare services and such enabled as well.
They pretty much turned off every service, and then turned it back on before they left.
Nice of them since they crashed exchange while they were doing whatever.
I got the guy's IP and hostname and it appears it's someone from Paris, France who had a static IP. Is there anything I can do besides contact the ISP, who probably doesn't give a damn?
-
http://www.mac-net.com/568489.page
Not sure 'the guy' did this to you actively. It's a worm, and this Paris, France node that attacked yours could simply have been the last poor chap to get horked by this thing.
Symantec has a bit to say as well:
http://securityresponse.symantec.com....remadmin.html
I'm sure there are many, many more references as well.
"Google...not just for geeks anymore!"
(AO note: horked is indeed a technical term. "My server is horked!" "That jerk who opened the floor panels horked my wiring!" "I was up all night working on this intrusion, too much pizza and mountain dew, and I horked all over my keyboard.")
-
I think you left "door" 445 wide open :eek:
Here is some stuff on it:
http://www.mac-net.com/568489.page
W32/Deloder
The files are actually pinched from genuine remote admin software.
As for what you can do... you had better find the dialer.exe program that it dropped... could be any name, so search on date?
I think you should inform the ISP, if only so they can investigate. I am 99% certain that their customer's box is "owned", so they are a victim as well.
Good luck!
EDIT: Damn this poxy PII/266... Zencoder beat me to it :D
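The "search on date" suggestion above can be scripted. The following is an added example, not code from anyone in this thread: it walks a directory tree, keeps files modified inside a time window (the weekend of the incident), and separates the file names the AV report in this thread names (raddrv.dll, admdll.dll, nvsvc.exe) from everything else that changed in the same window, which is where a renamed dropper such as the dialer.exe mentioned above would show up. The sample tree, its file names and timestamps are constructed for the demo; on a real box you would point `triage()` at the system drive.

```python
import os
import tempfile
import time
from datetime import datetime, timedelta

# File names the AV log in this thread flagged as remadm-remoteadmin components.
SUSPECT_NAMES = {"raddrv.dll", "admdll.dll", "nvsvc.exe"}


def recent_files(root, since, until=None):
    """Walk `root` and return (path, mtime) for files modified in [since, until]."""
    until = until or datetime.now()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.path.getmtime(path))
            except OSError:
                continue  # file vanished or is unreadable; skip rather than abort the sweep
            if since <= mtime <= until:
                hits.append((path, mtime))
    return sorted(hits, key=lambda hit: hit[1])


def triage(root, since, until=None):
    """Split files changed in the window into known suspect names and 'other' for review."""
    known, other = [], []
    for path, _mtime in recent_files(root, since, until):
        bucket = known if os.path.basename(path).lower() in SUSPECT_NAMES else other
        bucket.append(path)
    return known, other


def build_sample_tree():
    """Constructed sample: a fake system drive with old, recent and suspect files."""
    root = tempfile.mkdtemp(prefix="triage_")
    now = time.time()
    day = 86400
    samples = {
        "system32/kernel32.dll": now - 90 * day,  # old, legitimate
        "system32/admdll.dll": now - 2 * day,     # dropped over the weekend
        "system32/raddrv.dll": now - 2 * day,
        "system32/nvsvc.exe": now - 2 * day,
        "temp/dialer.exe": now - 2 * day,         # unknown name, same timeframe
        "inetpub/index.htm": now - 30 * day,
    }
    for rel, mtime in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        os.utime(path, (mtime, mtime))  # back-date the file to the chosen mtime
    return root


def demo():
    """Run the triage over the constructed tree; returns basenames for easy checking."""
    root = build_sample_tree()
    known, other = triage(root, since=datetime.now() - timedelta(days=3))
    return (sorted(os.path.basename(p) for p in known),
            sorted(os.path.basename(p) for p in other))


if __name__ == "__main__":
    known, other = demo()
    print("known dropper components:", known)
    print("other files changed in the window (review these):", other)
```

The "other" list is the interesting one: anything written in the intruder's window that is not a known component deserves a look before you decide whether the box can be trusted.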
-
Check out this link
http://www.sophos.com/virusinfo/analyses/trojsecta.html
If you have DameWare services installed on your network, and you didn't install them, you could potentially have a serious security breach.
-
Don't think this was all a worm, as they were on the box for about 30 minutes. Lots of services terminated unexpectedly and then turned back on when the guy left. They also signed in as the local admin.
I'm going to run a Retina scan tonight to see the security hole he used to get the local admin pass.
-
Quote:
Originally posted here by jbclarkman
Don't think this was all a worm, as they were on the box for about 30 minutes. Lots of services terminated unexpectedly and then turned back on when the guy left. They also signed in as the local admin.
I'm going to run a Retina scan tonight to see the security hole he used to get the local admin pass.
Good point, you're right, it sounds like you had an intruder. I don't think Deloder stops/starts services like that. Smells like a skiddie to me. Or someone so disdainful as to feel it unnecessary to really cover his tracks. Maybe because he found port 445 wide open? Is that port necessary for your tasks to be performed? Cuz as nihil replied to my initial reply, it is a door, and it is wide open.
I would notify your ISP first, and then the French ISP (depending on what YOUR ISP says.) You're right, they'll probably tell you to pound sand (if they don't surrender to you first... j/k. I love the French. Especially the way they bring you baguette and wine while you drive tanks down the Champs-Élysées. j/k j/k, sorry, I'm in a real mood today)
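The observation that carries this thread from "worm" to "intruder" is the mass stop/restart of services inside a 30-minute window, and that pattern is visible in the Windows System event log, where the Service Control Manager logs event 7036 ("The X service entered the stopped/running state") for every transition. Below is an added example, not code from anyone in this thread, that parses a text export of those events, clusters the "stopped" events into bursts, and for each burst reports which services were stopped, which were restarted, and which started without ever having been stopped (a newly enabled service such as a remote-admin tool). The export format (timestamp, source, event id, message) and the log lines themselves are constructed for the demo; a real export from Event Viewer will need the regex adjusted to its column layout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export of System log, source "Service Control Manager", event 7036.
# A routine spooler restart in the morning, then a burst of stops late Saturday night.
SAMPLE_LOG = """\
2003-03-15 08:00:12  Service Control Manager  7036  The Print Spooler service entered the stopped state.
2003-03-15 08:00:14  Service Control Manager  7036  The Print Spooler service entered the running state.
2003-03-15 23:02:41  Service Control Manager  7036  The Microsoft Exchange Information Store service entered the stopped state.
2003-03-15 23:02:58  Service Control Manager  7036  The Microsoft Exchange MTA Stacks service entered the stopped state.
2003-03-15 23:03:10  Service Control Manager  7036  The World Wide Web Publishing service entered the stopped state.
2003-03-15 23:03:20  Service Control Manager  7036  The Norton AntiVirus Client service entered the stopped state.
2003-03-15 23:05:02  Service Control Manager  7036  The DameWare Mini Remote Control service entered the running state.
2003-03-15 23:29:44  Service Control Manager  7036  The Norton AntiVirus Client service entered the running state.
2003-03-15 23:30:01  Service Control Manager  7036  The World Wide Web Publishing service entered the running state.
2003-03-15 23:30:15  Service Control Manager  7036  The Microsoft Exchange MTA Stacks service entered the running state.
2003-03-15 23:31:02  Service Control Manager  7036  The Microsoft Exchange Information Store service entered the running state.
"""

# Assumed export layout: "<date> <time>  Service Control Manager  7036  <message>".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"Service Control Manager\s+7036\s+"
    r"The (?P<svc>.+?) service entered the (?P<state>running|stopped) state\.$"
)


def parse_scm_events(text):
    """Return a time-sorted list of (timestamp, service, state) from 7036 lines."""
    events = []
    for line in text.splitlines():
        match = EVENT_RE.match(line.strip())
        if match:
            ts = datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, match["svc"], match["state"]))
    return sorted(events)


def stop_bursts(events, max_gap=timedelta(minutes=5)):
    """Group 'stopped' events into bursts where each stop follows the previous within max_gap."""
    bursts, current = [], []
    for ts, svc, state in events:
        if state != "stopped":
            continue
        if current and ts - current[-1][0] > max_gap:
            bursts.append(current)
            current = []
        current.append((ts, svc))
    if current:
        bursts.append(current)
    return bursts


def summarize_window(events, start, end):
    """Within [start, end]: services stopped, restarted, left down, and started with no prior stop."""
    stopped, restarted, new_starts = {}, {}, set()
    for ts, svc, state in events:
        if not (start <= ts <= end):
            continue
        if state == "stopped":
            stopped.setdefault(svc, ts)
        elif svc in stopped:
            restarted[svc] = ts
        else:
            new_starts.add(svc)  # came up without being stopped first: newly enabled
    return {
        "stopped": sorted(stopped),
        "restarted": sorted(restarted),
        "stopped_not_restarted": sorted(set(stopped) - set(restarted)),
        "new_starts": sorted(new_starts),
    }


def analyze(text, min_burst=3, lookahead=timedelta(minutes=60)):
    """Report every burst of at least min_burst stops, looking ahead for restarts and new services."""
    events = parse_scm_events(text)
    reports = []
    for burst in stop_bursts(events):
        if len(burst) < min_burst:
            continue  # a single service bouncing is normal; a wave of stops is not
        start = burst[0][0]
        report = summarize_window(events, start, start + lookahead)
        report["start"] = start
        reports.append(report)
    return reports


if __name__ == "__main__":
    for report in analyze(SAMPLE_LOG):
        print(f"burst at {report['start']}: stopped {report['stopped']}")
        print(f"  restarted: {report['restarted']}, still down: {report['stopped_not_restarted']}")
        print(f"  started with no prior stop: {report['new_starts']}")
```

The `new_starts` bucket is what answers the question in the first post: a remote-admin service that appears in the middle of a stop wave and is never itself stopped was enabled by whoever was on the box, not by a reboot.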
-
Deloder allows a remote attacker to see the radmin and connect to it. If you do indeed have port 445 open and swinging in the breeze, what you probably saw was an attacker's activity post-Deloder _or_, since 445 was open, he did it manually.... Either way there is a simple question that needs asking....
What on earth do you have port 445 available to anyone on the public network for????
The next issue is obvious and painful.... First, Zen... Forget the ISPs.... Waste of time whining at Wanadoo (I sometimes think they should be called Wannabee). Now, jb... You know the routine, don't you? Since you can identify a 30-minute period he was on the box, you can no longer trust the box.... Back up all non-threatening data (HTTP pages - not scripts and anything else that does not contain instructions), and format and reinstall from trusted media. Before you bring the box back online, close all ports on the firewall inbound, then open _only_ those that are necessary to provide the services you need.
As to the French... They have proved themselves time and time again to be as bad citizens of the Internet as they are the planet...... :rolleyes:
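The "close everything inbound, then open only what you need" step above can be checked from the box itself before it goes back online. The following is an added example, not code from anyone in this thread: it parses the output of Windows `netstat -an`, keeps sockets bound to all interfaces (0.0.0.0) that are listening (TCP) or bound (UDP), and reports every port that is not in the allowlist of services the server is supposed to offer. The `netstat` text is a constructed sample; the allowlist (SMTP and HTTP for a mail/web server) and the port annotations are assumptions for the demo, with 445 being the "door" discussed above and 6129/4899 the default listening ports of the DameWare Mini Remote Control and Radmin tools named in this thread.

```python
import ipaddress

# Constructed sample of `netstat -an` on the compromised server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:3312      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Services this server is meant to expose (assumption for the demo: a mail/web box).
ALLOW = {("TCP", 25), ("TCP", 80)}

# Annotations for ports a reviewer would recognise on sight (assumed defaults).
PORT_NOTES = {
    445: "SMB direct hosting, the 'door' discussed in this thread",
    139: "NetBIOS session (SMB over NetBIOS)",
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    6129: "DameWare Mini Remote Control default port",
    4899: "Radmin default port",
}


def parse_listeners(netstat_text):
    """Return a set of (proto, address, port) for listening TCP and bound UDP sockets."""
    listeners = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or something we do not understand
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # established/time-wait connections are not exposure
        addr, port = local.rsplit(":", 1)  # rsplit so a bracketed IPv6 address survives
        listeners.add((proto, addr.strip("[]"), int(port)))
    return listeners


def exposed_ports(netstat_text, allow):
    """Ports bound to every interface that are not on the allowlist, with a note where known."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or not ip.is_unspecified:
            continue  # loopback-only or single-interface binds are not reachable from outside
        if (proto, port) in allow:
            continue
        findings.append((proto, port, PORT_NOTES.get(port, "unknown, identify the owning process")))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, note in exposed_ports(SAMPLE_NETSTAT, ALLOW):
        print(f"{proto}/{port:<5} not in allowlist: {note}")
```

Anything this prints is a candidate for the inbound deny rule on the firewall, or for being disabled on the host altogether; a port you cannot attribute to a process you installed belongs in the same bucket as the DameWare services from the first post.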
-
I'm not sure what your ISP is or the hacker's ISP is, since static IP addresses don't mean ****... the only thing you can do is install a firewall, which only does a little protection that I've found, or you can reset your IP address to a new one to stop the hack attempts, unless you're on dial-up, then your IP changes every time you sign online, but if not then you seriously need to change your IP address and change it often if you're on a LAN connection... I don't think backing up your files will help since the hacker already knows your system, what's on it, your security flaws, open backdoors, and much more... if you want you can always start a brand new installation of Windows or whatever you use to work on a computer and online... the only true thing that can help is to find yourself some programs called IP spoofers... they work the best and can hide your IP address like nothing else can... if you ever come across a program called an IP redirector, download it right away and use it every time you're online... I've been using it for over 2 years now and haven't had any problems with hackers or destructive hackers ever since I found the program and have been using it since...