been hacked
Results 1 to 8 of 8

Thread: been hacked

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    172

    Exclamation been hacked

    As I was reviewing the AnitVirus logs on the server this am I found some interesting stuff happened over the weekend.


    remadm-remoteadmin -- raddrv.dll
    remadm-remoteadmin -- admdll.dll
    remadm-remoteadmin -- nvsvc.exe

    does anyone know what those belong too. We found a couple of dameware services and such enabled as well.

    They pretty much turned off every service, and than turned it back on before they left.
    Nice of them since they crashed exchange while they were doing whatever.

    I got the guys IP and hostname and it appears its someone from paris france who had a static IP. Is there anything I can do beside contact the ISP who propabaly doesn't give a dam?????

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    http://www.mac-net.com/568489.page

    Not sure 'the guy' did this to you actively. It's a worm, and this Paris, France node that attacked yours could simply have been the last poor chap to get horked by this thing.

    Symantec has a bit to say as well:
    http://securityresponse.symantec.com....remadmin.html

    I'm sure there are many, many more references as well.

    "Google...not just for geeks anymore!"

    (AO note: horked is indeed a technical term. "My server is horked!" "That jerk who opened the floor panels horked my wiring!" "I was up all night working on this intrusion, too much pizza and mountain dew, and I horked all over my keyboard.")
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I think you left "door" 445 wide open

    Here is some stuff on it:

    http://www.mac-net.com/568489.page



    W32/Deloder

    The files are actually pinched from genuine remote admin software.

    As for what you can do...............you had better find the dialer.exe program that it dropped...............could be any name so search on date?

    I think you should inform the ISP if only so they can investigate. I am 99% certain that their customers box is "owned" so they are a victim as well.

    Good luck!

    EDIT: Damn this poxy PII/266................Zencoder beat me to it

  4. #4
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,252
    Check out this link

    http://www.sophos.com/virusinfo/analyses/trojsecta.html

    If you have DameWare services installed on you Network, and you didn't install them - you could potentially have a serious security breach.

  5. #5
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    on't think this was all a worm as they were on the box for about 30 minutes. Lots of services terminated unexpectedly and than turned back on when the guy left, They also signed in as the local admin.

    I'm going to run a retina scan tonight to see teh security hole he used to get the local admin pass.

  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by jbclarkman
    on't think this was all a worm as they were on the box for about 30 minutes. Lots of services terminated unexpectedly and than turned back on when the guy left, They also signed in as the local admin.

    I'm going to run a retina scan tonight to see teh security hole he used to get the local admin pass.

    Good point, you're right, it sounds like you had an intruder. I don't think Deloder stops/starts services like that. Smell's like a skiddie to me. Or someone so disdainful as to feel it unnecessary to really cover his tracks. Maybe because he found port 445 wide open? Is that port necessary for your tasks to be performed? Cuz as nihil replied to my initial reply it is a door, and it is wide open.

    I would notify your ISP first, and then the French ISP (depending on what YOUR isp says.) You're right they'll probably tell you to pound sand (if they don't surrender to you first... j/k. I love the French. Especially the way they bring you baguette and wine while you drive tanks down the Champs d'Elise. j/k j/k, sorry, I'm in a real mood today)
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Dloader allows a remote attacker to see the radmin and connect to it. If you do, indeed have port 445 open and swinging in the breeze what you probably saw was an attackers activity post Deloder _or_ since 445 was open he did it manually.... Either way there is a simple question that needs asking....

    What on earth do you have port 445 available to anyone on the public network for????

    The next issue is obvious and painful.... First, Zen... Forget the ISP's.... Waste of time whining at Wanadoo, (I sometimes think they should be called Wannabee). Now, jb... You know the routine don't you? Since you can identify a 30 minute period he was on the box you can no longer trust the box.... Back up all non-threatening data, (hhtp pages - not scripts and anything else that does not contain instructions), and format and reinstall from trusted media. Before you bring the box back online close all ports on the firewall inbound, then open _only_ those that are necessary to provide the services you need to.

    As to the French... They have proved themselves time and time again to be as bad citizens of the Internet as they are the planet......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Junior Member
    Join Date
    Jan 2005
    Posts
    7
    im not sure what ur isp is or the hackers isp is since static ip addresses dont mean ****... the only thing u can do is install a firewall for which only does lil protection that ive found or u can reset ur ip addy to a new one to stop the hack attempts unless ur on dial up then ur ip changes everytime u sign online but if not then u seriously need to change ur ip addy and change it often if ur on a lan connection... i dont think backing up ur files will help since the hacker already knows ur system, whats on it, ur security flaws, open backdoors, and much more... if u want u can always start a brand new installation of windows or whatever u use to work on a computer and online... the only true thing that can help is find urself some programs called ip spoofers... they work the best and can hind ur ip addy that nothing else can... if u ever come across a program called an ip-redirector, download it right away and use it everytime ur online... ive been using it for over 2 yrs now and havent had any problems with hackers or destructive hackers ever since i found the program and been using since...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •