
Security Basics mailing list archives

Re: Hacked again???
From: Mark Bassett <zosxavius () gmail com>
Date: Mon, 18 Jul 2005 16:22:45 -0400

Mauricio Fernandez wrote:


I am not sure, but I think that I was hacked again.

I have a w2k SP4 fully patched box with KerioFirewall, and this morning I
found three running processes on it:


Definitely looks compromised to me. Winproc isn't even a Windows
executable, and I certainly suspect that I won't find Rpcservice in my
Windows path anywhere.

The best way to figure out what is going on is to first calm down. The
next step is to search the box for those executables and figure out
where they got installed.
I already know that Winproc doesn't exist anywhere on my Windows
installation (also Windows 2000 SP4 here) so if you find it, say, in
$root$\WINNT\System32, it shouldn't be there! Since you are running
Kerio, do you run it in application security mode? It should at least
catch malware trying to install via a corrupted installer. Be careful
with Kerio as if it is in no popup mode it will let an awful lot of
things get by without attracting your attention. The only thing you can
really do at this point is figure out possibly how such files got
installed, and in all likelihood you probably installed them yourself by
accident and were not hacked per se from the outside. Get good AV
software (I prefer Norton 2k3, but I guess that is me), as well as a
copy of Trojan Hunter and see what they come up with. In any case your
box looks nice and compromised and I wouldn't trust it anymore until you
purge the hard drive of the foul beasts with a good formatting or two,
or three or four in your case. ;)

Good luck.

Mark Bassett
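A triage script in the spirit of Mark's advice (search the box for the named executables and check where each running process really lives), added here as an example and not part of the original thread. It assumes a current Windows host with PowerShell 4 or later (Windows 2000 had no PowerShell); the names winproc and rpcservice come from the thread, everything else is generic.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# 1) Hunt the whole system drive for the suspicious names from the thread.
$suspectNames = @('winproc*', 'rpcservice*')   # names taken from the thread
$hits = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File `
            -Include $suspectNames -ErrorAction SilentlyContinue
$hits | Select-Object FullName, Length, CreationTime, LastWriteTime | Format-Table -AutoSize

# 2) For every running process, resolve the image path, hash it, check its
#    Authenticode signature and flag anything outside the OS/program trees.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

$report = Get-Process | ForEach-Object {
    $proc = $_
    $path = $null
    try { $path = $proc.Path } catch { }      # protected system processes deny access
    if (-not $path) {
        return [pscustomobject]@{ Name = $proc.ProcessName; PID = $proc.Id
                                  Path = '<no access>'; Flag = 'NoPath'; SHA256 = '' }
    }
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    $hash = ''; $sig = 'Unknown'
    try { $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash } catch { }
    try { $sig  = (Get-AuthenticodeSignature -FilePath $path).Status } catch { }

    # Flag order: unusual location first, then anything not validly signed.
    $flag = if (-not $inTrusted) { 'OutsideSystemDirs' }
            elseif ($sig -ne 'Valid') { "Signature:$sig" }
            else { '' }
    [pscustomobject]@{ Name = $proc.ProcessName; PID = $proc.Id; Path = $path
                       Flag = $flag; SHA256 = $hash }
}

# Flagged entries float to the top; the SHA256 column is what you look up
# against your AV vendor or a file-reputation service before deciding to rebuild.
$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```

An unsigned binary running from a profile or temp directory is exactly the "shouldn't be there" case Mark describes; a hit in the first search that is absent from the second listing is worth a look too, since it may only be launched at boot or on a schedule.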
