RE: Hacked

["Mauricio Fernandez" <mfernandez () fdta-valles org>]

The box is used only like a VoIP Server and for a Telephone control
software, not a big deal, but anyway I should know how they put it on the
machine...



Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia

-----Original Message-----
From: charles () charlesyoo com [mailto:charles () charlesyoo com] 
Sent: Thursday, April 14, 2005 6:47 AM
To: mfernandez () fdta-valles org
Subject: Re: Hacked


just curious, what "security measures" were implicated on the system? 
sounds pretty serious, might be better to take offline and do an audit
of the whole system/logs.

On 4/14/2005, "Mauricio Fernandez" <mfernandez () fdta-valles org> wrote:

> This morning I found a wwwhack window opened on one of my w2k servers,
> antivirus agent was deleted (TrendMicro) and when I reinstall it back, it
> found about 4500 viruses named PE_PARITE.B
>
> Now the virus is still regenerating itself creating files on winnt\temp
> folder, I saw the task list and stopped all the suspicious process, but
> the virus still goes on...
>
> The virus/hacker created a folder named RADMIN, where he copied these
> files:
> r_server.exe
> admdll.dll
> hide.reg
> raddrv.dll
> pro.bat
> start.bat
>
> Does anyone knows how to remove this virus and avoid this hack
> vulnerability?
>
>
> Mauricio Fernández S.
> IT Manager
> Tel. 591- 445-25160
> Fax. 591- 441-15056
> mfernandez () fdta-valles org
> www.fdta-valles.org
> Cochabamba - Bolivia

Attachment: smime.p7s
Description: