Re: I've been hacked

From: Dave (noone_at_nowhere.com)
Date: 05/26/04


Date: Wed, 26 May 2004 21:16:17 -0000

obviously you haven't recovered adequately or have not secured the original
hole that lets them in. netstats.exe is an obvious attempt to confuse with
the real netstat.exe. as is system.exe which is not a standard windows file
either. most likely there is another one that you haven't found that is
copying both of them from somewhere else, or there is another hole that is
letting someone outside get them into your system. system.exe is a known
virus/trojan filename, not to say that yours is, but it is a name used by
backdoor.ciadoor, w32.chili, backdoor.dani, and quite a few others.
netstats.exe may be a valid tool, but you should know if you installed one
of them i would hope... so likely it is a recent name change for some older
virus or trojan.

i would make sure that your norton is really running, there are some recent
infections that kill the actual virus scan processes, so you may think they
are running but actually aren't. try an on-line scan or boot to safe mode
and try a manual scan and make sure it is really running. you may also want
to try some of the adware and spyware scanners, adaware and spybot s&d are
my favorites... things that virus scanners ignore but these scanners find
can cause just as much trouble as viruses. i just had to clean several ie
tool bar hijackers and spyware programs off one workstation today... though
he had been having slow response and intermittent trouble for days he
finally couldn't do anything in word, and ie was doing strange things... 68
hits in adaware convinced him he had to watch his surfing closer.

"Marcus Smaby" <mrsmaby@@@msn.com> wrote in message
news:uKujEz1QEHA.964@TK2MSFTNGP10.phx.gbl...
> I am having a continuing problem that I can't seem to get a handle on.
> Recently, someone hacked into one of our servers. Now, one or twice a day I
> see either the file system.exe or netstats.exe appearing in the system32
> folder and in the tasks list. At this point the network is brought to its
> knees and it can take me 15 minutes to log into the affected server. I have
> checked for references to these two files and I get a hit on system.exe as a
> Trojan, but the only hits I get on netstats.exe is as a utility. I have
> firewalls. I am at current patch levels on everything. I have Norton
> Corporate AV running on all systems but still this continues. I cannot kill
> these processes as they come back 'access denied'. My only recourse has been
> to rename these files from a CMD prompt, clean out any references from the
> registry and reboot. But within the hour, they are back!
>
> 1. Is there anyway to force a process to die? If I am domain admin, why
> would I be denied access?
>
> 2. Is there any utility that would lock out a given program from starting?
>
> 3. How can I determine where this is coming from?
>
> Thanks in Advance.
>
> Marcus
>
>
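
The following is an added example, not part of either post: a triage script for the situation discussed in this thread, where executables such as netstats.exe and system.exe show up in system32. It compares a directory listing against a baseline of expected file names and separates near-miss names from plain unknowns. The baseline set, the sample listing and all function names are assumptions constructed for illustration.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumed baseline: a few file names found in a stock system32 folder.
# In practice, build this from a known-clean install of the same OS version.
BASELINE: Set[str] = {"netstat.exe", "svchost.exe", "lsass.exe", "services.exe",
                      "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe",
                      "cmd.exe"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def nearest_baseline(name: str, baseline: Set[str],
                     max_dist: int = 2) -> Optional[Tuple[str, int]]:
    """Closest baseline name within max_dist edits, or None."""
    best: Optional[Tuple[str, int]] = None
    for good in sorted(baseline):        # sorted for deterministic ties
        d = edit_distance(name, good)
        if 0 < d <= max_dist and (best is None or d < best[1]):
            best = (good, d)
    return best

def triage(listing: Iterable[str], baseline: Set[str] = BASELINE) -> Dict[str, str]:
    """Map each unexpected .exe to a verdict; baseline files are skipped."""
    findings: Dict[str, str] = {}
    for raw in listing:
        name = raw.strip().lower()       # Windows file names are case-insensitive
        if not name.endswith(".exe") or name in baseline:
            continue
        near = nearest_baseline(name, baseline)
        findings[name] = f"lookalike of {near[0]}" if near else "not in baseline"
    return findings

# Constructed sample listing, using the two file names from the thread.
SAMPLE_LISTING = ["cmd.exe", "NETSTAT.EXE", "netstats.exe", "svchost.exe",
                  "system.exe", "Lsass.exe", "notes.txt"]

if __name__ == "__main__":
    for fname, verdict in triage(SAMPLE_LISTING).items():
        print(f"{fname}: {verdict}")
```

A name match alone proves nothing either way; a file that keeps the exact name of a baseline binary but has different contents passes this check, so pair it with hash or signature comparison against the clean install.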


