Here is the site to get rid of Dameware.
From: Tim Potter [mailto:[log in to unmask]]
Sent: Tuesday, October 12, 2004 2:41 PM
To: Mccormack, Andrew
Subject: Re: [MSUNAG] windows services? hacking
I'm glad someone is asking this of the whole group; we've found pretty much
every one of our Windows servers here w/ Dameware on it in the past month
or so and it's very, very tough to get rid of. I put in a trouble ticket
to the Security team asking for help and have yet to get a response. Pls.
share any solution you get w/ the group if you would.
A buddy of mine who works for AIS said that they've had clients all around
campus getting hit by that Dameware hack. Since it's a legit program I
guess Symantec and other AV software don't view it as a trojan/worm.
At 01:56 PM 10/12/2004, you wrote:
>I have seen over 10 systems in my department that have Netdde32, Netropa
>NHK Server, and Dameware installed as windows services. I have used
>netstat -a -o and it shows a foreign IP address using these services. I
>ran a trace on the address and it was coming from out-of-state. I know
>Dameware is a remote connection program.
>These services seem to install an icon on the taskbar and prevent the network
>card from getting an IP address from the DHCP server. I have no idea how
>the system was compromised.
>Does anyone know what these services do? Netdde32 seems to work on port
>I have renamed the administrator account, changed its password and blocked
>the ports affected. I removed or disabled the windows services. I
>removed any exe that were created during the hacking period. There are no
>events in the event log, but anyone can remove them. Does anyone
>recommend anything else? I know I should format these systems.
Tim Potter <><
Information Officer & Photographer
MSU Alumni Association
108 Union Bldg.
E. Lansing, MI 48824
Toll-free: 877/ MSU-ALUM (678-2586)
Stay Connected! www.msualum.com
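
Added example, not part of the original thread: one way to automate the `netstat -a -o` check described in the quoted message, by listing established TCP sessions to non-internal addresses and naming the Windows service behind each PID. It assumes `-n` is added so addresses are numeric and that PIDs are mapped with `tasklist /svc`; both sample outputs, the image names and the addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -a -n -o` output (documentation-range addresses).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:2004           0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.20:2004      203.0.113.45:4021      ESTABLISHED     1432
  TCP    192.168.1.20:1040      192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:3075      198.51.100.7:3080      ESTABLISHED     1760
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc` output; image names are made up.
TASKLIST = """\
Image Name                   PID Services
========================= ====== ==========================
System                         4 N/A
svchost.exe                  884 RpcSs
dwsvc.exe                   1432 Dameware
netdde32.exe                1760 Netdde32
"""

# Address ranges treated as internal (assumption: RFC 1918, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not ip.is_unspecified and not any(ip in net for net in INTERNAL)

def parse_services(text):
    """Map PID -> (image name, services) from tasklist /svc rows."""
    svc = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            svc[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return svc

def external_sessions(netstat_text, tasklist_text):
    """Return {pid: ((image, services), [remote IPs])} for outside sessions."""
    services, hits = parse_services(tasklist_text), defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED":
            remote = f[2].rsplit(":", 1)[0].strip("[]")
            if is_external(remote):
                hits[int(f[4])].add(remote)
    return {p: (services.get(p, ("?", "?")), sorted(ips)) for p, ips in hits.items()}
```

A PID that reports `("?", "?")` is holding a session but does not appear in the service listing, which is worth investigating on its own.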