Ah - and I also forgot I found another process they were using to remote-control the desktop on the machine: RASLAVE.EXE which is part of a commercial product: http://www.remote-anything.com/ So you can look for that process too...

The annoying (and dangerous) thing about cleaning up a hack (where, say you can't wipe the system immediately), is finding any back-doors they left into the system :-\

Rob

> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Wendy Tate
> Sent: Wednesday, January 22, 2003 10:46 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
>
> Deb;
>
> You might also want to check the services on that computer
> for dameware.exe and related files. Often our hacked systems
> have firedaemon and dameware both loaded.
>
> What fun!
> Wendy
>
> Wendy Tate
> Network Coordinator - Department of Economics
> Michigan State University
> 101 Marshall Hall
> East Lansing, MI 48824
> [log in to unmask] 517.355.1816
>
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 10:20 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
> Wow....
>
> That describes the activity that led me to look for the
> virus... curious. And yes, found the backdoor.NTHack via a
> process it creates, "firedaemon.exe".
>
>
> Thanks much!!
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Rob Neary
> Sent: Wednesday, January 22, 2003 10:15 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
>
> I'm not sure which worm/virus this is, but I'd like to share
> an interesting back-door-type attack we had on some of our
> systems a couple weeks ago...
>
> For anyone who runs Microsoft SQL server, you are probably
> familiar with the fact that the "root" account (called SA),
> is installed under v7.0 and possibly 2K (don't remember) with
> no password. This poor choice on Microsoft's part also
> trickles down to their desktop product - MSDE (Microsoft
> Database Engine) - which I'm finding a lot of packages now
> come with as their desktop database solution. There are
> script-worms that are designed to exploit this, and what we
> saw was a typical FTP Dump site setup on two machines.
>
> If you install anything that uses MSDE, you might want to
> take a look at this article to change the SA password: "HOW
> TO: Verify and Change the System Administrator Password by
> Using MSDE"
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322336
>
> Safe computing :)
>
> Rob Neary
> Senior Computer Systems Specialist
> Medical School Information Systems
> email: [log in to unmask]
>
> -----Original Message-----
> From: MSU Network Administrators Group [mailto:[log in to unmask]] On
> Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 9:50 AM
> To: [log in to unmask]
> Subject: Recent hacking activity on campus
>
>
> Good morning,
>
> Hopefully this is the proper place to post this. Has anyone else
> recently (as in the past week) gotten attacked via the
> backdoor.NTHack virus? (Win2k Server). One of my students mentioned
> that another department may have gotten this.
>
> If you have *any* experience with this, I would welcome any and all
> suggestions.
>
> Thanks much,
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>
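A defender-side check for the process and service names this thread points at (firedaemon.exe, dameware.exe, RASLAVE.EXE), written as an added example and not code posted to the list: it parses `tasklist /svc`-style output, matches image names case-insensitively and reports which services each hit is hosting. The sample listing and its service names are constructed.

```python
"""Flag the remote-control/backdoor image names this thread mentions in
`tasklist /svc`-style output. Added example; not code from the list thread."""
from typing import Dict, List

# Image names the thread reports on compromised hosts (matched case-insensitively).
# FireDaemon and DameWare are legitimate commercial tools, so a hit is a lead to
# verify (who installed it, when, and what it launches), not proof of compromise.
SUSPECT_IMAGES = {"firedaemon.exe", "dameware.exe", "raslave.exe"}

# Constructed sample in the layout of `tasklist /svc`: header, separator, then rows
# of image name, PID and a comma-separated service list (or N/A). Services are made up.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    912 RpcSs, Dnscache
FireDaemon.exe                1508 FireDaemon
dameware.exe                  1620 DameWare Mini Remote Control
raslave.exe                   1700 N/A
notepad.exe                   2012 N/A
"""

Row = Dict[str, object]


def parse_tasklist(text: str) -> List[Row]:
    """Parse tasklist /svc output into dicts with image, pid and services."""
    rows: List[Row] = []
    for line in text.splitlines()[2:]:  # skip the header and separator lines
        tokens = line.split()
        if not tokens:
            continue
        # The PID is the first all-digit token; image-name words precede it,
        # everything after it is the service column.
        pid_idx = next(i for i, tok in enumerate(tokens) if tok.isdigit())
        services_field = " ".join(tokens[pid_idx + 1:])
        services = [] if services_field == "N/A" else [s.strip() for s in services_field.split(",")]
        rows.append({"image": " ".join(tokens[:pid_idx]),
                     "pid": int(tokens[pid_idx]), "services": services})
    return rows


def find_suspects(rows: List[Row]) -> List[Row]:
    """Return rows whose image name is one of the thread's indicators."""
    return [r for r in rows if str(r["image"]).lower() in SUSPECT_IMAGES]


if __name__ == "__main__":
    for hit in find_suspects(parse_tasklist(SAMPLE_TASKLIST)):
        svc = ", ".join(hit["services"]) or "no service"
        print(f"{hit['image']} (PID {hit['pid']}) hosting: {svc}")
```

On a live host, feed it the real output of `tasklist /svc` instead of the sample; a match on a box that should not have remote-control software installed is the point at which to pull the service binary path and install time before cleaning.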