Ah - and I also forgot I found another process they were using to
remote-control the desktop on the machine: RASLAVE.EXE which is part of
a commercial product:
http://www.remote-anything.com/
So you can look for that process too... The annoying (and dangerous)
thing about cleaning up a hack (where, say you can't wipe the system
immediately), is finding any back-doors they left into the system :-\
Rob
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Wendy Tate
> Sent: Wednesday, January 22, 2003 10:46 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
>
> Deb;
>
> You might also want to check the services on that computer
> for dameware.exe and related files. Often our hacked systems
> have firedaemon and dameware both loaded.
>
> What fun!
> Wendy
>
> Wendy Tate
> Network Coordinator - Department of Economics
> Michigan State University
> 101 Marshall Hall
> East Lansing, MI 48824
> [log in to unmask] 517.355.1816
>
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 10:20 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
> Wow....
>
> That describes the activity that lead me to look for the
> virus... curious. And yes, found the backdoor.NTHack via a
> process it creates, "firedaemon.exe".
>
>
> Thanks much!!
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]]On Behalf Of Rob Neary
> Sent: Wednesday, January 22, 2003 10:15 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
>
> I'm not sure which worm/virus this is, but I'd like to share
> an interesting back-door-type attack we had on some of our
> systems a couple weeks ago...
>
> For anyone who runs Microsoft SQL server, you are probably
> familiar with the fact that the "root" account (called SA),
> is installed under v7.0 and possibly 2K (don't remember) with
> no password. This poor choice on Microsoft's part also
> trickles down to their desktop product - MSDE (Microsoft
> Database Engine) - which I'm finding a lot of packages now
> come with as their desktop database solution. There are
> script-worms that are designed to exploit this, and what we
> saw was a typical FTP Dump site setup on two machines.
>
> If you install anything that uses MSDE, you might want to
> take a look at this article to change the SA password: "HOW
> TO: Verify and Change the System Administrator Password by
> Using MSDE"
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322336
Safe computing :)
Rob Neary
Senior Computer Systems Specialist
Medical School Information Systems
email: [log in to unmask]
> -----Original Message-----
> From: MSU Network Administrators Group [mailto:[log in to unmask]] On
> Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 9:50 AM
> To: [log in to unmask]
> Subject: Recent hacking activity on campus
>
>
> Good morning,
>
> Hopefully this is the proper place to post this. Has anyone else
> recently (as in the past week) gotten attacked via the
> backdoor.NTHack virus? (Win2k Server). One of my students mentioned
> that another department may have gotten this.
>
> If you have *any* experience with this, I would welcome any and all
> suggestions.
>
> Thanks much,
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>
