Here is the site to get rid of Dameware.

http://www.connect.more.net/lists/technic/2004.02/0282.html

-----Original Message-----
From: Tim Potter
Sent: Tuesday, October 12, 2004 2:41 PM
To: Mccormack, Andrew
Subject: Re: [MSUNAG] windows services? hacking

I'm glad someone is asking this of the whole group; we've found pretty much every one of our Windows servers here w/ Dameware on it in the past month or so and it's very, very tough to get rid of. I put in a trouble ticket to the Security team asking for help and have yet to get a response. Pls. share any solution you get w/ the group if you would.

A buddy of mine who works for AIS said that they've had clients all around campus getting hit by that Dameware hack. Since it's a legit program I guess Symantec and other AV software don't view it as a trojan/worm.

Thanks again,
Tim

At 01:56 PM 10/12/2004, you wrote:
>I have seen over 10 systems in my department that have Netdde32, Netropa
>NHK Server, and Dameware installed as Windows services. I have used
>netstat -a -o and it shows a foreign IP address using these services. I
>ran a trace on the address and it was coming from out-of-state. I know
>Dameware is a remote connection program.
>
>These services seem to install an icon on the taskbar, prevent the network
>card from getting an IP address from the DHCP server. I have no idea how
>the system was compromised.
>
>Does anyone know what these services do? Netdde32 seems to work on port
>2255.
>
>I have renamed the administrator account, changed its password and blocked
>the ports affected. I removed or disabled the Windows services. I
>removed any exe that were created during the hacking period. There are no
>events in the event log, but anyone can remove them. Does anyone
>recommend anything else? I know I should format these systems.
>
>Thanks
>Andrew McCormack

**********************
Tim Potter <><
Information Officer & Photographer
MSU Alumni Association
108 Union Bldg.
E. Lansing, MI 48824
Toll-free: 877/ MSU-ALUM (678-2586)
Ph: 517/432-1160 Fax: 517/432-7769
Stay Connected! www.msualum.com
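
Added example, not part of the original messages: a small triage script for the netstat check described in the quoted message, listing the PIDs that listen on port 2255 or hold established connections to addresses outside the local networks. It assumes the output was captured with `netstat -a -n -o` (the `-n` flag added so addresses stay numeric); the sample output, the internal ranges and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -a -n -o` output; addresses and PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:2255           0.0.0.0:0              LISTENING       1496
  TCP    192.168.10.25:2255     203.0.113.77:4312      ESTABLISHED     1496
  TCP    192.168.10.25:3389     192.168.10.40:1188     ESTABLISHED     1020
  TCP    192.168.10.25:5000     198.51.100.9:2950      ESTABLISHED     1764
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumption: ranges treated as "ours"; replace with the site's own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7")]
WATCH_PORTS = {2255}  # port the thread reports for Netdde32

def parse_netstat(text):
    """Yield (local_port, remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # headers, blank lines and stateless UDP rows
        rip, rport = f[2].rsplit(":", 1)
        yield int(f[1].rsplit(":", 1)[1]), rip, int(rport), f[3], int(f[4])

def is_external(ip):
    """True when the address is outside every network in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip.strip("[]").split("%")[0])
    return not any(addr in net for net in INTERNAL_NETS)

def triage(text):
    """Return {pid: [reason, ...]} for processes to check against the service list."""
    findings = defaultdict(list)
    for lport, rip, rport, state, pid in parse_netstat(text):
        if state == "LISTENING" and lport in WATCH_PORTS:
            findings[pid].append(f"listening on watched port {lport}")
        elif state == "ESTABLISHED" and is_external(rip):
            findings[pid].append(f"{rip}:{rport} -> local port {lport}")
    return dict(findings)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Each flagged PID can then be matched to the services it hosts with `tasklist /svc`.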