I have seen over 10 systems in my
department that have Netdde32, Netropa NHK Server, and Dameware installed as
Windows services. I have used netstat -a -o and it shows a foreign
IP address using these services. I ran a trace on the address and it was
coming from out-of-state. I know Dameware is a remote connection program.
These services seem to install an icon on
the taskbar and prevent the network card from getting an IP address from the DHCP
server. I have no idea how the system was compromised.
Does anyone know what these services do? Netdde32
seems to work on port 2255.
I have renamed the administrator account,
changed its password and blocked the ports affected. I removed or disabled the
Windows services. I removed any exe files that were created during the hacking
period. There are no events in the event log, but anyone can remove them. Does
anyone recommend anything else? I know I should format these systems.
Thanks
Andrew McCormack
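
An added example, not part of the original post: a small triage script that parses saved `netstat -a -o -n` output and groups ESTABLISHED sessions to non-internal addresses by owning PID, so the same check can be repeated across all affected machines. The sample output, the addresses and the internal-range list are constructed assumptions; `-n` is added so foreign addresses are numeric.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -a -o -n` output (documentation-range addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:2255           0.0.0.0:0              LISTENING       1412
  TCP    192.168.1.20:2255      203.0.113.45:4021      ESTABLISHED     1412
  TCP    192.168.1.20:1058      192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:6129      198.51.100.7:3377      ESTABLISHED     1660
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumption: ranges treated as "inside"; adjust to the site's own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10")]

def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) for each TCP/UDP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])
        elif len(parts) == 4 and parts[0] == "UDP":  # UDP rows have no State column
            yield parts[0], parts[1], parts[2], "", int(parts[3])

def external_sessions(text):
    """Map PID -> [(local_port, foreign_ip)] for ESTABLISHED sessions to outside hosts."""
    hits = defaultdict(list)
    for _proto, local, foreign, state, pid in parse_netstat(text):
        if state != "ESTABLISHED":
            continue
        host = foreign.rsplit(":", 1)[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # not numeric (netstat run without -n); review by hand
        if not any(ip in net for net in INTERNAL):
            hits[pid].append((int(local.rsplit(":", 1)[1]), str(ip)))
    return dict(hits)

if __name__ == "__main__":
    for pid, sessions in sorted(external_sessions(SAMPLE).items()):
        print(f"PID {pid}: {sessions}")
```

Each flagged PID can then be matched to its hosting service with `tasklist /svc`.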