Re: Compromised Windows Server Jun 06 2006 02:12AM
Jamie Riden (jamesr europe com)
On 06/06/06, Patrick Beam <patrick.beam (at) gmail (dot) com [email concealed]> wrote:
> Came in this morning to find a windows 2003 server I manage scanning the
> Internet for machines listening on tcp 139 and 445. While looking at the
> machine I noticed the following processes running.
>
> Mwvsta.exe found in c:\windows\system32
> rundll16.exe c:\windows\system23
> Ponoas.exe c:\windows\system32
>
> I believe that the ponoas.exe is some sort of rootkit although searching on
> google for this file name returns nothing. Also searching
> mwvsta.exe returns nothing. At this point I have removed these files
> from the system and registry but am wary that the server will get hit again.

To be sure, you need to re-install from known-good media.

> Has anyone had an experience with the following files or have any idea what rootkit or
> virus they are associated with?

Some viruses use random filenames. If you've deleted them then there's
no way to tell for sure what they were - if you do have them, send the
files to http://www.virustotal.com/ for a diagnosis - though I would
still re-install the box.

cheers,
Jamie
--
Jamie Riden / jamesr (at) europe (dot) com [email concealed] / jamie.riden (at) computer (dot) org [email concealed]
NZ Honeynet project - http://www.nz-honeynet.org/
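An added example, not from the thread: a small detector for the behaviour Patrick described (one host sweeping the Internet on tcp/139 and tcp/445), run over constructed firewall-style log lines. The log format, the host addresses and the thresholds are assumptions; adapt the regex to the real firewall's format.

```python
"""Outbound SMB/NetBIOS sweep detector (added example, not from the thread).

Constructed input: firewall-style lines "<iso-time> <src> -> <dst>:<port> <proto>".
A source that reaches THRESHOLD or more distinct destinations on tcp/139 or
tcp/445 within WINDOW seconds is reported, which is the symptom in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
THRESHOLD = 20                      # distinct destinations that trigger an alert
WINDOW = timedelta(seconds=60)      # sliding window length

# Hypothetical log format; adjust LINE_RE to the real firewall's output.
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (tcp|udp)$")

def parse_line(line):
    """Return (timestamp, src, dst, port, proto) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def find_smb_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each offending source to the largest distinct-destination count seen in one window."""
    events = defaultdict(list)      # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[4] == "tcp" and rec[3] in SMB_PORTS:
            events[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

# Constructed sample: 10.0.0.5 sweeps 25 TEST-NET hosts on 445 within 25 seconds;
# 10.0.0.9 talks repeatedly to one internal file server; one line is garbage.
SAMPLE_LOG = (
    [f"2006-06-06T08:00:{i:02d} 10.0.0.5 -> 198.51.100.{i + 1}:445 tcp" for i in range(25)]
    + [f"2006-06-06T08:01:{i:02d} 10.0.0.9 -> 10.0.0.1:445 tcp" for i in range(3)]
    + ["malformed line that the parser must skip"]
)

if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct SMB destinations within {WINDOW.seconds}s")
```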

