Incidents
Compromised Windows Server Jun 05 2006 07:27PM
Patrick Beam (patrick beam gmail com) (8 replies)
Re: Compromised Windows Server Jun 07 2006 02:19AM
Macleonard Starkey (macleonard auscert org au)
Re: Compromised Windows Server Jun 06 2006 03:20PM
Isaac Perez (suscripcions tsolucio com)
Re: Compromised Windows Server Jun 06 2006 03:09PM
Patrick Beam (patrick beam gmail com) (1 replies)
Re: Compromised Windows Server Jun 07 2006 02:10PM
Kees Leune (C J Leune uvt nl)
Re: Compromised Windows Server Jun 06 2006 11:32AM
Harlan Carvey (keydet89 yahoo com)
Re: Compromised Windows Server Jun 06 2006 08:09AM
Axel Pettinger (api worldonline de)
Re: Compromised Windows Server Jun 06 2006 02:39AM
Jason Ross (algorythm gmail com)
Re: Compromised Windows Server Jun 06 2006 02:38AM
pauls utdallas edu
--On June 5, 2006 2:27:32 PM -0500 Patrick Beam <patrick.beam (at) gmail (dot) com [email concealed]>
wrote:

> Came in this morning to find a windows 2003 server I manage scanning the
> Internet for machines listening on tcp 139 and 445. While looking at the
> machine I noticed the following processes running.
>
> Mwvsta.exe found in c:\windows\system32
>
> rundll16.exe c:\windows\system23
>
> Ponoas.exe c:\windows\system32
>
> I believe that the ponoas.exe is some sort of rootkit although searching
> on
> google for this file name returns nothing. Also searching
> mwvsta.exereturns nothing. At this point I have removed these files
> from the system
> and registry but am weary that the server will get hit again. Has anyone
> had an experience with the following file or have any idea what rookkit of
> virus they are associated with?
>
Filenames aren't going to do you a bit of good. Nowadays they're as
individualized as human beings. It's unfortunate that you deleted them,
because it will make it next to impossible to find out what they were.

When you say you noticed the following processes running, how did you
notice them? Were they visible in Task Manager? Or did you use some other
tool to "see" them?

Do you have any idea how the breakin occurred?

Is there a firewall between this host and the internet? Any intrusion
detection equipment? Any traffic-tracking software?

Paul Schmehl (pauls (at) utdallas (dot) edu [email concealed])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
0?ì *?H?÷
 ?Ý0?Ù1 0 +0  *?H?÷
 ? Z0?s0?Ü !Cl6²V³h­?pú0
 *?H?÷
0ê1'0%U
The University of Texas System10U VeriSign Trust Network1;09U 2Terms of use at https://www.verisign.com/rpa (c)991200U )Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0
050810000000Z
060810235959Z0ô1'0%U
The University of Texas System1-0+U $The University of Texas at Dallas CA1F0DU =www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)9910U Mail Stop - UTD10U Paul Schmehl1!0 *?H?÷
 pauls (at) utdallas (dot) edu0 [email concealed]?0
 *?H?÷
0?Ä¡æ?9"S,/èâD¸'ɺLsÚXï3a»
?ÂÀ?+±ga,Ó?P$ñX^ù$ã?¡X?'ÈlÖ?úVç^ÚÅ?ÆÅïPN²3Jyfy­(ÅK®ûRTØ????P&8 ½z
¥Æ«¸??=ùÃu[§Þî?X®}ìS)$-|öI£? 0?0 U00U0pauls (at) utdallas (dot) edu0 [email concealed]?$U ?0?0? `?H?øE0?0++https://www.verisign.com/rpa-
kr0Ò+0ÅÂNOTICE: Private key may be recovered by VeriSign's customer who may be able to decrypt messages you send to certificate holder. Use is subject to terms at https://www.verisign.com/rpa-kr (c)99.0 `?H?øB?0uUn0l0j h f?dhttp://onsitecrl.verisign.com/TheUnive
rsityofTexasSystemTheUniversityofTexasatDallasCA/LatestCRL.crl0 U
?0U%0++0
 *?H?÷
AØ: ³+Æü6?'â*Q?
VËD"??mÂrJ´
_û$P?o:¼LP?È*$ªøÉUÄ¿f? É´ï՝?±ýºçY2ÝB6óÁ×ÎNøßÜÛ¾i?̶f:Ü
Ó?¡×ö÷S??ìÅa1ÌÑB{S~?q¡hUN©?l0?Ø0?A Aì=§?ÄöÕ ÝÑe0
 *?H?÷
0Á1 0 UUS10U
VeriSign, Inc.1<0:U 3Class 2 Public Primary Certification Authority - G21:08U 1(c) 1998 VeriSign, Inc. - For authorized use only10U VeriSign Trust Network0
990331000000Z
090330235959Z0ê1'0%U
The University of Texas System10U VeriSign Trust Network1;09U 2Terms of use at https://www.verisign.com/rpa (c)991200U )Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0?0
 *?H?÷
0?¿êï?ë
Áù"ÁÑÁÌÛzÚ¾6Òp`0`åàS/5ôɨ)ÖÞ=ó?d}¾Ñ?Tx?ÿ¢xñû?«Ãü?LÂIA
áÀÒ¥×ü~ÿBQNtóÕhs¥]1øæ)%c¨#?Dj?°9ñïÛFXú¸ÏKózÁ¢I??#Cº?2?£¥0¢0
)U"0 ¤010UPrivateLabel1-1400 `?H?øB0DU =0;09 `?H?øE0*0(+https://www.verisign.com/RPA0U
0ÿ0 U0
 *?H?÷
S µÜ²¶?Ñ P?É8yÜȲI¿¸S?o?̲äz|ü£è_a^_??ZÒ?"ñ¼íñT¶T¦T¡T¼iÇ!7¢?9?§¬ ?è?]?
H9Y?$ C¼??Ü?táæã¾j¤?11#%?¯º,Q?Y¦£?Ò´ÎT0?0?l¹/`Ì??¡zF ¸[pl?¯0
 *?H?÷
0Á1 0 UUS10U
VeriSign, Inc.1<0:U 3Class 2 Public Primary Certification Authority - G21:08U 1(c) 1998 VeriSign, Inc. - For authorized use only10U VeriSign Trust Network0
980518000000Z
280801235959Z0Á1 0 UUS10U
VeriSign, Inc.1<0:U 3Class 2 Public Primary Certification Authority - G21:08U 1(c) 1998 VeriSign, Inc. - For authorized use only10U VeriSign Trust Network0?0
 *?H?÷
0?§?!t,çð?á?<!ñ?Û?é?ü¾_RÈÌ,V,¸i,Ì?­°?®yò9Á{?º
,èÂ?,ªié ôÇ©¤BÂ#OJØð¢û1lÉæo?'õæôLx?mëF?ú¹?ÉTò²Ä¯ÔFZÉ0ÿ
lõ-mÎw0
 *?H?÷
r.ùÑñqûÄ?öÅ^Q?@?¸hø??Ø❽ÿí¡æfê/ ôÊ×ê¥+?ö$`?MD.?¥Ä- Ó®xiorÚl®ðc?7æ»Ä0­wÌI5ªÏ؏Ѿ·?GsjT"4d-¶?Y[´QY:³ 
ôßg ô­2d^±Fr'?{ÅD´®1?Z0?V0ÿ0ê1'0%U
The University of Texas System10U VeriSign Trust Network1;09U 2Terms of use at https://www.verisign.com/rpa (c)991200U )Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA!Cl6²V³h­?pú0 + ±0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
060606023818Z0# *?H?÷
 1:)Ä3?ïn?1Ku?, Y?À\æ0R *?H?÷
 1E0C0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0
 *?H?÷
???ì ?à??SÿU|Òùÿ?s9M?÷î? ?üì¤ÇÉíÎNëñ°?ú??Ìaº/ZX}ÆðÃûÞåûZ???FË
ÌN9Ó? ??³ÄÍõ©¬?õ9Ä{ Z'Ê?±AÒÁ±üÿÕ á8¦?xK}½Ö3͝µD?QCBUã

[ reply ]
Re: Compromised Windows Server Jun 06 2006 02:12AM
Jamie Riden (jamesr europe com)


 

Privacy Statement
Copyright 2010, SecurityFocus