In desperate need of assistance!
Archived thread, Windows 2000 track general, August 2002.
ruscorp

2002-08-05, 7:42 pm

Greetings to all. I am currently !@#$ing bricks at the moment because I think I may have caught a break-in on one of our 2000 member servers.

Recently I logged on locally to our Win2K member svr to do some basic admin tasks like defrag and virus scan, and I noticed a strange program in the system tray. I have never seen it or heard of it before, but it seems like some sort of Back Orifice or pcAnywhere type program. Its name is DameWare Mini Remote Control (http://www.dameware.com). Naturally my first instinct was to uninstall this rogue program, but it is not listed in Add/Remove progs. It's setting off our Norton AV Corp Edt., saying there's a Trojan horse in the system. My next idea was a warm reboot because I started to get paging errors and stuff! Alas, the program still started again. I searched the hdd from top to bottom and could not find where the prog installed itself to. I can't even disable it in the systray because the Exit button is grayed out. So now this really makes me believe that someone is screwing with me. Then I decided to see if the program was running as a service, and it was! So I then stopped and disabled the service from running. Then I rebooted and the program was gone from the systray and doesn't seem to be running. Right now I am port scanning the IP of the server to look for open ports and alerting all users to change their passwords immediately.

Now here is my question. I realize I'm not the best there is, but how in the world did this fly under my nose??? I am the sole computer guy, so I have no one else to rely on, but me. What precaution should I take to prevent this from happening again? Have I taken the proper action to rectify the problem? Heck I don't even know if the program is even totally wiped out. What should I do?
Deja-vue

2002-08-05, 9:42 pm

That's a good one.
First of all, I would disconnect it from the network until you really know you fixed it.
Then take a good look at your firewall.
Hopefully it is a hardware firewall.
Check all of the open ports and make sure all of the unnecessary ports are closed.
Did you check the Event Viewer?
Check for unusual network traffic; I would run a log on the firewall to see where any attacks are coming from.
Perhaps from within your network???
Check some of the users' machines.
Download all security patches, and download Service Pack 3.
You could create an audit policy to create a log of successful attempts (same with failures, or both).
Good luck, I hope this gets you started.
Tech Ranger

2002-08-05, 10:34 pm

There has to be more to the story than that which you have said. This program is a specialty tool used by system admins. Regular folks would have no idea as to what this is. If it had been downloaded from the web, it would simply enter through port 80. It could have been installed locally. But, if you are the only IT person, it doesn't make any sense. Is it possible that it has been on the machine for a long time and you never took note of it?
thecomeons

2002-08-06, 4:56 am

Can it be disabled via sysedit?
TW2001

2002-08-06, 7:48 am

The time stamp on the installation files would also be helpful.

I agree with Deja...get that box off the network ASAP.
ruscorp

2002-08-06, 10:24 am

It would seem I have everything under control now. I have examined the event logs and have found suspicious activities and reported the perpetrators to their respective internet service providers. If anyone would care to take a look at the security log. I have found some mysterious machines that do not belong to our LAN.
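Deja-vue's suggestion of an audit policy that logs successful and failed logon attempts, and ruscorp's search of the security log for machines that do not belong to the LAN, can be scripted once the log is exported. The following is an added example, not code from the thread: it parses constructed Windows 2000 security-log records (event IDs 528, 529 and 540) with hypothetical machine names, lists workstations that are missing from an assumed LAN inventory, and flags logons that succeeded right after a run of failures.

```python
import re
from collections import Counter

# Constructed sample, not events from the poster's server. Each line is
# "date time|audit type|event id|description"; Windows 2000 event ids:
# 528 = successful logon, 529 = failed logon, 540 = successful network logon.
SAMPLE_LOG = """\
2002-08-04 23:58:10|Failure Audit|529|User Name: administrator Domain: EXAMPLE Logon Type: 3 Workstation Name: ATTACK-PC
2002-08-04 23:58:14|Failure Audit|529|User Name: administrator Domain: EXAMPLE Logon Type: 3 Workstation Name: ATTACK-PC
2002-08-04 23:58:19|Failure Audit|529|User Name: administrator Domain: EXAMPLE Logon Type: 3 Workstation Name: ATTACK-PC
2002-08-04 23:58:31|Success Audit|540|User Name: administrator Domain: EXAMPLE Logon Type: 3 Workstation Name: ATTACK-PC
2002-08-05 08:02:05|Success Audit|528|User Name: jsmith Domain: EXAMPLE Logon Type: 2 Workstation Name: WS-ACCT1
2002-08-05 08:15:40|Failure Audit|529|User Name: mjones Domain: EXAMPLE Logon Type: 3 Workstation Name: WS-FRONT
2002-08-05 08:16:02|Success Audit|540|User Name: mjones Domain: EXAMPLE Logon Type: 3 Workstation Name: WS-FRONT
"""

# Assumed LAN inventory (hypothetical machine names).
KNOWN_WORKSTATIONS = {"SVR01", "WS-ACCT1", "WS-ACCT2", "WS-FRONT"}
FIELD_RE = re.compile(r"User Name: (\S+) Domain: (\S+) Logon Type: (\d+) Workstation Name: (\S+)")

def parse_security_log(text):
    """Turn exported log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        m = FIELD_RE.search(parts[3]) if len(parts) == 4 else None
        if not m:
            continue
        records.append({"time": parts[0], "event_id": int(parts[2]),
                        "user": m.group(1), "domain": m.group(2),
                        "logon_type": int(m.group(3)), "workstation": m.group(4)})
    return records

def unknown_workstations(records, known=KNOWN_WORKSTATIONS):
    """Workstation names seen in the log that are not in the LAN inventory."""
    return sorted({r["workstation"] for r in records} - known)

def successes_after_failures(records, min_failures=3):
    """Workstations where a success follows a run of failures (a guessed password)."""
    streak, suspects = Counter(), []
    for r in records:
        ws = r["workstation"]
        if r["event_id"] == 529:
            streak[ws] += 1
        elif r["event_id"] in (528, 540):
            if streak[ws] >= min_failures:
                suspects.append((ws, r["user"], r["time"]))
            streak[ws] = 0  # a success ends the run of failures
    return suspects
```

Run against a real export, the inventory set and the `min_failures` threshold are the two knobs to tune; a single failure before a success is normal typing error, a run of them from a machine not in the inventory is what the thread describes.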
TW2001

2002-08-06, 11:19 am

What kind of firewall do you use?
ruscorp

2002-08-06, 12:36 pm

The term 'firewall' and my company do not go together. 'Nuff said.
TW2001

2002-08-06, 12:48 pm

ruscorp

2002-08-06, 12:51 pm

quote:
Originally posted by TW2001

My sentiments exactly my friend. My boss is more concerned with getting nifty XP Pro on his machine to be up-to-date instead of a high priority, which is security. I think XP can take a back seat.
KScheler

2002-08-06, 1:17 pm

Sounds like you got hacked! Since your boss doesn't think it's needed to spend $ on a firewall, have you looked into ZoneAlarm? They have a free download for "personal" use. It might be better than nothing. Even though our campus has a firewall, we use ZoneAlarm Pro on our workstations, mainly to protect us from our own students.
ruscorp

2002-08-06, 5:54 pm

quote:
Originally posted by KScheler
Sounds like you got hacked! Since your boss doesn't think it's needed to spend $ on a firewall, have you looked into ZoneAlarm? They have a free download for "personal" use. It might be better than nothing. Even though our campus has a firewall, we use ZoneAlarm Pro on our workstations, mainly to protect us from our own students.

Hacked is such a harsh word. I prefer to use the term outsmarted. Your ZoneAlarm idea sounds good to me. I will look into it.
Copyright 2003 - 2008 examnotes.net