Solved

Hacked!

Posted on 2002-06-12
Last Modified: 2011-08-18
Hi experts,

I found some strange programs running on my PC and started to investigate. This is what I found:

A small program for remote controlling the PC, from http://www.dameware.com (72 KB): dntus26.exe

A small FTP server program (22 KB): tasksrv.exe

Question: How the heck did he get them there?

I am not running any servers on my PC. And no, I have not surfed to the Nimda-infected pages.

How did he start the Telnet service remotely?

Below is from the event log.

Thanks in advance.

2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      04:20:53      TlntSvr      Information      None      1001      N/A      HOMEPC1      The MS Telnet Service has shut down successfully.
2002-05-11      04:20:07      TlntSvr      Information      None      1000      N/A      HOMEPC1      The MS Telnet Service has started successfully.
2002-05-11      04:14:03      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:01      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:01      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:00      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:59      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:56      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      03:31:22      FrontPage 4.0      Warning      None      1000      N/A      HOMEPC1      Microsoft FrontPage Server Extensions:
   error #50001 message: there is no environment variabel of type SERVER_PORT.
2002-05-11      03:27:55      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11      03:22:58      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11      01:37:54      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11      01:37:54      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11      01:37:53      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:53      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:45      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\170.143.172[1].htm
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
Question by:drno007
9 Comments
 
LVL 17

Expert Comment

by:Wakeup
drno007,

You don't need to have a server or anything to get Nimda. You can be infected just by opening an email. Do you need to get this Nimda virus removed?
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

Go there and follow the instructions!
I would double, triple, quadruple check to make sure it is gone.
 
LVL 1

Author Comment

by:drno007
Nimda has never been active on my PC.

These are the files caught by Norton, as indicated in the previous event log.

The file "C:\program files\norton antivirus\quarantine\incoming\ap0.htm" is infected with W32.Nimda.A@mm. The file is repaired.

The file "C:\program files\norton antivirus\quarantine\incoming\ap0.html" is infected with W32.Nimda.A@mm. The file is repaired.

The file "C:\program files\norton antivirus\quarantine\incoming\ap1.html" is infected with W32.Nimda.A@mm. The file is repaired.

W32.Nimda.A@mm has been successfully removed
from your computer!

The total number of the scanned files: 45008
The number of deleted files: 0
The number of repaired files: 3
The number of viral processes terminated: 0
The Guest account was removed from the administrators group: NO
The Guest account was disabled: YES
The number of shares found: 6
The number of shares secured for administrator use only: 6
The number of registry keys deleted: 0

 
LVL 17

Accepted Solution

by:
Wakeup earned 100 total points
Well, then it was on your system and was removed by Norton, according to the event logs. They may not have been active or memory resident, but they did reside on your computer at one point in time, since 3 of the files on your machine have been repaired.

Also, I do not understand what kind of help you need. If the viruses have since been removed, my suggestion is to get a firewall up. That may help as well, like ZoneAlarm or Norton Internet Security. There are lots of backdoor Trojans and the like that this so-called hacker may have used to access your system, and he may have gotten Nimda onto your machine via those backdoor Trojans.

 
LVL 17

Expert Comment

by:Wakeup
Here are some things to try:
Trojan Remover
http://www.simplysup.com/tremover/

www.zonealarm.com
Free download for personal use.

 
LVL 1

Author Comment

by:drno007
I am accepting this comment and reinstalling my PC. I am also going to install that firewall.

Thanks for the help.
 
LVL 17

Expert Comment

by:Wakeup
Why a C grade? Is there something that I did not answer? Also, you didn't give me any chance of getting a better grade. I asked what you were asking...
 
LVL 1

Author Comment

by:drno007
The question was: how did he manage to start the Telnet server service remotely? He obviously tried to get it started a few times before he succeeded, as indicated by the event log. Once that is done, it would only be a matter of seconds before he could TFTP the small programs to my PC.

Also, I hate firewalls. Only a bunch of false alarms.
A huge marketing scam in my opinion.

The C grade may have been unfair, but I am very tired from staying up until 3:00 am and getting up again at 7:30 am.

Sorry, I'll make it up to you next time, OK?
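The event log pasted in the question, and the sequence the author argues for above (repeated Telnet shell-creation errors, then a successful service start, then file transfer), as an added example that is not part of the original thread. This is a small triage script, written for this page rather than taken from any tool mentioned in it: it parses a Windows Event Viewer text export of the kind shown in the question (newest-first, tab-separated, with messages that continue onto following lines), rebuilds a chronological timeline, and flags three things: Norton event 4097 detections with the infected path and outcome, TlntSvr start/stop (1000/1001), and a TlntSvr start preceded by a burst of 4000 shell-creation errors. The sample records are a trimmed, constructed subset of the posted log (Norton boilerplate shortened, spaces standing in for tabs). The ten-minute window and the three-failure threshold are assumptions for the example, not anything the page states.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample: a trimmed subset of the Event Viewer export pasted in the
# question. Runs of spaces stand in for the tabs of a real export; a message that
# spans several lines continues on lines that do not start with a date.
SAMPLE_LOG = r"""
2002-05-11    05:39:00    Norton AntiVirus    Error    (1)    4097    NT AUTHORITY\SYSTEM    HOMEPC1    The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11    04:20:53    TlntSvr    Information    None    1001    N/A    HOMEPC1    The MS Telnet Service has shut down successfully.
2002-05-11    04:20:07    TlntSvr    Information    None    1000    N/A    HOMEPC1    The MS Telnet Service has started successfully.
2002-05-11    04:14:03    TlntSvr    Error    None    4000    N/A    HOMEPC1    An error occurred while attempting to create shell process.
2002-05-11    04:14:02    TlntSvr    Error    None    4000    N/A    HOMEPC1    An error occurred while attempting to create shell process.
2002-05-11    04:14:01    TlntSvr    Error    None    4000    N/A    HOMEPC1    An error occurred while attempting to create shell process.
2002-05-11    03:31:22    FrontPage 4.0    Warning    None    1000    N/A    HOMEPC1    Microsoft FrontPage Server Extensions:
   error #50001 message: there is no environment variabel of type SERVER_PORT.
2002-05-11    03:27:55    Norton AntiVirus    Error    (1)    4097    NT AUTHORITY\SYSTEM    HOMEPC1    The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11    01:37:45    Norton AntiVirus    Error    (1)    4097    NT AUTHORITY\SYSTEM    HOMEPC1    The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\170.143.172[1].htm
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
"""

# A record starts with "YYYY-MM-DD HH:MM:SS"; anything else is a continuation line.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s")
# Fields are separated by runs of two or more whitespace characters; the free-text
# message only ever uses single spaces, so splitting into 9 parts is safe.
FIELD_SEP = re.compile(r"\s{2,}")
# Path, signature name and outcome from a Norton 4097 message once its lines are joined.
AV_DETAIL = re.compile(
    r"The file\s+(?P<path>.+?)\s+(?:is|was) infected with the (?P<sig>.+?) virus\.;\s*(?P<outcome>.+?)\.*$"
)


@dataclass
class Event:
    when: datetime
    source: str
    level: str
    event_id: int
    computer: str
    message: str


@dataclass
class Finding:
    when: datetime
    rule: str
    detail: str


def parse_events(text: str) -> List[Event]:
    """Parse the export into Event records, oldest first (the export is newest first)."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            parts = FIELD_SEP.split(line, maxsplit=8)
            if len(parts) != 9:
                raise ValueError(f"malformed record: {line!r}")
            date, clock, source, level, _category, event_id, _user, computer, message = parts
            when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
            events.append(Event(when, source, level, int(event_id), computer, message))
        elif events:
            events[-1].message += " " + line   # glue continuation onto the previous record
        else:
            raise ValueError(f"continuation line before any record: {line!r}")
    return sorted(events, key=lambda e: e.when)


def av_findings(events: List[Event]) -> List[Finding]:
    """One finding per Norton 4097 event, naming the file, the signature and the outcome."""
    out: List[Finding] = []
    for e in events:
        if e.source == "Norton AntiVirus" and e.event_id == 4097:
            m = AV_DETAIL.search(e.message)
            if m:
                out.append(Finding(e.when, "av-detection", f"{m['sig']} in {m['path']} ({m['outcome']})"))
            else:
                out.append(Finding(e.when, "av-event", e.message))
    return out


def telnet_findings(events: List[Event], window: timedelta = timedelta(minutes=10),
                    min_failures: int = 3) -> List[Finding]:
    """Flag TlntSvr start/stop; a start preceded by >= min_failures shell-creation
    errors (event 4000) inside `window` gets its own rule name. Window and threshold
    are assumed values for this example."""
    failures = [e.when for e in events if e.source == "TlntSvr" and e.event_id == 4000]
    out: List[Finding] = []
    for e in events:
        if e.source != "TlntSvr":
            continue
        if e.event_id == 1000:
            n = sum(1 for t in failures if e.when - window <= t < e.when)
            rule = "telnet-start-after-failures" if n >= min_failures else "telnet-start"
            out.append(Finding(e.when, rule, f"{n} shell-creation error(s) in the preceding {window}"))
        elif e.event_id == 1001:
            out.append(Finding(e.when, "telnet-stop", "service shut down"))
    return out


def triage(text: str) -> List[Finding]:
    """Chronological list of findings for an export."""
    events = parse_events(text)
    return sorted(av_findings(events) + telnet_findings(events), key=lambda f: f.when)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M:%S}  {f.rule:28} {f.detail}")
```

What this shows is the order of events, not who caused them: the export is from the Application log, which records that the Telnet service started but not which account started it. On Windows 2000 that would only be in the Security log, and only if logon and process auditing had been enabled beforehand, so the timeline narrows the question without answering it on its own.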
 
LVL 1

Author Comment

by:drno007
Also, a translation of this page would be fun to have.

http://ddjia.51.net/hebackwenzhan/page1/wenzhanmulu21.htm
 
