Need some serious help here

WillBurt

Member
First off, let me give you an explanation of our network. We have 13 or so W2003 servers, 130 Windows XP machines (with at least SP2), and probably 80 or so Win2k computers and maybe some random WinNT machines.

What Happened:
Today, while we were all in a meeting, a virus spread like wildfire. We use VNC (a variation of Tight and Real) and it definitely looks like it logged into the computer via VNC and ran some crazy script. We do have Symantec Enterprise for antivirus, and basically the only response we got was: yes, it's a backdoor trojan, and we can try and fix it, but we will need to format all 200+ computers. Which is not acceptable. So right now we are in the process of figuring out what we are going to do. I'm going to upload a screenshot of what we could capture of the script. I could definitely use any advice you guys could give me.

http://i110.photobucket.com/albums/n117/hots2k/untitled.jpg
 
First, block port 21 to stop that ah heck updating itself.

Apart from the script updating itself, what else are you seeing? Have you identified the virus yet?
 
I agree with Allanv: your first step is to identify what you have, and hopefully find a specific removal tool. Then you are going to have to disconnect every computer from the network and clean them one by one. If you don't get them all clean, it looks like that ah heck will just reinfect every computer on the network.

Still better than a clean install for every computer.
 
Looks like the writer made an error in that script (the "Net Start Share" command). Maybe an attempt to re-start the Windows Firewall? ("Net Start SharedAccess")

Does your firewall keep traffic logs? You could at least see which of your PCs have attempted to contact that FTP site.

If the attacker was able to log into one of your PCs via VNC that you installed, then a trojan wasn't necessary to start the attack. But the attacker could have installed ANYTHING, including rootkits and backdoors, once logged in.

Off topic (and I'm sorry for your rather serious problem) --

Note to the "Vista UAC-haters":
That "Net Stop SharedAccess" command (which turns off Windows Firewall) wouldn't be able to run on its own with Vista's UAC turned on.
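Two suggestions in this thread go together: block outbound port 21 so the script can't fetch updates, and then read the firewall logs to see which PCs are still trying to reach the FTP site. Below is an added example (my own code, not from any poster in this thread) that does the log-reading part. It assumes W3C-style logs with a "#Fields:" header, as written by the Windows XP SP2 firewall (pfirewall.log); a perimeter firewall's export would need the field names adapted. The log lines, the FTP server address 203.0.113.10 and the internal addresses are all constructed for the example, not taken from the screenshot. Once port 21 is blocked, the DROP entries become the useful signal: each one names a machine that is still infected and still calling home.

```python
"""Which internal hosts tried to reach the FTP site? (added example, not from the thread)

Assumes W3C-style firewall logs with a '#Fields:' header line, e.g. the
Windows XP SP2 pfirewall.log format. Sample lines below are constructed.
"""

# Constructed sample log. 203.0.113.10 stands in for the FTP server the script
# updates from (a placeholder, not the real address from the screenshot).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-03-21 14:02:11 OPEN TCP 10.0.0.15 203.0.113.10 1043 21 - - - - - - - - -
2007-03-21 14:02:13 OPEN TCP 10.0.0.15 203.0.113.10 1044 21 - - - - - - - - -
2007-03-21 14:02:40 OPEN TCP 10.0.0.22 203.0.113.10 1201 21 - - - - - - - - -
2007-03-21 14:03:05 OPEN TCP 10.0.0.31 192.0.2.50 1100 80 - - - - - - - - -
2007-03-21 14:03:09 DROP TCP 10.0.0.40 203.0.113.10 1350 21 - - - - - - - - -
2007-03-21 14:05:00 OPEN TCP 10.0.0.15 203.0.113.10 1060 21 - - - - - - - - -
"""


def parse_w3c_log(text):
    """Yield one dict per record, keyed by the column names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only '#Fields:' matters for parsing.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            # Truncated or malformed record: skip it instead of misaligning columns.
            continue
        yield dict(zip(fields, values))


def ftp_clients(records, ftp_server=None, ftp_port="21"):
    """Summarise, per internal source IP, the TCP connection attempts to the FTP port.

    If ftp_server is given, only attempts to that address count. Both OPEN
    (allowed) and DROP (blocked after port 21 was closed) attempts are kept,
    because a DROP still tells you that host is infected.
    """
    summary = {}
    for rec in records:
        if rec.get("protocol") != "TCP" or rec.get("dst-port") != ftp_port:
            continue
        if ftp_server is not None and rec.get("dst-ip") != ftp_server:
            continue
        stamp = f"{rec['date']} {rec['time']}"  # ISO-style, so string order == time order
        entry = summary.setdefault(
            rec["src-ip"],
            {"attempts": 0, "allowed": 0, "dropped": 0, "first": stamp, "last": stamp},
        )
        entry["attempts"] += 1
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
        if rec["action"] == "DROP":
            entry["dropped"] += 1
        else:
            entry["allowed"] += 1
    return summary


def suspect_hosts(text, ftp_server=None):
    """Return the sorted list of source IPs that tried to reach the FTP site."""
    return sorted(ftp_clients(parse_w3c_log(text), ftp_server))


if __name__ == "__main__":
    report = ftp_clients(parse_w3c_log(SAMPLE_LOG), ftp_server="203.0.113.10")
    for host in sorted(report):
        e = report[host]
        print(f"{host:<12} attempts={e['attempts']} allowed={e['allowed']} "
              f"dropped={e['dropped']} first={e['first']} last={e['last']}")
```

Run it against the real pfirewall.log from a few machines (or the perimeter firewall's export with the field names adjusted) and you get the list of hosts to pull off the network first; 10.0.0.31 in the sample is left out because it only talked HTTP to a different address.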
 