Have I been hacked?


Cacique

I have a Win2K box behind a router, networked with an iMac and a Linux box.
I have 4 shared folders on the Win2K box that I access from the iMac and the
Linux box.

The other day I checked the contents of my shared folders and saw that in
the root directory of each shared folder there were a bunch of executable
files. I didn't put them there. The files were:

casvc.exe, ggtb32.exe, hqisvc32.exe, macdwXM.exe, prcview.exe, regsvc32.exe,
testfile, wmp9.exe, mssqlXP16.exe, srtsr32.exe, crss.exe, svchost.exe,
sdvhost.exe, stisvc32.exe, znksvc32.exe

Has someone broken into my system and placed these files in my shared
directories? If so, for what purpose? I thought the router would keep the
hackers out, but what should I do now if people can get into my system?

Thanks.
 
Well, someone placed those files there. If you do not need users [legitimate
or otherwise] to write to that folder then be sure to lock down permissions
so that the folder cannot be written to. Otherwise you may find it helpful
to enable auditing of logon events on that computer and possibly object
access so that you can audit write access to that folder, though digging
through object access events is not exactly user friendly. The fact that
svchost.exe and a file called sdvhost.exe are present is a bit troubling.
Svchost is a legitimate file though some malware will try and use a copy
that is not to infect the computer. Sdvhost.exe is not any legitimate file
that I know of or could see from a quick Google search.

I would be sure to run a full malware scan ASAP making sure that you have
the latest virus definitions loaded. In addition be sure that you are using
strong passwords, particularly for any accounts in the local administrators
group, that your virus scan also scans all emails, that you keep current
with critical security updates and Windows Updates, and run the Microsoft
Baseline Security Analyzer to check for basic security vulnerabilities. A
properly configured firewall device will protect from direct hack attempts
from the internet but it will not stop malware such as Trojans or infected
email attachments. You could possibly have a backdoor on your computer or
one of your other computers may also be compromised. SysInternals has free
tools such as Process Explorer, TCPView, and Autoruns that can help you in
tracking down rogue processes. The links below may help to get you
started. -- Steve


http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
 
It could "just" be a computer on your network infected with a virus that has
the ability to spread via Windows NetBIOS file shares. Such viruses
commonly put malware executables on the root of a Windows server file share,
and the file names below can be common. To know for sure, scan them with an
up to date antivirus scanner and then look up how that virus spreads in the
virus encyclopedia on your antivirus vendor's web site. The easiest way is
to go to www.virustotal.com and submit the files there; you get an answer
back immediately using a dozen different scanners.
http://housecall.antivirus.com should also be able to identify those files
using TrendMicro AV.
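Steve's point about svchost.exe and sdvhost.exe, and Karl's advice to have the files scanned, can be turned into a quick triage pass over a share root. The script below is an added example (not code from either poster): it lists executables sitting in a share root, hashes each one (the SHA-256 is what you look up at VirusTotal or an AV vendor's encyclopedia), and flags names that copy or closely resemble Windows system binaries. The list of system binary names and the look-alike threshold of two edits are my assumptions.

```python
import hashlib
import os
# Windows system binaries that worms often copy or imitate (a constructed, partial list);
# a file carrying one of these names in a share root is out of place.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                       "winlogon.exe", "explorer.exe", "regsvr32.exe"}
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}


def sha256_of(path):
    """Hash in chunks; the digest is what you look up at VirusTotal or the AV vendor."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def edit_distance(a, b):
    """Levenshtein distance, used to catch names such as crss.exe next to csrss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the system binary a name imitates (within two edits), else None."""
    best = min(SYSTEM_BINARY_NAMES, key=lambda s: edit_distance(name, s))
    return best if 0 < edit_distance(name, best) <= 2 else None


def triage_share_root(share_root):
    """Executables dropped in a share root, each with its hash and why it looks suspicious."""
    findings = []
    for name in sorted(os.listdir(share_root)):
        path = os.path.join(share_root, name)
        if not os.path.isfile(path):
            continue
        lower, reasons = name.lower(), []
        if os.path.splitext(lower)[1] in EXEC_EXTENSIONS:
            reasons.append("executable in share root")
        twin = lookalike_of(lower)
        if lower in SYSTEM_BINARY_NAMES:
            reasons.append("system binary name outside the Windows system directory")
        elif twin:
            reasons.append("look-alike of " + twin)
        if reasons:
            findings.append({"name": name, "sha256": sha256_of(path), "reasons": reasons})
    return findings
```

Run it against each share's root (the Linux box can do this over the mounted share) and feed the reported hashes to the scanners Karl mentions; a hit on a look-alike name such as sdvhost.exe is worth checking first.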
 
Thanks, guys, for the help. I downloaded Ad-Aware and Search and Destroy and
they found all kinds of junk on the system. I have cleaned up most of the
spyware using those two programs.

I have also visited symantec.com and did an online scan; it detected the
W32.HLLW.Gaobot worm in many different files. I had already deleted the
executables in question, but I think it's likely, based on the description
of this virus, that it had placed them there. I am currently searching for
the best antivirus tool to use to get rid of it. Symantec has a removal
tool for some of the Gaobot variants, but unfortunately, it doesn't clean
off the one on my system. Maybe McAfee or Trend has something. I'll keep
searching. At any rate, I guess I'll bite the bullet and buy an AV program
to keep these things under control, and run the adware programs regularly.

Thanks again.
 
As Karl mentioned there are quality free-for-personal-use antivirus
programs. Newegg.com has a deal right now where you can download Trend
Micro PC-cillin for $9.99 after rebates and I think you can download it to
try free for 30 days from TM.

http://www.newegg.com/Product/Product.asp?Item=0-N82E1681297339SF

TM also offers a free tool that can detect AND remove many common malware
called Sysclean. You just download it and the pattern file, unzip the
pattern file, and run from a common folder. The links below explain
more. --- Steve

http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp

Microsoft has an excellent free downloadable guide called Anti Virus in
Depth if you want to learn more about malware, how to protect yourself from
it, and what to do if you get it that is geared toward system admins and
power users. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
 
In Steven L Umbach <[email protected]> had this to say:

My reply is at the bottom of your sent message:
Microsoft has an excellent free downloadable guide called Anti Virus
in Depth if you want to learn more about malware, how to protect
yourself from it, and what to do if you get it that is geared toward
system admins and power users. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx

I snipped out the good stuff but wanted to say thank you. I'd never come
across that. It looks to be an interesting read actually. Much obliged.

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes
 
Hi Galen

Wow. I can't believe an inquisitive guy like you had not seen that guide
before. I think it is well worth reading as it goes beyond the usual detect
and clean type guides. --- Steve
 
In Steven L Umbach <[email protected]> had this to say:

My reply is at the bottom of your sent message:
Hi Galen

Wow. I can't believe an inquisitive guy like you had not seen that
guide before. I think it is well worth reading as it goes beyond the
usual detect and clean type guides. --- Steve

Well, there's an awful lot of content on the internet. I've tried my best to
read it all (which is why I have no life) but that one seems to have escaped
me. I expected it to be a watered down base security guide aimed
specifically at malware threats. It turns out that it's fairly accurate, and
has even been updated within the past year.

I've checked its online version (downloading it requires registering, which
I happily did but received no confirmation link) and found chapter three to
be quite interesting. They gave the reasons to avoid multiple AV scanners
running at the same time. I think that the article would make a decent
PowerPoint presentation and am amazed that someone had the idea to include
physical security steps as well.

Good stuff. I'll probably have to try the registration process again just to
be able to download it. I have the MSDN subscription content from that time
but I don't have TechNet I'm afraid. Maybe I'll order that one of these
days.

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes
 