hacktool.flooder

By Eminent87 ·
Hi,

We have a mail server running Exchange 2000 and there is this file called ZPVZYLH.EXE sitting in the root of the C drive. NAVCE 7.6 detected it as a virus (hacktool.flooder), but when I tried to research the virus there was no information on the Symantec or McAfee sites. Even though NAV detected it, it wouldn't quarantine it; it just left it alone. I have tried deleting the file myself but it wouldn't let me; it's saying that the file is in use. Has anybody come across a similar situation and can shed some light?

I don't know if it's related to the virus, but the same server is losing disk space daily, approximately 50 mg a day, and I'm running out of disk space on the local C: drive. The information store is on a different drive, so the local C: drive should be stable, but that is not the case. Any help will be greatly appreciated. Thanks!

by Alpha-Male In reply to hacktool.flooder

I found a little information here:

http://securityresponse.symantec.com/avcenter/venc/dyn/20697.html

It doesn't offer much though... just the consolation that the newest virus definitions would detect it.

I would take a look at the similar "hacktool" virii and the information associated. It looks to me like this is a trojan implanted by a hacker to compromise your system. I would immediately get in touch with Symantec for support! It is likely the hacker has full access to your system. What he is doing with it (likely related to the drive space issues you're seeing) could be very damaging. Don't delay a SECOND in dealing with this. Good luck...

by Alpha-Male In reply to hacktool.flooder

another reference:

http://www.symantec.co.za/avcenter/venc/data/hacktool.html

by Alpha-Male In reply to hacktool.flooder

Make sure to delete any spaces in the above URLs.

You may be able to reboot your system from a boot disk, etc. and delete the file in question (Symantec says it is not a virus per se, but a hacker's tool). That would only be the start though. You really need to do a complete security check of this system. At this point you could be blasting out spam all over the internet, participating in DoS attacks, just about anything. I don't mean to be a "doom-sayer" or unduly frighten you... I just want to convey that you have the signature of a hacked mail server and there is a lot of damage that can be done. In addition, I'd say almost assuredly he has taken actions to open other back doors and breaches should you stop his present intrusion. Check the user accounts on that system. Look for ones you didn't create. Check permissions (see if suddenly someone has admin rights that they shouldn't, for example). I would also get a packet sniffer on this box immediately and look at the traffic in and out!!! You may even be able to begin counter-measures and intrusion detection techniques to catch the culprit.

by Alpha-Male In reply to hacktool.flooder

I wish you good luck... you're facing every network administrator's nightmare. Get that machine isolated from your LAN and begin countermeasures. If you have important data, or worse, confidential/critical data, I can't stress enough how much you need a security expert right now. If it isn't sensitive data, then you need to discuss with your superiors where to go from here. After this ordeal is over, work on tightening security and have an intrusion and counter-measures policy so you are prepared to handle this in future. I hope it works out okay for you.

by Alpha-Male In reply to hacktool.flooder

Here are some sites to look at:

http://www.antionline.com/fight-back/
(basic but a starting place)

http://www.labmice.net/Security/default.htm
(particularly good; check out intrusion detection and securing Windows 2000 in particular)

http://snort.sourcefire.com/
(great software)

http://packet-level.com
(excellent resource... and if you can get advice from Laura, I'd listen!)

http://www.insecure.org/

http://htcia.org/

http://www.sans.org/newlook/home.php

http://www.washington.edu/People/dad/

Make SURE!!!! you get that server isolated from the rest of your network. Don't let the breach spread to other machines. Observe everything on that server. Use the netstat commands to get started. Get Ethereal (FREE packet sniffer) or a commercial sniffer. I would really recommend that after you gather data you completely reformat and recreate the server unless a true security expert tells you otherwise. It is very difficult to tell what has been changed, what tools and back doors are in place and what harm has been done. Even a simple DIR command could have disastrous consequences just now. If there is any way to get help from a security consultant (ESPECIALLY if you have critical or confidential data), do it. Isolate that machine. Observe and test everything you can. Begin countermeasures with the help of a pro if you can.
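The two pieces of advice above (look at the user accounts and open connections, then start with netstat) can be turned into a repeatable first-look check. The script below is an added example, not something from the thread or from any of the linked sites. It parses the text of `netstat -an` as printed on Windows 2000/XP (the `-o` switch that shows PIDs only exists from XP onward, so the example deliberately does not rely on it), compares the listening sockets against a baseline the administrator maintains, and counts how many distinct remote hosts the server is actively connecting to on port 25. A mail server accepting mail has many connections with *local* port 25; a server that has itself opened many connections to *remote* port 25 is the pattern the thread is worried about (mass mailing). The sample output, the baseline and the threshold are all constructed for the example; the addresses use documentation ranges.

```python
"""First-look triage of Windows `netstat -an` text for a suspected compromised mail server.

Added example (not from the forum thread). Assumptions: input is the plain text of
`netstat -an`; the listener baseline is maintained by the administrator; an outbound
connection is one whose local port is not itself a listening port.
"""
import re
from collections import Counter

# One netstat row: protocol, local address, foreign address, optional state (UDP rows have none).
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}

# Constructed sample in the format Windows prints. 192.0.2.10 is the mail server.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:41022     ESTABLISHED
  TCP    192.0.2.10:1057        203.0.113.5:25         ESTABLISHED
  TCP    192.0.2.10:1058        203.0.113.9:25         ESTABLISHED
  TCP    192.0.2.10:1059        203.0.113.12:25        SYN_SENT
  TCP    192.0.2.10:1060        203.0.113.20:25        ESTABLISHED
  TCP    192.0.2.10:1061        203.0.113.33:25        ESTABLISHED
  TCP    192.0.2.10:1062        198.51.100.200:6667    ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

# Constructed baseline: what this particular server is expected to listen on.
EXPECTED_LISTENERS = {("TCP", 25), ("TCP", 135), ("TCP", 445), ("UDP", 53)}


def split_addr(addr):
    """'host:port' -> (host, port); '*:*' gives port None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "fhost": fhost, "fport": fport, "state": state or ""})
    return conns


def listening_sockets(conns):
    """TCP rows in LISTENING plus UDP rows bound with a '*:*' foreign side."""
    out = set()
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "LISTENING":
            out.add(("TCP", c["lport"]))
        elif c["proto"] == "UDP" and c["fhost"] == "*":
            out.add(("UDP", c["lport"]))
    return out


def unexpected_listeners(conns, baseline=EXPECTED_LISTENERS):
    """Listening sockets not in the baseline, e.g. a back door or IRC-style service."""
    return sorted(listening_sockets(conns) - set(baseline))


def outbound_connections(conns):
    """Active TCP rows whose local port is not a listener, i.e. this host initiated them."""
    listeners = listening_sockets(conns)
    return [c for c in conns if c["proto"] == "TCP"
            and c["state"] in ACTIVE_STATES and ("TCP", c["lport"]) not in listeners]


def outbound_fanout(conns, remote_port):
    """Number of distinct remote hosts this server has opened connections to on remote_port."""
    return len({c["fhost"] for c in outbound_connections(conns) if c["fport"] == remote_port})


def triage(text, baseline=EXPECTED_LISTENERS, smtp_threshold=3):
    """Summarise the findings an admin would act on first."""
    conns = parse_netstat(text)
    fanout = outbound_fanout(conns, 25)
    return {
        "unexpected_listeners": unexpected_listeners(conns, baseline),
        "outbound_by_remote_port": dict(Counter(c["fport"] for c in outbound_connections(conns))),
        "smtp_fanout": fanout,
        "mass_mail_suspect": fanout >= smtp_threshold,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

On the constructed sample the check reports the unexpected TCP/6667 listener and five distinct remote hosts on port 25, which is the signal to isolate the box before doing anything else; the intent is a quick, reproducible snapshot to keep alongside the packet capture, not a replacement for the full review the thread recommends.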

by Alpha-Male In reply to hacktool.flooder

Here is a great article from CERT:

http://www.cert.org/security-improvement/modules/m06.html

(delete any spaces in the URL)

by Alpha-Male In reply to hacktool.flooder

The word from MS:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/netdefnd.asp

by Alpha-Male In reply to hacktool.flooder

Interestingly enough, TechRepublic just put an article in the IT Manager section on handling a security breach and forensic tips. Take a look here:

http://www.techrepublic.com/article.jhtml?id=r00620020806mik01.htm&page=1&vf=tt

by Eminent87 In reply to hacktool.flooder

I think I've been hit with a virus of some sort. All of a sudden my C:\winnt\temp folder was flooded with LB.tmp files. It has filled up my entire C: drive. I have tried deleting them but I couldn't; it says the files are in use. I need some kind of resolution quick because I don't have any space left on my C: drive (10 mg left).

I believe the hacker is getting into the system and sending mass email out to people. Can someone please help me out?
