[Intrusions] More on: 8.1M hits message

Don Murdoch djmurd at cox.net
Tue Oct 12 23:13:10 GMT 2004


Hi all.... Today I squeezed in a few hours to work on the hacked box I posted about yesterday. I found two - count'em, two - IRC servers on the system. I found at least two (I think three) remote admin tools on the system. And some other stuff, like "msgfix" (a recent virus). I wanted to let you all know what I had found so far.... (vircd.exe, slave.exe, ra-serv.exe, radmin.exe, .... rundll.dll and .exe in c:\...) OH - and a servu ftp server named "wdumpevt.exe".

The system seems to have been probed over the wire, something searching for one of the DCOM exploits. We have lots of events in the App log .... We also had a very odd event - it appears to be a login event for a user that is no longer on the system - at the same time as the binaries were deposited (within one minute!). I found that to be really interesting ... and all of the time evidence suggests the system was in a locked room, w/ no users ... all day Saturday (school holiday in VA, no classes, fall break).

We are observing a second system on the network doing the same thing, and if I can come up with some more quantifiable info I will post it tomorrow.
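An added illustration of the timeline check described in the post above (my own example code, not Don's): match each dropped binary's creation time against successful logon events and flag the ones where the logon account no longer exists on the box or the logon fell on a weekend. The logon records, file times and account list below are constructed sample data; I assume the logon came from the Security log (event ID 528 on NT-family systems), which the post does not state.

```python
"""Correlate logon events with the arrival of unknown binaries."""
from datetime import datetime, timedelta

# Constructed sample: parsed Security-log logon events. EventID 528 is a
# successful logon on NT/2000/XP; Oct 9 2004 was a Saturday.
LOGON_EVENTS = [
    {"time": datetime(2004, 10, 9, 14, 2, 11), "event_id": 528, "user": "backup_old"},
    {"time": datetime(2004, 10, 11, 8, 15, 0), "event_id": 528, "user": "jsmith"},
]

# Constructed sample: creation times of files found on the system.
DROPPED_FILES = [
    {"path": r"C:\WINNT\system32\vircd.exe", "created": datetime(2004, 10, 9, 14, 2, 40)},
    {"path": r"C:\WINNT\system32\wdumpevt.exe", "created": datetime(2004, 10, 9, 14, 3, 5)},
    {"path": r"C:\WINNT\system32\notepad.exe", "created": datetime(2003, 6, 1, 0, 0, 0)},
]

# Constructed sample: accounts that currently exist on the box ("net user").
CURRENT_ACCOUNTS = {"Administrator", "jsmith"}


def correlate(events, files, current_accounts, window=timedelta(minutes=1)):
    """Return one record per file created within `window` after a successful
    logon. Each record notes the logon user, the delay in seconds, whether the
    account is missing from the current account list, and whether the logon
    happened on a weekend (no users expected on the box)."""
    hits = []
    for ev in events:
        if ev["event_id"] != 528:
            continue
        for f in files:
            delta = f["created"] - ev["time"]
            if timedelta(0) <= delta <= window:
                hits.append({
                    "path": f["path"],
                    "user": ev["user"],
                    "seconds_after_logon": int(delta.total_seconds()),
                    "account_missing": ev["user"] not in current_accounts,
                    "weekend": ev["time"].weekday() >= 5,
                })
    return hits


if __name__ == "__main__":
    for h in correlate(LOGON_EVENTS, DROPPED_FILES, CURRENT_ACCOUNTS):
        print(h)
```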
