I've seen this before, typically on machines which were compromised via NetBIOS null session vulnerabilities. There may be a hidden recursive directory within rmtcfg; look at the dates on the files in the directory and do a search for files Modified/Created at that time. I think I may have saved the whole directory structure; I'll take a look to see if there is any more information I can give you.

Other than that, if the machine was running on a routable IP, make sure you filter/shut down any unnecessary ports/services. If the PDC was not on a routable IP, you may have a malicious internal user; check the audit logs. I've actually seen this more on laptops which were plugged into a cable modem/DSL not running a personal firewall.

Adam

> Sorry if this post seems remedial, but I'm pretty new to security.
>
> Last week our NT4 PDC detected a virus (Pinfi.a) and put it in quarantine
> as it should. While cleaning up the files, I noticed a new folder in the
> WINNT/System32 directory: rmtcfg. It was filled with several .exe and
> batch scripts.
>
> Evidently, someone got in (with admin privileges) and tried to set up an
> IRC server using an IRC.Flood variant. Luckily, the virus protection
> kicked in before he could finish setting up the server.
>
> I ran handle.exe, listdlls.exe, pslist.exe, fport.exe, and netstat as
> directed in "Detecting and Removing Trojans and Malicious Code from
> Win2K."
>
> My question is, since the system was compromised and system files and the
> registry have been replaced/added to, am I just better off formatting
> the system partition and restoring from a good backup?
>
> Thanks,
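The timeline step Adam recommends (take the dates on the files in rmtcfg, then look for everything else on the box written at about the same time) as an added Python example; this is not code from Adam's reply or the original post. It brackets the modification times of the files under the drop directory, pads the window, and walks the rest of the tree for other files written inside that window. The directory layout, file names and timestamps it builds are constructed sample data standing in for the compromised PDC, and the 30-minute pad is an assumption.

```python
import os
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path


def directory_time_window(drop_dir, pad_minutes=30):
    """Bracket the mtimes of every file under drop_dir (recursively) and pad
    the window by pad_minutes on each side. Returns (start, end) datetimes."""
    mtimes = []
    for root, _dirs, files in os.walk(drop_dir):
        for name in files:
            mtimes.append(os.path.getmtime(os.path.join(root, name)))
    if not mtimes:
        raise ValueError(f"no files under {drop_dir}")
    pad = timedelta(minutes=pad_minutes)
    return (datetime.fromtimestamp(min(mtimes)) - pad,
            datetime.fromtimestamp(max(mtimes)) + pad)


def files_modified_in_window(search_root, start, end, exclude=()):
    """Walk search_root and return (mtime, absolute path) pairs, oldest first,
    for files modified within [start, end]. Anything under a path in
    `exclude` is skipped so the drop directory itself is not re-listed.
    Only the modification time is checked here; on Windows, os.stat().st_ctime
    is the NTFS creation time and is worth comparing as a second source."""
    excluded = [os.path.abspath(e) for e in exclude]
    hits = []
    for root, _dirs, files in os.walk(search_root):
        for name in files:
            path = os.path.abspath(os.path.join(root, name))
            if any(path == e or path.startswith(e + os.sep) for e in excluded):
                continue
            try:
                mtime = datetime.fromtimestamp(os.path.getmtime(path))
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if start <= mtime <= end:
                hits.append((mtime, path))
    hits.sort()
    return hits


def build_sample_tree(base, t0):
    """Constructed sample data (not from the original post): a miniature
    WINNT tree where the intruder's files landed in System32\\rmtcfg at
    epoch time t0. File names and times are made up for the example."""
    base = Path(base)
    sys32 = base / "WINNT" / "System32"
    drop = sys32 / "rmtcfg"
    drop.mkdir(parents=True)
    (base / "Temp").mkdir()

    def touch(path, when):
        path.write_bytes(b"x")
        os.utime(path, (when, when))  # set atime and mtime to `when`

    touch(drop / "a.exe", t0)                      # dropped tool
    touch(drop / "go.bat", t0 + 60)                # dropped script
    touch(base / "WINNT" / "system.ini", t0 + 120) # edited during the break-in
    touch(sys32 / "newdll.dll", t0 + 300)          # planted outside rmtcfg
    touch(sys32 / "kernel32.dll", t0 - 3 * 86400)  # old, untouched
    touch(base / "Temp" / "x.tmp", t0 + 86400)     # a day later, out of window
    return base


def demo():
    """Run the timeline against the sample tree and return the paths
    (relative to the fake system root, forward slashes) that fall inside
    the drop-directory window, oldest first."""
    with tempfile.TemporaryDirectory() as tmp:
        t0 = time.time() - 7 * 86400  # pretend the drop happened a week ago
        root = build_sample_tree(tmp, t0)
        drop = root / "WINNT" / "System32" / "rmtcfg"
        start, end = directory_time_window(drop, pad_minutes=30)
        hits = files_modified_in_window(root, start, end, exclude=[drop])
        return [os.path.relpath(p, root).replace(os.sep, "/") for _, p in hits]


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

On a real box you would point it at the system drive rather than a temporary tree. Modification times are trivially reset by anyone with admin rights, so treat the result as a lead list to cross-check against NTFS creation times and the audit logs Adam mentions, not as proof that anything outside the window is clean.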
This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:31:22 PDT