Check your Administrators group for new accounts. Change all passwords NOW. Unplug the machine if you can. Create a rule in the firewall that disallows any traffic from this box or to it.
You need to start the clean-up right away. This machine could potentially be used to attack anything in your network. You may need to rebuild the machine.
Run a full manual AV scan of the system. If you can't find it, rebuild it! Find the Trojan. There may be no Trojan; they might just be using an unpatched, vulnerable application/service.
Move quickly! And best wishes!
The abuse point is included below:
inetnum:      81.49.131.0 - 81.49.131.255
netname:      IP2000-ADSL-BAS
descr:        BSNIC106 Nice Bloc2
country:      FR
admin-c:      WITR1-RIPE
tech-c:       WITR1-RIPE
status:       ASSIGNED PA
remarks:      for hacking, spamming or security problems send mail to
remarks:      [EMAIL PROTECTED] AND [EMAIL PROTECTED]
mnt-by:       FT-BRX
changed:      [EMAIL PROTECTED] 20021008
changed:      [EMAIL PROTECTED] 20021015
changed:      [EMAIL PROTECTED] 20030318
source:       RIPE

route:        81.49.0.0/16
descr:        France Telecom
descr:        Wanadoo Interactive
remarks:      -------------------------------------------
remarks:      For Hacking, Spamming or Security problems
remarks:      send mail to [EMAIL PROTECTED]
remarks:      -------------------------------------------
origin:       AS3215
mnt-by:       RAIN-TRANSPAC
changed:      [EMAIL PROTECTED] 20020916
source:       RIPE

role:         Wanadoo Interactive Technical Role
address:      WANADOO INTERACTIVE
address:      48 rue Camille Desmoulins
address:      92791 ISSY LES MOULINEAUX CEDEX 9
address:      FR
phone:        +33 1 58 88 50 00
e-mail:       [EMAIL PROTECTED]
e-mail:       [EMAIL PROTECTED]
admin-c:      WITR1-RIPE
tech-c:       WITR1-RIPE
nic-hdl:      WITR1-RIPE
mnt-by:       FT-BRX
changed:      [EMAIL PROTECTED] 20010504
changed:      [EMAIL PROTECTED] 20010912
changed:      [EMAIL PROTECTED] 20011204
changed:      [EMAIL PROTECTED] 20030428
source:       RIPE
At 00:49 7/15/2003, Brad Staaterman (NEW ADDRESS) wrote:
Hi Group,
I found this text in a file called KeyRoWorld.log in a /winnt/system32/log/ folder. Anyone ever hear of this Keyro thing or seen this before? A Yahoo search on it found nothing. Virus scan and Ad-Aware found nothing.
Thanks for your help.
81.49.131.69 unknown nogroup 2003/07/02:09:47:28 l "username incorrect (test)"
81.49.131.69 unknown nogroup 2003/07/02:09:49:37 l "username incorrect (KeyRoZen)"
81.49.131.69 KeyRoZen ADMIN 2003/07/02:09:50:50 l "Login incorrect , not allowed ip: (81.49.131.69)"
81.49.131.69 KeyRoZen ADMIN 2003/07/02:09:50:54 l "Login incorrect , not allowed ip: (81.49.131.69)"
81.49.131.69 KeyRoZen ADMIN 2003/07/02:09:51:13 l "Login incorrect , not allowed ip: (81.49.131.69)"
81.49.131.69 KeyRoZen ADMIN 2003/07/02:09:51:45 l "Login incorrect , not allowed ip: (81.49.131.69)"
81.49.131.69 KeyRoZen ADMIN 2003/07/02:09:52:04 l "succeeded"
81.49.131.69 KeyRoZen ADMIN 2003/07/02:09:53:09 l "succeeded"
81.49.131.69 test TEST 2003/07/02:09:55:41 l "succeeded"
81.49.131.69 unknown nogroup 2003/07/02:09:56:50 l "Password incorrect,username failed for 3 times(unknown)"
81.49.131.69 unknown nogroup 2003/07/02:09:56:50 l "username incorrect (builder)"
81.49.131.69 Builder BUILD 2003/07/02:09:56:59 l "Your IP is banned: (81.49.131.69)"
81.49.131.69 Builder BUILD 2003/07/02:10:00:28 l "succeeded"
81.49.131.69 Builder BUILD 2003/07/02:10:00:42 e "PORT failed (), unable to connect to 128.100.199.38 0 from (hidden address)"
81.49.131.69 Builder BUILD 2003/07/02:10:01:06 e "PORT failed (), unable to connect to ... 0 from (hidden address)"
81.49.131.69 Builder BUILD 2003/07/02:10:01:37 l "succeeded"
81.49.131.69 Builder BUILD 2003/07/02:10:01:43 w "/- 1" 1000000 61
81.49.131.69 Builder BUILD 2003/07/02:10:02:19 d "/- 1"
81.49.131.69 Builder BUILD 2003/07/02:10:25:44 l "succeeded"
81.49.131.69 Builder BUILD 2003/07/02:10:27:09 l "succeeded"
81.49.131.69 unknown nogroup 2003/07/02:03:56:26 l "username incorrect (Builder)"
81.49.131.69 unknown nogroup 2003/07/02:03:56:37 l "username incorrect (KeyRoZen)"
81.49.131.69 unknown nogroup 2003/07/02:03:57:26 l "Password incorrect,username failed for 3 times(unknown)"
81.49.131.69 unknown nogroup 2003/07/02:03:57:26 l "username incorrect (KeyRoZen)"
------
You are subscribed as [EMAIL PROTECTED]
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&lang=english
To unsubscribe send a blank email to %%email.unsub%%
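The KeyRoWorld.log excerpt quoted in the thread has a regular shape (ip, user, group, date:time, one-letter event code, quoted message, optional extras), which makes it easy to triage with a small parser. The following is an added example, not code from the thread or from any product; it assumes the event codes mean l = login, e = error, w = write/upload and d = delete (an inference from the messages, not documented on the page), and it feeds in a subset of the real lines from the post to flag a success that follows a run of failures from one IP, plus the upload/delete activity that shows the box being used as a file drop.

```python
import re
from collections import defaultdict
from datetime import datetime
# Line shape seen in the excerpt: ip user group date:time code "message" [extra]
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) (?P<group>\S+) (?P<ts>\d{4}/\d{2}/\d{2}:\d{2}:\d{2}:\d{2}) '
                     r'(?P<code>[a-z]) "(?P<msg>[^"]*)"(?P<extra>.*)$')
FAIL_MARKERS = ("username incorrect", "Login incorrect", "Password incorrect", "Your IP is banned")

SAMPLE = """\
81.49.131.69 unknown nogroup 2003/07/02:09:49:37 l "username incorrect (KeyRoZen)"
81.49.131.69 KeyRoZen ADMIN 2003/07/02:09:50:50 l "Login incorrect , not allowed ip: (81.49.131.69)"
81.49.131.69 KeyRoZen ADMIN 2003/07/02:09:51:45 l "Login incorrect , not allowed ip: (81.49.131.69)"
81.49.131.69 KeyRoZen ADMIN 2003/07/02:09:52:04 l "succeeded"
81.49.131.69 unknown nogroup 2003/07/02:09:56:50 l "Password incorrect,username failed for 3 times(unknown)"
81.49.131.69 unknown nogroup 2003/07/02:09:56:50 l "username incorrect (builder)"
81.49.131.69 Builder BUILD 2003/07/02:09:56:59 l "Your IP is banned: (81.49.131.69)"
81.49.131.69 Builder BUILD 2003/07/02:10:00:28 l "succeeded"
81.49.131.69 Builder BUILD 2003/07/02:10:01:43 w "/- 1" 1000000 61
81.49.131.69 Builder BUILD 2003/07/02:10:02:19 d "/- 1"
""".splitlines()  # lines taken from the log quoted in the post

def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d:%H:%M:%S")
            rec["extra"] = rec["extra"].strip()
            records.append(rec)
    return records

def find_brute_force(records, min_failures=3):
    """Flag a 'succeeded' login that follows >= min_failures failed attempts from the same IP (file order)."""
    hits, failures = [], defaultdict(int)
    for r in records:
        if r["code"] != "l":
            continue  # only login events (assumed meaning of 'l') count here
        if r["msg"].startswith(FAIL_MARKERS):
            failures[r["ip"]] += 1
        elif r["msg"] == "succeeded":
            if failures[r["ip"]] >= min_failures:
                hits.append((r["ip"], r["user"], r["ts"], failures[r["ip"]]))
            failures[r["ip"]] = 0  # a success closes the run of failures
    return hits

def file_activity(records):
    """Uploads ('w') and deletes ('d', assumed) show the server being used as a file drop."""
    return [(r["code"], r["user"], r["msg"], r["extra"]) for r in records if r["code"] in ("w", "d")]
```

On the sample above it reports two brute-forced logins (KeyRoZen and Builder, three failures each) and one upload followed by one delete by Builder.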
