

Thread about the DonationCoder.com server Shutdown on March 2nd, 2008


Lashiec:
Is it only ntos.exe? I checked and I have an ntoskrnl.exe in the system32 folder. Is that safe?
-Deozaan (March 07, 2008, 02:13 PM)
--- End quote ---

Check up the link to the Symantec information page about the virus that mouser included in the first post for more details, but that file comes with Windows by default.

mouser:
only ntos.exe is evil. the ntoskrnl.exe is a normal file that you have nothing to worry about.

f0dder:
only ntos.exe is evil. the ntoskrnl.exe is a normal file that you have nothing to worry about.
-mouser (March 07, 2008, 04:09 PM)
--- End quote ---
Yeah, and please do not delete that file :)

ntos.exe was obviously chosen to try and camouflage it next to ntoskrnl.exe - the trojan code even grabs filetime from ntoskrnl.exe and sets the downloaded ntos.exe filetimes based on that!
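Added example, not code from the thread: a defender-side check for the timestamp-copying trick f0dder describes. It flags files in a directory whose modification time exactly matches ntoskrnl.exe, which a dropped lookalike will do while legitimately installed files almost never do. The function names and the sample directory are constructed for this illustration.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    reason: str


def find_timestamp_clones(directory, reference="ntoskrnl.exe", tolerance=0.0):
    """Flag files in `directory` whose modification time matches that of the
    reference file to within `tolerance` seconds.  A dropped binary that copied
    ntoskrnl.exe's timestamps matches exactly, while the files installed beside
    it normally carry their own, different times.  Only mtime is compared:
    creation time is not portable across filesystems and cannot be set from
    Python on Linux, so it is left out of this check."""
    ref_mtime = os.stat(os.path.join(directory, reference)).st_mtime
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.lower() == reference.lower() or not os.path.isfile(path):
            continue
        delta = abs(os.stat(path).st_mtime - ref_mtime)
        if delta <= tolerance:
            findings.append(Finding(name, f"mtime equals {reference} (delta {delta:.0f}s)"))
    return findings


def build_demo_dir():
    """Constructed sample directory (not a real system32): the reference kernel
    image, a lookalike that copied its mtime, and an unrelated file."""
    d = tempfile.mkdtemp(prefix="timestomp_demo_")
    ref_time = 1_200_000_000  # arbitrary fixed epoch seconds (January 2008)
    for name, mtime in [("ntoskrnl.exe", ref_time),
                        ("ntos.exe", ref_time),           # copied timestamp
                        ("other.dll", ref_time + 86_400)]:  # unrelated file
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"placeholder")
        os.utime(path, (mtime, mtime))
    return d


if __name__ == "__main__":
    for hit in find_timestamp_clones(build_demo_dir()):
        print(hit.name, "-", hit.reason)
```

On a real system, point it at the Windows system directory and review each hit by hand; a matching mtime is a lead, not proof.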

Stoic Joker:
Automated attacks are (unfortunately) quite common these days. The attack model used to be pick a target, probe it for weaknesses, and then try to exploit one of them (this actually required knowledge & skill). But now exploits are picked ahead of time in an almost shopping cart manner and are then launched against (completely) random servers using service/port scans in the hopes of finding a "soft" target that (via scripted exploit) can just be popped open, and be prepped for ravaging when some lazy assed "attacker" gets back from lunch.

One of the biggest problems with this (or any) type of attack is that most sites/companies try to conceal the security breach and make every effort to hide the fact that it happened ... which only serves to assist it in propagating further. Foolishly prideful admins not wanting to admit "something went wrong" trying to hide "the mess", which only serves to spread this kind of exploit farther and faster.

In that regard I would like to sincerely applaud Mouser in his handling of this event because he actually made the effort to use common sense, and not only inform visitors that something had happened, but what had happened, and what they could do to clean their systems and prevent it from spreading further. If more admins had the stones to do that ... The Internet would be a lot safer.

So I would just like to say Thank You Mouser, for doing the right thing!

Trust & Respect,
Stoic Joker

f0dder:
I agree with Joker, while it's never a fun thing to admit you've been hacked & it might be a bit unnerving to the end-users, it's the proper thing to do.

Btw it doesn't seem like it was one of those fully automated drive-by hacks in this case, too much fumbling around showing in the log files.
