Thanks for the replies everyone... comments below...

Philip Pemberton wrote:
> Carey Fisher - NCS wrote:
>
>> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>>
>> h**p://h*m*p*g*.*y*p*a*e*u*/system.exe [ URL declawed by PAP ]
>>
>
> ClamAV says:
> philpem@wolf:~/MALWARE$ clamscan system_exe
> system_exe: Trojan.Mybot-1445 FOUND
> ...
> ....
> If you don't have an antivirus installed, go find a clean machine, grab AVG
> (from free.grisoft.com), burn it to CD, then install it. If AVG won't install,
> get the firewall enabled and block *everything*. Go to
> http://housecall.trendmicro.com/ and scan your system. Let it remove any
> viruses it finds. Then install AVG.
>

Yeah, I use AVG and keep it up to date. I also used McAfee Virus Scan and nothing can find a virus on that machine.

> I notice you're using Outlook Express (the X-Mailer header told me).
> FWIW, there are tons of exploits that allow remote code execution in OE. The
> old double-extension bug, buffer overflows, the list goes on. I'd switch to
> Mozilla Thunderbird (it's a pretty painless switch, Tbird can import most/all
> of your mail and settings from OE).
>

I have Thunderbird on all but that one machine - in fact I'm using Thunderbird now. Maybe I should switch that last machine :)

> What antivirus are you using?
> I guess you've got a perimeter firewall on the router. Any firewall software
> on the machine itself (e.g. ZoneAlarm)?
>

Just using the router for a firewall. I've scanned it from outside and no ports are open except VNC & SKYPE. Also, I've set the DHCP on the DSL Modem to reset every hour.

>
>> Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)?
>>
>
> I wonder if someone exploited VNC... What's your VNC password like - all
> lowercase and less than 8 characters maybe? And no numbers or symbols? :)
>

That's what I'm wondering too... my pw is >8 char and numbers and letters.

> I have my network set up so that you have to SSH in (and use a public key to
> authenticate yourself with the server), then you have to tunnel from the
> server to the machines inside the network. There are only a few ports open on
> the router - SSH, SMTP and HTTP. If I need to connect to a machine on the LAN
> from the Internet, I don't add a port-forward, I use an SSH tunnel.
>

I also run StartUpMonitor so any new programs can't get stuck in as autoruns. I'll run Ethereal a while and see what I catch. Maybe set up a different machine as a "honeypot".

Carey

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at http://mailman.mit.edu/mailman/listinfo/piclist
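The key-only SSH gateway and tunnel-instead-of-port-forward setup Philip describes, as an added example that is not part of this thread: a POSIX sh script that checks whether an sshd_config enforces public-key-only logins (taking the first value of each directive, as sshd does, and ignoring Match blocks) and builds the client-side tunnel that reaches a LAN VNC host through the gateway instead of exposing VNC on the router. The host names and both config texts are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Host names and config text are
# constructed placeholders. ChallengeResponseAuthentication is the
# directive name used by sshd versions of this era.

# Return "yes" if the sshd_config text given as $1 allows public-key
# logins only. sshd uses the first value of each directive, so the
# first uncommented occurrence wins; parsing stops at the first Match
# block, whose conditional settings are not checked here.
key_only_auth() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*Match[[:space:]]/ { exit }
        tolower($1) == "passwordauthentication" && !pa_set { pa = tolower($2); pa_set = 1 }
        tolower($1) == "pubkeyauthentication" && !pk_set { pk = tolower($2); pk_set = 1 }
        tolower($1) == "challengeresponseauthentication" && !cr_set { cr = tolower($2); cr_set = 1 }
        END {
            # sshd defaults: password yes, pubkey yes, challenge-response yes
            if (!pa_set) pa = "yes"; if (!pk_set) pk = "yes"; if (!cr_set) cr = "yes"
            r = (pa == "no" && pk == "yes" && cr == "no") ? "yes" : "no"
            print r
        }'
}

# The client-side tunnel that replaces a VNC port-forward on the router:
# $1 is the SSH gateway, $2 the LAN host running VNC. The forwarded
# port is bound to 127.0.0.1, so only this machine can reach it, and
# BatchMode makes ssh fail instead of falling back to a password prompt.
vnc_tunnel_cmd() {
    printf 'ssh -N -o BatchMode=yes -o IdentitiesOnly=yes -L 127.0.0.1:5900:%s:5900 %s\n' "$2" "$1"
}

# Constructed sample configs: the first still accepts passwords, the
# second is what a key-only gateway needs.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
'
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding yes
'

echo "weak config key-only: $(key_only_auth "$WEAK_SSHD_CONFIG")"          # no
echo "hardened config key-only: $(key_only_auth "$HARDENED_SSHD_CONFIG")"  # yes
vnc_tunnel_cmd gateway.example.net 192.168.1.20
```

Run the check against the gateway's real /etc/ssh/sshd_config before relying on it; a "no" means the box still takes password logins from the Internet.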