Cleaning out Radmin?


Mr.Guvernment
02-28-05, 10:28 AM
Hey all

well someone got into one of our systems because my dumb ass stupid!!! boss decided NOT to take the advice of buying a firewall router and just got a Cisco 1700 instead - when I told him about this problem he said "it is not about security", the Cisco just wasn't set up right - NO it is about security - because we are not secure and someone got in and now you're just trying to cover your sorry butt! cause this is your fault! AHHHHHHHHHHHHHHHHHHHHHH

So now someone has installed Radmin on one of our systems - I can usually get this stuff out but this person hid the service and I am having issues locating the exe files and dlls

can anyone assist?

Slackfumasta
02-28-05, 12:13 PM
It depends on how it was installed. It's a worm, so it's possible that one of your users received it via email or downloaded an infected program - make sure nobody is using music/video download programs, or any type of p2p sharing software. Might also want to watch your IM usage.

You should also change all your admin passwords (including your router password) to strong passwords. Weak passwords are easy to break - put some symbols and numbers in, and mix up your cases.

Lastly, a firewall properly configured (i.e. only allows certain types of traffic from both sides of the firewall) will prevent something like this from doing any harm to your network, even if it gets installed. If you have to, scour eBay for an old PC and put smoothwall on it and lock it down - only allow traffic types such as http, https, ftp, pop3 (if you don't have a local mail server), smtp, etc. Lock down all the other ports so worms like this don't spread as easily and can't transfer data out of your network.
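The allow-list policy Slackfumasta describes, written out as an added example that is not code from the thread. The post's firewall is a smoothwall box; this expresses the same "default deny, allow only named services" policy on a Windows host firewall so the rules are concrete and re-runnable. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets) and an elevated prompt; the DNS entry is an assumption, since the post does not list it but nothing else on the list resolves names without it.

```powershell
# Added example, not from the original thread: Slackfumasta's allow-list as a
# Windows host-firewall policy. Assumes Windows 8/Server 2012+ and an elevated shell.
$Allowed = @(
    @{ Name = 'HTTP';  Proto = 'TCP'; Port = 80  }
    @{ Name = 'HTTPS'; Proto = 'TCP'; Port = 443 }
    @{ Name = 'FTP';   Proto = 'TCP'; Port = 21  }   # control channel only; passive mode needs more
    @{ Name = 'SMTP';  Proto = 'TCP'; Port = 25  }
    @{ Name = 'POP3';  Proto = 'TCP'; Port = 110 }
    @{ Name = 'DNS';   Proto = 'UDP'; Port = 53  }   # assumed: not in the post, but required by the rest
)
$Group = 'Egress allow-list'

# 1. Default deny in BOTH directions on every profile; everything below is an exception.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Drop any earlier copy of our rules so the script can be re-run safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. One outbound allow rule per service on the list. Nothing is allowed inbound,
#    so a remote-control listener (Radmin's default is TCP 4899) is unreachable
#    from outside even if the service is still running on the box.
foreach ($svc in $Allowed) {
    New-NetFirewallRule -DisplayName "Allow out $($svc.Name)" -Group $Group `
        -Direction Outbound -Action Allow -Protocol $svc.Proto -RemotePort $svc.Port | Out-Null
}

# 4. Log what gets dropped: an infected host trying to scan or phone home shows up here.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

Get-NetFirewallRule -Group $Group | Format-Table DisplayName, Direction, Action -AutoSize
```

Two caveats a practitioner would add: on a domain member this default-deny outbound will also block Kerberos, LDAP, SMB and NTP, so those need their own rules before the policy is usable; and a host firewall on an already-compromised machine is only a stopgap, because whoever has admin on the box can remove the rules. The place for the real allow-list is the perimeter box the post describes.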

Slackfumasta
02-28-05, 12:16 PM
Oh yeah, regarding removal - I wouldn't feel safe unless I wiped out the machine and reinstalled the OS.

Mr.Guvernment
02-28-05, 12:35 PM
^^^ that is the route I would want to take - unfortunately due to my boss - that is not an option as this system is our main intranet server

I am SO p*****d off at him because of his total lack of knowledge in this matter and yet he refuses to understand the damage that has / could be done!!!

he has no concept of security and thinks he knows everything - that is the type of person he is.

there are about 4 other systems in the office I am formatting already cause I can. but that one I can not right now.

I am going to try and set up a new system for that same purpose and seamlessly switch them over, maybe

but for now I need to be able to clean out that system - I have tried all my spyware tools, checked the Radmin site etc etc - I am familiar with the tools used as back in my day I used to do this type of stuff, but I am not familiar with the latest ways of installing Radmin and hiding the service etc.

I.M.O.G.
02-28-05, 01:06 PM
Barely any business person has any concept of the value of security - 90% of your job as security is mitigation, ensuring steps are taken to correct things, and making sure people recognize things need to be done to prevent problems. This is a lot of work, and is much harder and more time consuming than just implementing the security on the technical side. You need to do a presentation for your boss, showing him how mindless it would be to steal his tax and banking information off his PC... Once he sees how simple it is, he will be much more apt to think security is worthwhile.

Slackfu - I have been reading some of your recent contributions to this forum, and I have found many of them insightful and useful. Keep up the good work, and rest assured your peers notice. :)

Mr.Guvernment
02-28-05, 02:52 PM
Quote: Once he sees how simple it is, he will be much more apt to think security is worthwhile.

He has seen this, but it doesn't seem to faze him - I even told the CEO today about the issue and he too was like "did they get our info?" I told him it is not likely since they wanted to use us as a scan stro (T1 was too slow to act as an FTP) - and go out from us to find other places - BUT they full well could have taken every last bit of customer information we had if they wanted and sold it off....

I am talking with a friend to help me more or less do what you suggested, get into their systems and take something and be like, that was easy - will you listen to me now.

At this second I am making a smoothwall system - instead of buying a Firebox or something my boss wants me to take our cable modem router, a Netopia, and put that AFTER the Cisco to act as a firewall! - come on!!!

What gets me the most is that I am not a security person, I have been with this job 4 years and now that the one guy who was the Cisco guy - I have more or less taken on myself the role of network admin / security and you are right - it is a VERY hard job. - I am trying to suck in info as best I can, but I only have so much time in a day :(

I get the lame lines from your boss "well I need this to work - you going to pay for the business we lose" line when it is like - okay fine - I will do my daily support tasks, other misc jobs AND be network admin - so when do I get that raise? and it is not like we are losing any money from something being down in this office, this I know for fact!


ARGH!!!!!!!!! :D - anyone need a job ?

jajmon
02-28-05, 09:47 PM
A Google search on Radmin comes up with 3rd party software similar to VNC, DameWare or pcAnywhere. Seems to me you should be able to uninstall it via Add/Remove Programs. Sorry if I'm wrong on this.

Sorry to hear about your pain...

A Google search on a Cisco 1700 results in this... appears to be a NAT firewall etc... so
http://www.cisco.com/warp/public/cc/pd/rt/1700/index.shtml

let me guess, this site in question uses Outlook for their mail client, someone gets an email that says 'click here' etc, boom trojan/worm etc. I don't think it is a configuration issue with the Cisco as it appears to be similar to a SOHO router but has more high end features. The base configuration, just hooking it up, should give you basic firewall/NAT safety. I think it is more an issue of best practices about what one does with their email and maybe the lack of virus protection @ the desktop. <don't flame me>

Mr.Guvernment
03-01-05, 10:03 AM
^^^ unfortunately can't do it via Add/Remove - the version that has been installed is one that is tweaked and used in "illegal" hacking of sites - the hackers install this version, hide the service, compact it, change .exe names and it does not show in Add/Remove.


I will check out more details on the 1700 - all I have been told is that it has no firewalling features - god the guy who set this up really had no clue!!!!!

Mr.Guvernment
03-03-05, 02:53 PM
have not been able to format this system yet, got it off the external IP and NATed via our cable for the HTTP access

now, I have cleaned out a TON of files, but I still have the Radmin icon beside my clock, I can't close it or find the process or anything!!

helppppppppppppppppppppppppppppppppp
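The hunt the last two Mr.Guvernment posts describe (a service that has been hidden, renamed exe files, a tray icon with no process you can find) as an added PowerShell triage script; it is not code from the thread or from Radmin's vendor. A renamed binary defeats name matching, so the script works from things the attacker cannot rename away: what is listening on the network and which process owns the socket, which service keys exist in the registry but are missing from the Service Control Manager's list (the usual result of hiding a service by changing its security descriptor), what is registered to autostart, and whether the owning binary carries a valid signature. It assumes a modern Windows host (PowerShell 5+, the NetTCPIP module, an elevated prompt); the Radmin defaults it looks for (TCP 4899, service name r_server, configuration under HKLM\SYSTEM\RAdmin) are the 2.x vendor defaults as assumed here, and a repacked build can change all of them.

```powershell
# Added triage script, not code from the thread. Assumes an elevated PowerShell 5+
# prompt on a modern Windows host. The Radmin defaults below are assumptions: the
# repacked build described in the thread can change the port, service and exe name.
$ErrorActionPreference = 'SilentlyContinue'
$SuspectPorts = @(4899)                    # Radmin 2.x default TCP port (assumed)
$SuspectNames = @('r_server', 'radmin')    # default service/exe names (assumed)
$RadminKey    = 'HKLM:\SYSTEM\RAdmin'      # assumed 2.x config location

"== 1. Listening TCP sockets, owning process, binary, signature, hash =="
Get-NetTCPConnection -State Listen | ForEach-Object {
    $p   = Get-Process -Id $_.OwningProcess
    $sig = if ($p.Path) { [string](Get-AuthenticodeSignature $p.Path).Status } else { 'n/a' }
    $why = @()
    if ($_.LocalPort -in $SuspectPorts)  { $why += 'radmin port' }
    if ($sig -notin 'Valid', 'n/a')      { $why += "sig:$sig" }   # repacked builds are unsigned
    [pscustomobject]@{
        Port    = $_.LocalPort
        PID     = $_.OwningProcess
        Process = $p.ProcessName
        Path    = $p.Path
        SHA256  = if ($p.Path) { (Get-FileHash $p.Path).Hash } else { '' }
        Flag    = $why -join ', '
    }
} | Sort-Object Port | Format-Table -AutoSize | Out-String -Width 220

"== 2. Win32 services in the registry that the SCM does not enumerate (hidden via DACL) =="
$scm = @(Get-CimInstance Win32_Service).Name
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | ForEach-Object {
    $v = Get-ItemProperty $_.PSPath
    # Type 0x10/0x20 (plus the 0x40 per-user variants) = Win32 service; drivers are 1/2.
    if (($v.Type -band 0x30) -and ($_.PSChildName -notin $scm)) {
        [pscustomobject]@{ Service = $_.PSChildName; Start = $v.Start; ImagePath = $v.ImagePath }
    }
} | Format-Table -AutoSize | Out-String -Width 220

"== 3. Run/RunOnce autostart entries =="
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty $key
    foreach ($name in (Get-Item $key).Property) {
        '{0,-58} {1} = {2}' -f $key, $name, $props.$name
    }
}

"== 4. Radmin config key and default-name matches (a renamed build will not match here) =="
if (Test-Path $RadminKey) { Get-ChildItem $RadminKey -Recurse | Get-ItemProperty | Out-String }
Get-CimInstance Win32_Service | Where-Object {
    $n = $_.Name + ' ' + $_.PathName
    $SuspectNames | Where-Object { $n -like "*$_*" }
} | Select-Object Name, State, StartMode, ProcessId, PathName | Format-List | Out-String
```

How to use the output: the process that owns the unexpected listener in section 1 is the same process that draws the tray icon, so `Stop-Process -Id <pid> -Force` makes the icon disappear; if it comes back within seconds, a service from section 2 or an autorun from section 3 (or a scheduled task: `schtasks /query /v`) is restarting it and must be disabled first (`sc.exe config <name> start= disabled`, then `sc.exe delete <name>`) before the binary at the recorded path is removed. Record the SHA256 and path before deleting anything. On the 2005-era box in the thread the same data comes from `netstat -ano`, `tasklist /svc`, `sc query type= service state= all` and `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`, compared by hand. None of this changes Slackfumasta's point: a host that has already been used as a scanning pivot cannot be trusted after a cleanup, and the rebuild the thread keeps coming back to is still the right end state.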