Backdoor and hacked ftp files in invisible folders

Discussion in 'malware problems & news' started by skullster, Apr 13, 2006.

Thread Status:
Not open for further replies.
  1. skullster

    skullster Registered Member

    Joined:
    Apr 13, 2006
    Posts:
    1
    Hi Folks

    My webserver was hacked and although I have cleaned all the ftp files, various antispyware software has revealed Wiback and mroot.sys. These are located in hidden directories. By locating some of the hacker's log and ini files I have managed to remove some of these by typing in the path in DOS and FTP software. But there are still hidden folders and files in some locations, and without knowing their names it seems impossible to see them.

    Can anyone help me make these folders visible? (BTW I have tried Explorer "show all files" etc., attrib from DOS, Ztree etc.) Security Task Manager tells me mroot.exe is running but it cannot close it, due to the fact that the location seems not to exist.
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi,

    Searching for hidden files can be very difficult, but fortunately there are a number of solutions to help.

    F-Secure BlackLight Rootkit Elimination Technology Free - http://www.f-secure.com/blacklight/

    RootkitRevealer an advanced rootkit detection utility Free - http://www.sysinternals.com/Utilities/RootkitRevealer.html

    IceSword the Highly acclaimed RK Detector - IceSword 1.12 English version Free - http://xfocus.net/tools/200509/1085.html

    Also you might find some of the Find Hidden Files/Processes apps in this thread useful - http://www.sysinternals.com/Forum/forum_posts.asp?TID=962&PN=0&TPN=2 - most of them are free too!


    StevieO
     
  3. controler

    controler Guest

    Two other programs I would add are Process Explorer and Autoruns by Sysinternals. In Autoruns look at drivers and you may see some with no description. Also look at the services.

    http://www.sysinternals.com/Forum/default.asp

    controler
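The manual check controler describes (scan the Drivers and Services tabs in Autoruns for entries with no description or publisher) can be automated over a CSV export from Autoruns. The following is an added example, not code from the thread or from Sysinternals: it assumes the column names of an Autoruns CSV export (Entry Location, Entry, Category, Description, Publisher, Image Path, ...), that signature verification was enabled so trusted publishers carry a "(Verified)" prefix, and that Autoruns reports an unresolvable image as "File not found: <path>". The sample export is constructed for the demonstration; the entry names echo the ones in the thread but the paths and descriptions are made up.

```python
import csv
import io

# Constructed sample in the shape of an Autoruns CSV export. The column layout
# is an assumption about that format; the parser below looks fields up by
# header name, so adjust the names if your Autoruns version labels them
# differently. Entries, paths and descriptions here are invented.
SAMPLE_AUTORUNS_CSV = """\
Entry Location,Entry,Enabled,Category,Profile,Description,Publisher,Image Path,Version,Launch String
HKLM\\System\\CurrentControlSet\\Services,Tcpip,enabled,Drivers,System-wide,TCP/IP Protocol Driver,(Verified) Microsoft Windows,c:\\windows\\system32\\drivers\\tcpip.sys,5.1.2600.2180,system32\\DRIVERS\\tcpip.sys
HKLM\\System\\CurrentControlSet\\Services,mroot,enabled,Drivers,System-wide,,,c:\\windows\\system32\\drivers\\mroot.sys,,system32\\drivers\\mroot.sys
HKLM\\System\\CurrentControlSet\\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,c:\\windows\\system32\\spoolsv.exe,5.1.2600.2180,C:\\WINDOWS\\system32\\spoolsv.exe
HKLM\\System\\CurrentControlSet\\Services,wiback,enabled,Services,System-wide,Windows Backup Helper,,File not found: c:\\windows\\system32\\wiback.exe,,c:\\windows\\system32\\wiback.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon.exe,enabled,Logon,System-wide,CTF Loader,(Verified) Microsoft Windows,c:\\windows\\system32\\ctfmon.exe,5.1.2600.2180,C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Kernel drivers and services are the categories a rootkit most often lives in.
SUSPECT_CATEGORIES = {"Drivers", "Services"}


def triage_autoruns(csv_text):
    """Return [(entry, image_path, [reasons])] for driver/service entries that
    deserve a closer look: missing description, missing or unverified
    publisher, or an image path Autoruns could not find on disk."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Category") not in SUSPECT_CATEGORIES:
            continue
        reasons = []
        if not row.get("Description", "").strip():
            reasons.append("no description")
        publisher = row.get("Publisher", "").strip()
        if not publisher:
            reasons.append("no publisher")
        elif not publisher.startswith("(Verified)"):
            # Assumes Autoruns was run with signature verification on.
            reasons.append("publisher signature not verified")
        image = row.get("Image Path", "").strip()
        if image.lower().startswith("file not found"):
            # A loaded driver/service whose file "does not exist" is the
            # classic sign of a rootkit hiding its image from the file API.
            reasons.append("image path does not resolve on disk")
        if reasons:
            findings.append((row["Entry"], image, reasons))
    return findings


if __name__ == "__main__":
    for entry, image, reasons in triage_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{entry:12} {image}\n    {'; '.join(reasons)}")
```

The "image path does not resolve" rule is the one that matches the original poster's symptom: Security Task Manager sees mroot.exe running while its location "seems not to exist". Autoruns resolves paths through the same Win32 file API that a kernel-mode rootkit filters, so a running entry with a missing image is a stronger signal than a missing description, which many legitimate third-party drivers also lack.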
     