Hi.
A friend's windows 2000 game server was remotely administered via VNC. Unfortunately, it was an old version, and he hadn't used any encryption on it. So, two days ago, someone broke in and started screwing around with it. Luckily, we were there at the time and noticed within a couple of hours, and disconnected it.
The perp had apparently been using it as a proxy/gateway for a yahoo VoIP service, registering a dozen virtual phone numbers on the service with a probably stolen credit card number and making a number of short calls to numbers in the US. When we kicked him off, the yahoo windows were still open and logged in, so we were able to save out a load of info on what accouts were opened and when, the phone numbers, the numbers called, the email address, and so on. I also saved the history of the command line buffer, which had some IP addresses of interest as well.
All this information will be passed on to Yahoo's abuse department, so they can ignore it/deal with it, depending on their whim.
Anyway, having deleted everything we could find that he had installed (an IRC trojan seemed to be most of it, in addition to the VoIP app), we removed and reinstalled all the virus checkers, rootkit detectors, spyware removers, and so on. The machine was thoroughly sanitised, and is now running UltraVNC with RC4 encryption tunneled over SSH with different encryption. It should be fairly difficult to compromise it again, I hope.
However, there is a process that keeps popping up in the task manager, named vjvl.exe. Neither of us can think of anything legitimate it could be, and google draws a blank. I'm going to hunt it down and kill it, but does anyone know what it is?
pca
_________________________
Experience is what you get just after it would have helped...