Internet Security Systems (http://www.iss.net) has released a scan tool to check for the MS03-026 patch on Windows servers. I've downloaded and run this tool, command-line only, on my servers and it reports correctly that they are patched. Running a scan on the 35-10.40.x range though yields 5 systems that are not patched. Not sure if there is a way to track down who they belong to or not to get them patched. You can grab the tool here: http://www.iss.net/support/product_utilities/ms03-026rpc.php ----------------------------------- Troy D. Murray Michigan State University College of Human Medicine Department of Medicine Immunohematology and Serology Laboratory B228 Life Science Building East Lansing, MI 48824-1034 (E) murrayt5at_private (P) 517.432.3545 (F) 517.353.5436 (W) http://msuhla.chm.msu.edu MSN: troymurrayat_private AIM: troymurray72 -----Original Message----- From: owner-msusecat_private [mailto:owner-msusecat_private] On Behalf Of Joe Budzyn Sent: Tuesday, August 05, 2003 8:56 AM To: msusecat_private Subject: Microsoft RPC DCOM exploit descriptions The following exploit descriptions are from the fine folks at Purdue University. These computers were hacked using the Microsoft RPC DCOM vulnerability. I have seen at lest one machine on our campus that matches Variant #1 so far. Please keep in mind that even if a computer does not match either variant below, it may still be hacked. As with any sort of post-hacking recovery, please use caution. The instructions involve steps which may damage an installed operating system. I have not tried to recover a computer with these instructions and can make no guarantees. Joe Budzyn -- Joe Budzyn Michigan State University - Incident Response Team Phone: (517) 355-4500 x162 http://www.security.msu.edu abuseat_private Exploit Variants: ---------------------------------------------------------------------------- ---- Variant 1 The following file is uploaded to vulnerable systems: %WINDIR%\system32\NX.EXE This file is a Paquet Builder self-executing (SFX) file. When executed on the compromised machine, the SFX creates the following file structure: %WINDIR%\system32\qossrv - - v1.0D (Haley) - - aysshell.exe - cdir.txt - csrss.exe - FireDeamon.exe - libeay32.dll - mswinsck.ocx - pskill.exe - secure.exe - ServUPerfCount.dll - setup.bat - ssleay32.dll - wget.exe - WinExplorer.dll - winmgnt.exe After uncompressing these files, the SFX file is instructed to launch the file %WINDIR%\system32\qossrv\SETUP.BAT to install additional files and services, as well as reconfigure DCOM. Even though SETUP.BAT runs from the command line, it is not seen by the user. Using the UPX unpacker the content of these files is: winmgnt.exe -- Serv-U Mini-FTP server csrss.exe -- pAdmin utility with H|TTP and DCC capabilities Secure.exe -- Possibly a secure shell? No good clues from strings output. Appears to reference VBA libraries After SETUP.BAT executes, the following files can be found: %WINDIR%\system32 - securedcom.reg - securedcom.reg.1 %WINDIR%\system32\qossrv - aysinstlog.txt - securedcom.reg - secure.bat - go.bat - SystemUptimeLog.ocx In addition, three services are installed using aysshell.exe. This is a utility by Prism Microsystems called At Your Service that allows a user to easily run almost any executable file or script as a service. Information on this product can be found at: (http://www.prismmicrosys.com/atyourservice/atyourservice-index.htm) This is used to launch csrss.exe, secure.exe, and winmgnt.exe as system services. The services can be viewed in the Services Console in Windows 2000 or Windows XP are as follows: "NTF" (this is WINMGNT.EXE) "NTP" (this is CSRSS.EXE) "NTS" (this is SECURE.EXE) WINMGNT.EXE is the executable for ServU-FTP. ServU-FTP is popular for this, as it is compact, and easily portable from machine to machine. It listens on ports 5555 and 48522. Checking for connections on these ports is also recommended. What calls GO.BAT or SECURE.BAT is undetermined, but both of these batch files simply import the securedcom.reg into the local registry. This disables the DCOM service. After this is complete, the "Computer Browser" and "Server" services are no longer running. They can be manually started, but do not run as expected on system boot up. How to clean machines infected with variant 1: Stop the Services: Net Stop "NTP" Net Stop "NTS" Net Stop "NTF" Unregister the OCX Files: regsvr32 /u /s %WINDIR%\system32\qossrv\mswinsck.ocx regsvr32 /u /s %WINDIR%\system32\qossrv\systemuptimelog.ocx Delete the Files: del %WINDIR%\system32\nx.exe del %WINDIR%\system32\securedcom.reg del %WINDIR%\system32\securedcom.reg.1 del %WINDIR%\system32\qossrv\*.* Remove the Directory: rd /s /q %WINDIR%\system32\qossrv Delete the Registry Value: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NTLDM Delete the Registry Keys: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTF HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTP HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTS HKLM\SYSTEM\CurrentControlSet\Services\NTF HKLM\SYSTEM\CurrentControlSet\Services\NTP HKLM\SYSTEM\CurrentControlSet\Services\NTS Note : Some registry entries may be installed with special permissions so that only the SYSTEM has full control. To remove them, right click on the entry, click permissions, and give everyone full control. You will then be able to delete them. Modify the following Registry Key: HKLM\Software\Microsoft\Ole\EnableDCOM=Y Restart the Services: NET START "Server" NET START "Computer Browser" ---------------------------------------------------------------------------- ---- Variant 2 The services created by variant 2 are TCPIPenum, NTLMsDB, and IPconfig Payload is installed in WINNT regardless of your actual Windows folder. Administrators may wish to hand clean these folders as they may contain essential items. Also Note that the folders themselves have both the hidden and system attributes. You may need deltree which is included in the cleanup package in case you don't already have it. The following files must be deleted: C:\WINNT\system32\config\aysshell.exe C:\WINNT\system32\dhcp\csrsslsrms.dll C:\WINNT\system32\dhcp\explorer.exe C:\WINNT\system32\dhcp\fport.exe C:\WINNT\system32\dhcp\igfxtray.exe C:\WINNT\system32\dhcp\nc.exe C:\WINNT\system32\dhcp\ntlmconf.dll C:\WINNT\system32\dhcp\pskill.exe C:\WINNT\system32\dhcp\pslist.exe C:\WINNT\system32\dhcp\rar.exe C:\WINNT\system32\dhcp\reg.exe C:\WINNT\system32\dhcp\rmns.exe C:\WINNT\system32\dhcp\service.exe C:\WINNT\system32\dhcp\SystemUptimeLog.ocx C:\WINNT\system32\dhcp\tlister.exe C:\WINNT\system32\dhcp\wget.exe C:\WINNT\system32\dhcp\winexplorer.dll C:\WINNT\system32\dhcp\home\tar.exe C:\WINNT\system32\restore\binary.gif C:\WINNT\system32\restore\compressed.gif C:\WINNT\system32\restore\csrss.exe C:\WINNT\system32\restore\del.gif C:\WINNT\system32\restore\dir.gif C:\WINNT\system32\restore\folder.open.gif C:\WINNT\system32\restore\image1.gif C:\WINNT\system32\restore\image2.gif C:\WINNT\system32\restore\movie.gif C:\WINNT\system32\restore\MSWINSCK.OCX C:\WINNT\system32\restore\pdf.gif C:\WINNT\system32\restore\pskill.exe C:\WINNT\system32\restore\reg.exe C:\WINNT\system32\restore\script.gif C:\WINNT\system32\restore\service.exe C:\WINNT\system32\restore\sound2.gif C:\WINNT\system32\restore\tar.gif C:\WINNT\system32\restore\text.gif C:\WINNT\system32\restore\unknown.gif %windir%\system32\securedcom.reg %windir%\system32\wge.exe The following registry entry must be removed: Registry Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\current_version\run\QoSs rv $ (runs %windir%\system32\restore\csrss.exe) Registry Keys: HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\root\legacy_tcpipenum HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\root\legacy_ntlmsdb HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\ipconfig HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\TCPIPenum HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\NTLMsDB
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 10:57:48 PDT