The khat2 download has a binary infector, source code and a file called macto.txt. The macro file has some information for downloading hacker defender (hxdef), a user-level rootkit that, if installed as part of the exploit, could run at startup and do a very good job of hiding itself. The best way to learn about hxdef is to download the zip file from http://rootkit.host.sk.

What you're describing doesn't sound like hxdef, unless something went wrong in the execution, but rather like a stability problem that comes along when the RPC service crashes but the system hasn't been restarted.

Unfortunately the best way to discover hxdef on a system is with an off-line analysis. I've used FIRE to mount the disk of a rootkited Windows box and then compared the files with what it said were there when it was on-line. You just have to be careful to make sure that you keep in mind normal hidden files. In my case there were a group of files starting with MsMgr that didn't appear elsewhere. This is of course the very short version of what I went through to find it.

John

At 07:44 AM 8/13/2003 -0500, you wrote:
> I've got reports of msblast infection that I've checked and they indeed do
> have msblast. Also, these systems all have what appears to be a corrupted
> control panel applet. The normal control panel shows up in a left-hand frame
> and the contents of add/remove programs is missing. Also, various popup
> windows simply will not open. I've read that there was a known rootkit
> that utilized the same DCOM exploit called khat2 (spelling) but I'm not
> having much luck in locating the symptoms of systems that have been rooted
> in this manner. Any information would be appreciated. I will be recommending
> that these systems be blown away and reinstalled from clean media; I'm just
> looking for some info to verify what's eaten away at these things.
>
> Thank you.
>
> --
> Micheal Patterson
> Network Administration
> Cancer Care Network
> 405-733-2230

--
John Ives, GCWN, GSEC
Systems Administrator
College of Chemistry
(510) 643-1033

"If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked." - Richard Clarke

Any opinions expressed are my own and not those of the Regents of the University of California.
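The off-line comparison John describes, as an added example that is not part of the thread: the script diffs a directory listing captured on the live system against one taken from the same volume mounted off-line, and reports files that only the off-line view shows (minus an assumed allow-list of files a normal listing omits anyway) plus files whose size differs between views. All paths, sizes and the MsMgr file names are constructed sample data.

```python
ONLINE_LISTING = r"""
# constructed: '<size> <path>' as the live (possibly rootkited) system reported it
17920 C:\Windows\System32\svchost.exe
6176 C:\Windows\System32\msblast.exe
734 C:\Windows\System32\drivers\etc\hosts
"""

OFFLINE_LISTING = r"""
# constructed: the same volume listed after mounting it off-line from a boot disk
17920 C:\WINDOWS\system32\svchost.exe
6176 C:\WINDOWS\system32\msblast.exe
1812 C:\WINDOWS\system32\drivers\etc\hosts
70144 C:\WINDOWS\system32\MsMgrSvc.exe
3456 C:\WINDOWS\system32\MsMgrDrv.sys
805306368 C:\pagefile.sys
"""

# Assumed allow-list: files a plain 'dir' (no /a) omits on a clean system too.
EXPECTED_HIDDEN = (r"C:\pagefile.sys", r"C:\hiberfil.sys")


def parse_listing(text):
    """Parse '<size> <path>' lines into {normalized_path: size}; blank lines and
    '#' comments are skipped.  Windows paths are case-insensitive, so keys are
    case-folded with '/' mapped to '\\' so the two views compare by name."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        size, path = line.split(None, 1)
        entries[path.strip().replace("/", "\\").casefold()] = int(size)
    return entries


def cross_view_diff(online, offline, expected_hidden=()):
    """Return (hidden, mismatched): paths present only in the off-line view,
    minus the allow-list, and paths whose size differs between the views."""
    expected = tuple(p.casefold() for p in expected_hidden)
    hidden = sorted(p for p in offline
                    if p not in online and not p.startswith(expected))
    mismatched = sorted(p for p in offline
                        if p in online and online[p] != offline[p])
    return hidden, mismatched


def analyze_sample():
    return cross_view_diff(parse_listing(ONLINE_LISTING),
                           parse_listing(OFFLINE_LISTING), EXPECTED_HIDDEN)


if __name__ == "__main__":
    print("only visible off-line / size differs:", analyze_sample())
```

Files that turn up only off-line are candidates for rootkit hiding, not proof; each still needs to be checked against what a clean install of the same build carries.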
This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 17:31:42 PDT