Re: MSBlast and other known exploits..

From: dr john halewood (johnat_private)
Date: Wed Aug 13 2003 - 09:18:54 PDT


    On Wednesday 13 Aug 2003 1:44 pm, Micheal Patterson wrote:
    > I've read that there was a known rootkit
    > that utilized the same dcom exploit called khat2 (spelling) but I'm not
    > having much luck in locating the symptoms of systems that have been rooted
    > in this manner. Any information would be appreciated.
    
    KaHT2 is/was available from http://www.croulder.com/haxorcitos/kaht2.zip. 
    It's basically the exploit wrapped in a fast portscanner so it can do large 
    subnets quickly. Symptoms of the exploits seem to include:
    
    1) Machines rebooting with an error saying the dcom/rpc service has shut down
    2) Additional services listening on port 4444 (kaht2 also seems to use port 
    666 but I haven't looked far enough through the source code to see what it's 
    used for).
    3) An entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run called 
    "Windows Auto Update" with the data "msblast.exe", causing the exploit to be 
    loaded at boot time.
    4) Vast amounts of RPC traffic on ports 135, 137 & 445 across the network and 
    (on Aug 16) attempts to DoS windowsupdate.com.
    
    Many security companies (eEye, ISS, etc.) have vulnerability scanners to help 
    locate affected hosts. I haven't tested any of them so I don't know how 
    reliable they are.
    
    cheers
    john
    
    
    
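As an added triage example (not part of the thread or John's own tooling), the script below runs the host-side indicators listed above, the "Windows Auto Update" Run entry pointing at msblast.exe and new TCP listeners on 4444/666, against saved copies of `reg query` and `netstat -ano` output; the sample output embedded here is constructed, and the function names are my own.

```python
import re

# Indicators taken from the post: a "Windows Auto Update" Run value whose data is
# msblast.exe, and listeners on TCP 4444 (the post also mentions 666 for KaHT2).
SUSPECT_RUN_VALUE = "Windows Auto Update"
SUSPECT_IMAGE = "msblast.exe"
SUSPECT_PORTS = {4444, 666}

def parse_reg_query(text):
    """Parse 'reg query <key>' output into {value_name: data}."""
    values = {}
    for line in text.splitlines():
        # Value lines look like: "    Windows Auto Update    REG_SZ    msblast.exe"
        m = re.match(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values

def parse_netstat_listeners(text):
    """Return the set of local TCP ports in LISTENING state from 'netstat -ano' output."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports

def check_host(reg_output, netstat_output):
    """Return human-readable findings for the MSBlast/KaHT2 indicators in the post."""
    findings = []
    data = parse_reg_query(reg_output).get(SUSPECT_RUN_VALUE, "")
    if SUSPECT_IMAGE in data.lower():
        findings.append(f"Run key '{SUSPECT_RUN_VALUE}' -> {data}")
    for port in sorted(parse_netstat_listeners(netstat_output) & SUSPECT_PORTS):
        findings.append(f"unexpected TCP listener on port {port}")
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Auto Update    REG_SZ    msblast.exe
    SomeTool    REG_SZ    C:\Program Files\tool\tool.exe
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1488
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    print(*check_host(SAMPLE_REG, SAMPLE_NETSTAT), sep="\n")
```

On a live host, feed it the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and `netstat -ano` instead of the constructed samples.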
    



    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 19:49:30 PDT