Re: MSBlast and other known exploits..

From: Jay Woody (jay_woodyat_private)
Date: Thu Aug 14 2003 - 07:51:05 PDT


    Another example of why rebuilding is ALWAYS the most secure answer when
    a machine has been compromised.  I have a feeling that many of you that
    are just blindly trusting these cleaners are going to find out that this
    isn't enough.  My 2 cents.  Rebuild.
    
    JayW
    
    >>> "Phil Roginski" <philat_private> 08/13/03 07:39PM >>>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    We had some machines today with the same symptoms.  We found out that they
    also have spybot worm on them.  Once we got rid of that and msblaster
    everything is fine.
    
    Phil
    
    - ----- Original Message ----- 
    From: "John Ives" <jivesat_private>
    To: "Micheal Patterson" <michealat_private>;
    <incidentsat_private>
    Sent: Wednesday, August 13, 2003 10:27 AM
    Subject: Re: MSBlast and other known exploits..
    
    
    > The khat2 download has a binary infector, source code and a file called
    > macto.txt.  The macro file has some information for downloading hacker
    > defender (hxdef), a user level root kit, that if installed as part of the
    > exploit could run at start up and do a very good job of hiding itself.  The
    > best way to learn about hxdef is to download the zip file
    > http://rootkit.host.sk.  What you're describing doesn't sound like hxdef,
    > unless something went wrong in the execution, but rather like a stability
    > problem that comes along when the rpc service crashes but the system hasn't
    > been restarted.  Unfortunately the best way to discover hxdef on a system
    > is with an off-line analysis.
    > I've used FIRE to mount the disk of a rootkited windows box and then
    > compared the files with what it said were there when it was on-line.  You
    > just have to be careful to make sure that you keep in mind normal hidden
    > files.  In my case there were a group of files starting with MsMgr that
    > didn't appear elsewhere.  This is of course the very short version of what
    > I went through to find it.
    >
    > John
    >
    >
    > At 07:44 AM 8/13/2003 -0500, you wrote:
    > >I've got reports of msblast infection that I've checked and they indeed do
    > >have msblast. Also, these systems all have what appears to be a corrupted
    > >control panel applet. The normal control panel shows up in a left hand frame
    > >and the contents of add/remove programs is missing. Also, various popup
    > >windows simply will not open.  I've read that there was a known root kit
    > >that utilized the same dcom exploit called khat2 (spelling) but I'm not
    > >having much luck in locating the symptoms of systems that have been rooted
    > >in this manner. Any information would be appreciated. I will be recommending
    > >that these systems be blown away and reinstalled from clean media, I'm just
    > >looking for some info to verify what's eaten away at these things.
    > >
    > >Thank you.
    > >
    > >--
    > >
    > >Micheal Patterson
    > >Network Administration
    > >Cancer Care Network
    > >405-733-2230
    > >
    > >
    > >
    >
    > -------------------------------------------------
    > John Ives, GCWN, GSEC
    > Systems Administrator
    > College of Chemistry
    > (510) 643-1033
    >
    > "If you spend more on coffee than on IT security,  Then you will be hacked.
    > What's more,  you deserve to be hacked."   - Richard Clarke
    >
    > Any opinions expressed are my own and not those of the Regents of the
    > University of California.
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0
    
    iQA/AwUBPzraI2EotYGToENLEQJSnQCg8D0se/q7n4jei+fuD0TPYkeL9IsAoKx3
    gXRgrCIW0VuJTULb9cvnX2RR
    =z1av
    -----END PGP SIGNATURE-----
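The off-line comparison John Ives describes above (mount the disk from a boot CD, list the files, and compare against what the running system reported) is easy to get wrong by hand because legitimate hidden or locked files also differ between the two views. The following is an added example, not code from this thread or from the FIRE toolkit: it takes two plain-text file listings, one captured on the live system and one captured from the mounted disk, subtracts a baseline of paths that are expected to differ, and groups whatever remains by directory so that a cluster such as the MsMgr files stands out. The listings, the baseline patterns and the MsMgrSvc file names are all constructed for the demonstration.

```python
from __future__ import annotations

import fnmatch
from collections import defaultdict

# Constructed sample listings. In practice ONLINE_LISTING would come from a
# directory walk on the running (possibly rootkited) host and OFFLINE_LISTING
# from the same volume mounted read-only under a boot CD such as FIRE.
ONLINE_LISTING = """\
C:\\WINNT\\system32\\kernel32.dll
C:\\WINNT\\system32\\ntoskrnl.exe
C:\\WINNT\\system32\\config\\SAM
C:\\pagefile.sys
C:\\Documents and Settings\\user\\ntuser.dat
"""

OFFLINE_LISTING = """\
C:\\WINNT\\system32\\kernel32.dll
C:\\WINNT\\system32\\ntoskrnl.exe
C:\\WINNT\\system32\\config\\SAM
C:\\pagefile.sys
C:\\hiberfil.sys
C:\\Documents and Settings\\user\\ntuser.dat
C:\\WINNT\\system32\\MsMgrSvc.exe
C:\\WINNT\\system32\\MsMgrSvc.ini
"""

# Baseline of paths that legitimately show up only in one of the two views
# (locked or system-hidden files). Constructed for the example; a real
# baseline is built by running the same comparison on a known-clean build.
NORMAL_HIDDEN = ("C:\\hiberfil.sys", "C:\\pagefile.sys", "*\\desktop.ini")


def parse_listing(text: str) -> set[str]:
    """Turn a newline-separated listing into a set of normalized paths.

    NTFS is case-insensitive, so case is folded before comparing the views.
    """
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_expected_hidden(path: str, patterns: tuple[str, ...] = NORMAL_HIDDEN) -> bool:
    """True if the (already lower-cased) path matches a baseline pattern."""
    return any(fnmatch.fnmatchcase(path, pattern.lower()) for pattern in patterns)


def diff_views(online_text: str, offline_text: str,
               patterns: tuple[str, ...] = NORMAL_HIDDEN) -> dict[str, list[str]]:
    """Compare the live and off-line views of the same volume.

    'hidden'  : on disk but not reported by the running system (after the
                baseline is removed). This is the rootkit signal.
    'phantom' : reported by the running system but absent on disk, which
                would indicate the live view is being tampered with too.
    """
    online = parse_listing(online_text)
    offline = parse_listing(offline_text)
    hidden = sorted(p for p in offline - online if not is_expected_hidden(p, patterns))
    phantom = sorted(online - offline)
    return {"hidden": hidden, "phantom": phantom}


def group_by_directory(paths: list[str]) -> dict[str, list[str]]:
    """Cluster suspect paths by directory so related files are seen together."""
    groups: dict[str, list[str]] = defaultdict(list)
    for path in paths:
        directory, _, name = path.rpartition("\\")
        groups[directory].append(name)
    return dict(groups)


if __name__ == "__main__":
    result = diff_views(ONLINE_LISTING, OFFLINE_LISTING)
    for directory, names in group_by_directory(result["hidden"]).items():
        print(f"hidden from live system in {directory}:")
        for name in names:
            print(f"    {name}")
    for path in result["phantom"]:
        print(f"reported live but absent on disk: {path}")
```

Run it as-is and the two MsMgrSvc files are reported under C:\WINNT\system32 while hiberfil.sys is silenced by the baseline. Both listings should be captured with the same tool and the same options (recursion, short versus long names) so that the diff reflects what the running system conceals rather than differences in how the two listings were produced.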



    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 11:47:41 PDT