Focus on Microsoft
FW: Blaster vs. Kaht2 Aug 12 2003 09:44PM
Amer Karim (amerk telus net) (1 reply)
Sorry - sent that to Marc off-list by mistake. Meant to post it to the
list.

Regards,
Amer Karim
Nautilis Information Systems
e-mail: amerk (at) telus (dot) net [email concealed], mamerk (at) hotmail (dot) com [email concealed]

-----Original Message-----
From: Amer Karim [mailto:amerk (at) telus (dot) net [email concealed]]
Sent: 12 August 2003 14:39
To: 'Marc Fossi'
Subject: RE: Blaster vs. Kaht2

Out of curiosity, are there any symptomatic clues as to determining if the
system has been compromised by Kaht2? I can't seem to find any info on the
Symantec site.

Regards,
Amer Karim
Nautilis Information Systems
e-mail: amerk (at) telus (dot) net [email concealed], mamerk (at) hotmail (dot) com [email concealed]

-----Original Message-----
From: Marc Fossi [mailto:mfossi (at) securityfocus (dot) com [email concealed]]
Sent: 12 August 2003 10:49
To: Focus-MS
Subject: Blaster vs. Kaht2

I think that there seems to be a bit of confusion between Blaster (the
worm) and Kaht2 (the exploit/autorooter). Some people may have been
rooted by Kaht2 or one of the many other exploits available for the DCOM
RPC vulnerability and are thinking they were hit by the worm.

As far as I know, the obvious signs of Blaster are a mutex named "BILLY",
a file and process named "msblast.exe", and activity on ports 69(UDP) and
4444(TCP). Some of the exploits also use TCP 4444 for the remote shell
(Blaster was based on one of these exploits), so this may be where some of
the confusion lies.

Probably some people were rooted before yesterday, but checked their
systems after hearing of the worm and assumed that they were hit by the
worm, not one of the exploits.

Best policy if you were rooted - reformat and reinstall (with patches
this time). Who knows what other surprises you might have waiting for you.

Cheers

Marc Fossi
Symantec Corp.
www.symantec.com

------------------------------------------------------------------------
---
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
------------------------------------------------------------------------
---
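As an added example that is not part of the thread, a small Python triage helper that applies the distinction Marc draws above: a TCP/4444 listener is shared by Blaster and the Kaht2-style DCOM RPC exploits, whereas the "BILLY" mutex, an msblast.exe process and UDP/69 activity point at the worm itself. The netstat/tasklist text and the mutex list are constructed sample input, and the assumption is that a handle-listing tool on the host supplies the mutex names.

```python
import re

# Indicators the post attributes to the Blaster worm itself.
BLASTER_PROCESS = "msblast.exe"
BLASTER_MUTEX = "BILLY"
TFTP_PORT = ("UDP", 69)
# TCP/4444 is also the remote-shell port of Kaht2-style DCOM RPC exploits,
# so on its own it does not separate the worm from hand-driven rooting.
SHARED_SHELL_PORT = ("TCP", 4444)

# Constructed sample output in `netstat -an` / `tasklist` layout (not real captures).
NETSTAT_BLASTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:69             *:*
"""
NETSTAT_SHELL_ONLY = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
"""
TASKLIST_BLASTER = "svchost.exe   812 Console   0   4,120 K\nmsblast.exe  1320 Console   0   1,240 K\n"
TASKLIST_CLEAN = "svchost.exe   812 Console   0   4,120 K\n"

def parse_netstat(text):
    """Set of (proto, local_port) pairs found in netstat-style lines."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s", line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def parse_tasklist(text):
    """Lowercased image names from tasklist-style lines."""
    return {ln.split()[0].lower() for ln in text.splitlines()
            if ln.split() and ln.split()[0].lower().endswith(".exe")}

def triage(netstat_text, tasklist_text, mutex_names):
    """Return ('blaster' | 'dcom-exploit-suspect' | 'no-indicator', reasons).

    mutex_names is assumed to come from a handle-listing tool on the host.
    """
    ports = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    signs = []
    if BLASTER_MUTEX in {m.upper() for m in mutex_names}:
        signs.append("mutex BILLY")
    if BLASTER_PROCESS in procs:
        signs.append("process msblast.exe")
    if TFTP_PORT in ports:
        signs.append("UDP/69 activity")
    if signs:
        return "blaster", signs
    if SHARED_SHELL_PORT in ports:
        return "dcom-exploit-suspect", ["TCP/4444 only (shared with Kaht2-style exploits)"]
    return "no-indicator", []
```

A host in the second category matches the situation the post describes: rooted through the DCOM RPC hole by an exploit rather than the worm, so the absence of msblast.exe is not a clean bill of health.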


Re: Blaster vs. Kaht2 Aug 13 2003 03:19PM
Micheal Patterson (micheal cancercare net)