Help with Exploit Feb 02 2007 07:25PM
Vic Brown (vabrown mailer fsu edu) (3 replies)
Hello List,

We're experiencing a serious problem on our network with an exploit.
After running the Microsoft rootkit detector we found the following:

Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0 bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
Hidden from Windows API.,1/31/2007 15:25,13.00 KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50 KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50 KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50 KB,C:\WINNT\system32\pfplgscn.dll

Did some research on the pfplgflt.dll files and found this:
http://vil.nai.com/vil/content/v_122073.htm

All of the files and registry settings listed on the McAfee site were
found on the system, and also a strange a.exe file. Found some general
info about the a.exe file, but all of it was useless and did not relate
at all to this exploit IMHO. I guess it uses a.exe just because. The
boxes had the latest AV updates and engines, and also the latest OS
updates (Windows 2000). Even worse, after reinstalling one of the
boxes, and updating to the latest everything once more, the box was
infected once more. I am now trying to find a way to end this email
with a "professional" sounding question, but to be honest, I don't know
how to proceed with this one. Please help!

Thanks in advance.
Vic
-- _____________________
__/ / Vic Brown |
| Comp Supp Spec |
| FSU-Panama |
| Phone: (507)-314-0367 |
| vabrown (at) mailer.fsu (dot) edu [email concealed] |
\________________________/

----------------------------------------------------------------

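Added example, not part of the original thread or of the tool's own code: a small Python triage script for RootkitRevealer-style CSV output like the lines quoted in the post. It assumes the four-field layout shown there (description, timestamp, size, path) and, as its own assumption, ranks the embedded-null key names under the LSA Secrets hive as a low-priority baseline item so that the executables hidden from the Windows API surface first.

```python
import csv
from typing import Dict, List

# Constructed sample in RootkitRevealer's CSV layout (description, timestamp, size, path),
# mirroring the lines quoted in the post with the e-mail line wrapping undone.
SAMPLE_REPORT = """\
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\\SECURITY\\Policy\\Secrets\\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\\SECURITY\\Policy\\Secrets\\SAI*
Hidden from Windows API.,1/31/2007 15:25,13.00 KB,C:\\WINNT\\system32\\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50 KB,C:\\WINNT\\system32\\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50 KB,C:\\WINNT\\system32\\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50 KB,C:\\WINNT\\system32\\pfplgscn.dll
"""

# Assumption made by this script, not a statement from the post: embedded-null key names
# under the LSA Secrets hive are a common baseline finding, so they are ranked low unless
# they differ from what a known-clean host of the same build reports.
BASELINE_PREFIXES = ("HKLM\\SECURITY\\Policy\\Secrets\\",)
EXECUTABLE_SUFFIXES = (".dll", ".exe", ".sys")


def parse_report(text: str) -> List[Dict[str, str]]:
    """Split RootkitRevealer CSV lines into dicts; rows without four fields are skipped."""
    rows = []
    for fields in csv.reader(text.splitlines()):
        if len(fields) != 4:
            continue
        desc, when, size, path = (f.strip() for f in fields)
        rows.append({"description": desc, "timestamp": when, "size": size, "path": path})
    return rows


def severity(row: Dict[str, str]) -> str:
    """Rank one row: an executable hidden from the Windows API is the strongest signal."""
    desc, path = row["description"], row["path"]
    if desc.startswith("Hidden from Windows API"):
        return "high" if path.lower().endswith(EXECUTABLE_SUFFIXES) else "medium"
    if desc.startswith("Key name contains embedded nulls") and path.startswith(BASELINE_PREFIXES):
        return "low"
    return "medium"


def triage(text: str) -> Dict[str, List[str]]:
    """Group reported paths by severity so the hidden files are reviewed first."""
    grouped: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for row in parse_report(text):
        grouped[severity(row)].append(row["path"])
    return grouped
```

Running `triage(SAMPLE_REPORT)` on the constructed sample places the four hidden DLLs under "high" and the two Secrets keys under "low"; feed it the CSV that RootkitRevealer saves to get the same grouping for a real scan.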
RE: Help with Exploit Feb 05 2007 04:30AM
Murda Mcloud (murdamcloud bigpond com)
RE: Help with Exploit Feb 04 2007 10:52PM
Murda Mcloud (murdamcloud bigpond com) (1 replies)
Re: Help with Exploit Apr 17 2007 10:11AM
Nicolas RUFF (nicolas ruff gmail com) (1 replies)
Re: Help with Exploit Apr 17 2007 01:39PM
Harlan Carvey (keydet89 yahoo com) (2 replies)
Re: Help with Exploit Apr 17 2007 09:47PM
Nicolas RUFF (nicolas ruff gmail com)
RE: Help with Exploit Apr 17 2007 03:29PM
James D. Stallard (james leafgrove com) (2 replies)
RE: Help with Exploit Apr 17 2007 10:46PM
Murda Mcloud (murdamcloud bigpond com)
RE: Help with Exploit Apr 17 2007 05:31PM
Miha Pihler (Miha Pihler snt si)
Re: Help with Exploit Feb 02 2007 09:18PM
Josh Miller (joshua itsecureadmin com)
Copyright 2008, SecurityFocus