Focus on Microsoft

Thread:
Help with Exploit, Feb 02 2007 07:25PM, Vic Brown (vabrown mailer fsu edu) (3 replies)
RE: Help with Exploit, Feb 04 2007 10:52PM, Murda Mcloud (murdamcloud bigpond com) (1 reply)
Re: Help with Exploit, Apr 17 2007 10:11AM, Nicolas RUFF (nicolas ruff gmail com) (1 reply)
Re: Help with Exploit, Apr 17 2007 01:39PM, Harlan Carvey (keydet89 yahoo com) (2 replies)
not this is a problem:
1. Monitor the network using tcpdump, ethereal or other monitoring tool
and shut down all non-necessary services on this host. If you see
suspicious traffic, this might indicate who or where it is going to so
you can validate it and/or the contents.
2. Use the sysinternals tools from Microsoft to discover who is doing
what on your server:
download from:
http://www.microsoft.com/technet/sysinternals/default.mspx
One problem here is that if it's malicious code at work you're defending
hosts when you should be defending your network(s). Find out where the
problem is coming from and shut it down at the firewall.
Thanks,
Josh Miller
Vic Brown wrote:
> Hello List,
>
> We're experiencing a serious problem on our network with an exploit.
> After running the Microsoft rootkit detector we found the following:
>
> Key name contains embedded nulls (*),8/13/2001 12:06,0
> bytes,HKLM\SECURITY\Policy\Secrets\SAC*
> Key name contains embedded nulls (*),8/13/2001 12:06,0
> bytes,HKLM\SECURITY\Policy\Secrets\SAI*
> Key name contains embedded nulls (*),3/24/2005 11:56,0
> bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
>
> Hidden from Windows API.,1/31/2007 15:25,13.00
> KB,C:\WINNT\system32\pfplgflt.dll
> Hidden from Windows API.,1/31/2007 16:32,7.50
> KB,C:\WINNT\system32\pfplgnfo.dll
> Hidden from Windows API.,1/31/2007 16:32,9.50
> KB,C:\WINNT\system32\pfplgprx.dll
> Hidden from Windows API.,1/31/2007 16:32,12.50
> KB,C:\WINNT\system32\pfplgscn.dll
>
> Did some research on the pfplgflt.dll files and found this:
> http://vil.nai.com/vil/content/v_122073.htm
>
> All of the files and registry settings listed on the McAfee site were
> found on the system, and also a strange a.exe file. Found some general
> info about the a.exe file, but all of it was useless and did not relate
> at all to this exploit IMHO. I guess it uses a.exe just because. The
> boxes had the latest AV updates and engines, and also the latest OS
> updates (Windows 2000). Even worse, after reinstalling one of the
> boxes, and updating to the latest everything once more, the box was
> infected once more. I am now trying to find a way to end this email
> with a "professional" sounding question, but to be honest, I don't know
> how to proceed with this one. Please help!
>
> Thanks in advance.
> Vic
> --
> Vic Brown
> Comp Supp Spec
> FSU-Panama
> Phone: (507)-314-0367
> vabrown (at) mailer.fsu (dot) edu [email concealed]
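Josh's first step is to watch the host's traffic and work out where it is going so the destination can be validated and blocked at the firewall. The following is an added example, not code from anyone in this thread: it reads tcpdump text output, counts new outbound connections (pure SYN) and UDP datagrams per destination for one host, and lists the destinations not on an expected list. It assumes modern `tcpdump -nn` line formatting ("Flags [S]" for a SYN); the capture lines, the host address and the expected-destination set are constructed for the example.

```python
"""Summarise outbound connection attempts from one host in tcpdump text output.

Added example for this page, not code from the thread. It assumes modern
`tcpdump -nn` line formatting ("Flags [S]" for a TCP SYN) and a constructed
set of destinations the host is expected to talk to.
"""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample lines in tcpdump -nn style; addresses are documentation ranges.
SAMPLE_CAPTURE = """\
15:25:01.000001 IP 10.1.2.3.1034 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
15:25:01.100001 IP 203.0.113.10.80 > 10.1.2.3.1034: Flags [S.], seq 1, ack 2, win 65535, length 0
15:25:02.000001 IP 10.1.2.3.1035 > 198.51.100.7.6667: Flags [S], seq 1, win 65535, length 0
15:25:03.000001 IP 10.1.2.3.1036 > 198.51.100.7.6667: Flags [S], seq 1, win 65535, length 0
15:25:05.000001 IP 10.1.2.3.1034 > 203.0.113.10.80: Flags [P.], seq 1:100, ack 2, win 65535, length 99
15:25:06.000001 IP 10.1.2.3.1038 > 192.0.2.53.53: 1234+ A? example.invalid. (33)
15:25:07.000001 IP 10.1.2.9.1040 > 198.51.100.7.6667: Flags [S], seq 1, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

Endpoint = Tuple[str, int]

# Constructed: destinations this host legitimately needs (e.g. an update server and DNS).
EXPECTED = {("203.0.113.10", 80), ("192.0.2.53", 53)}


def outbound_attempts(capture: str, host: str) -> Counter:
    """Count new TCP connections (pure SYN) and UDP datagrams sent by `host`,
    keyed by (destination IP, destination port)."""
    counts: Counter = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != host:
            continue
        rest = m["rest"]
        is_syn = rest.startswith("Flags [S]")  # SYN without ACK: a new outbound connection
        is_udp = "Flags [" not in rest          # tcpdump prints no TCP flags for UDP
        if is_syn or is_udp:
            counts[(m["dst"], int(m["dport"]))] += 1
    return counts


def unexpected_destinations(counts: Counter, expected=EXPECTED) -> List[Tuple[Endpoint, int]]:
    """Destinations not on the expected list, most-contacted first: these are the
    ones to validate and, if confirmed, block at the firewall."""
    return sorted(((ep, n) for ep, n in counts.items() if ep not in expected),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    counts = outbound_attempts(SAMPLE_CAPTURE, "10.1.2.3")
    for (ip, port), n in unexpected_destinations(counts):
        print(f"{ip}:{port}  {n} attempt(s)")
```

Counting only pure SYNs keeps the established-connection chatter out of the tally, so a host repeatedly trying to reach one unexpected address stands out even in a short capture.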
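The rootkit detector output Vic quotes mixes two kinds of discrepancy: registry key names with embedded nulls and files hidden from the Windows API. The following is an added example, not code from the thread or from Sysinternals: it parses that comma-separated line shape (Description,Timestamp,Size,Path), separates entries assumed benign from those to investigate, and groups the remainder by timestamp so artefacts dropped in one burst are treated as one installation. The sample lines are constructed from the ones in the post (the wrapped GUID line rejoined); the allowlist treating the SAC* and SAI* LSA-secrets entries as noise is an assumption to confirm against the tool's documentation for your build.

```python
"""Triage helper for RootkitRevealer-style discrepancy output.

Added example for this page; not code from the thread or from Sysinternals.
Assumes each report line has the shape Description,Timestamp,Size,Path and
an allowlist of entries assumed benign (verify for your environment).
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample modelled on the lines quoted in the post (one entry per line).
SAMPLE_REPORT = r"""
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0 bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
Hidden from Windows API.,1/31/2007 15:25,13.00 KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50 KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50 KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50 KB,C:\WINNT\system32\pfplgscn.dll
"""

# Assumption: these LSA-secrets entries are commonly reported on clean systems.
# Treat them as noise only after confirming that for your own build.
ASSUMED_BENIGN = [
    r"HKLM\SECURITY\Policy\Secrets\SAC*",
    r"HKLM\SECURITY\Policy\Secrets\SAI*",
]

_UNITS = {"bytes": 1, "byte": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(text: str) -> int:
    """Convert '13.00 KB' or '0 bytes' to a byte count."""
    number, unit = text.strip().split()
    return int(round(float(number) * _UNITS[unit.lower()]))


@dataclass(frozen=True)
class Finding:
    description: str
    timestamp: datetime
    size: int
    path: str

    @property
    def is_registry(self) -> bool:
        return self.path.upper().startswith(("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\"))

    @property
    def kind(self) -> str:
        desc = self.description.lower()
        if "embedded nulls" in desc:
            return "embedded_nulls"
        if "hidden from windows api" in desc:
            return "hidden_key" if self.is_registry else "hidden_file"
        return "other"


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",", 3)  # the path is last; keep any commas inside it
        if len(parts) != 4:
            raise ValueError(f"unexpected line shape: {line!r}")
        desc, stamp, size, path = (p.strip() for p in parts)
        findings.append(Finding(desc, datetime.strptime(stamp, "%m/%d/%Y %H:%M"),
                                parse_size(size), path))
    return findings


def matches_benign(path: str) -> bool:
    return any(fnmatch.fnmatchcase(path.lower(), pat.lower()) for pat in ASSUMED_BENIGN)


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into entries assumed benign and entries to investigate.
    Hidden files are never allowlisted here; only known-noise registry entries are."""
    buckets: Dict[str, List[Finding]] = {"investigate": [], "assumed_benign": []}
    for f in findings:
        if f.kind == "embedded_nulls" and matches_benign(f.path):
            buckets["assumed_benign"].append(f)
        else:
            buckets["investigate"].append(f)
    return buckets


def cluster_by_time(findings: List[Finding], window: timedelta = timedelta(minutes=90)) -> List[List[Finding]]:
    """Group findings whose timestamps fall within `window` of the previous one;
    artefacts written in one burst usually belong to one installation."""
    clusters: List[List[Finding]] = []
    for f in sorted(findings, key=lambda x: x.timestamp):
        if clusters and f.timestamp - clusters[-1][-1].timestamp <= window:
            clusters[-1].append(f)
        else:
            clusters.append([f])
    return clusters


if __name__ == "__main__":
    buckets = triage(parse_report(SAMPLE_REPORT))
    for group in cluster_by_time(buckets["investigate"]):
        print(f"--- {group[0].timestamp:%Y-%m-%d %H:%M} ({len(group)} item(s))")
        for f in group:
            print(f"  [{f.kind}] {f.path} ({f.size} bytes)")
```

The time clustering is what turns a list of seven discrepancies into two events: one 2005 registry entry to look at on its own, and four DLLs written to system32 within about an hour on the same day, which is the set to hand to the AV vendor or compare against the reinstalled box.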