|
Focus on Microsoft
Help with Exploit Feb 02 2007 07:25PM Vic Brown (vabrown mailer fsu edu) (3 replies) RE: Help with Exploit Feb 04 2007 10:52PM Murda Mcloud (murdamcloud bigpond com) (1 replies) Re: Help with Exploit Apr 17 2007 10:11AM Nicolas RUFF (nicolas ruff gmail com) (1 replies) Re: Help with Exploit Apr 17 2007 01:39PM Harlan Carvey (keydet89 yahoo com) (2 replies) |
|
|
Privacy Statement |
I found that you can actually see the Security hive under HKLM if you run
regedit interactively:
One way of doing this is: run the command at in a cmd prompt like this:
at 9:23am /interactive regedit.exe
Change the time here to suit-that is a few minutes into the future.
When regedit opens up then you can simply check the hive but some keys are
'secret' and I don't know how to access them...yet.
I actually received a very similar flag from RR when running it on a
friend's machine and I'm wondering if the first two lines are normal.
-----Original Message-----
From: Murda Mcloud [mailto:murdamcloud (at) bigpond (dot) com [email concealed]]
Sent: Monday, February 05, 2007 8:52 AM
To: 'Vic Brown'; 'focus-ms (at) securityfocus (dot) com [email concealed]'
Subject: RE: Help with Exploit
Hi Vic-are the timestamps/datestamps here significant to you?
>> Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAI*
I've done some googling and am finding that the new RR version checks the
security hive(which I believe to be 'invisible' to regedit-can someone
correct me if I'm wrong?).
These two keys maybe some password store perhaps and are the timestamps
indicative of some s/w install date? Or even the OS?
You might find it useful to post on the Sysinternals forums too
http://forum.sysinternals.com/
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Vic Brown
Sent: Saturday, February 03, 2007 5:25 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Help with Exploit
Hello List,
We're experiencing a serious problem on our networking with an exploit.
After running the Microsoft rootkit detector we found the following:
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0
bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e
286d
*
Hidden from Windows API.,1/31/2007 15:25,13.00
KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50
KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50
KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50
KB,C:\WINNT\system32\pfplgscn.dll
Did some research on the pfplgflt.dll files and found this:
http://vil.nai.com/vil/content/v_122073.htm
All of the files and registry settings listed on the McAfee site were
found on the system, and also a strange a.exe file. Found some general
info about the a.exe file, but all of it was useless and did not relate
at all to this exploit IMHO. I guess it uses a.exe just because. The
boxes had the latest AV updates and engines, and also the latest OS
updates (Windows 2000). Even worst, after reinstalling one of the
boxes, and updating to the latest everything once more, the box was
infected once more. I am know trying to find a way to end this email
with a "professional" sounding question, but to be honest, I don't know
how to proceed with this one. Please help!
Thanks in advance.
Vic
-- _____________________
__/ / Vic Brown |
| Comp Supp Spec |
| FSU-Panama |
| Phone: (507)-314-0367 |
| vabrown (at) mailer.fsu (dot) edu [email concealed] |
\________________________/
----------------------------------------------------------------
[ reply ]