RE: What the heck is this msblast.exe
From: Christopher M (christopherm_at_btinternet.com)
Date: 08/12/03
- Previous message: Rod Trent: "RE: What the heck is this msblast.exe"
- In reply to: Tim Mektrakarn: "RE: What the heck is this msblast.exe"
- Next in thread: Lee_Fisher_at_NAI.com: "RE: What the heck is this msblast.exe"
To: "Tim Mektrakarn" <tim@loudpacket.com>, <focus-ms@securityfocus.com>
Date: Tue, 12 Aug 2003 09:31:04 +0100
The RPC exploit itself leaves the server open to any action at all. We have
an open test machine which was hit with this and a hacker tried the exploit
against all our IP addresses. When he found this machine I was able to watch
as he installed a shadow copy of Serv-U FTP server software and configured
anonymous accounts to use our machine as an mp3 file server before I booted
him off. There's no need for any detectable viruses to be involved, as the
hacker can install whatever legitimate(?) software he likes.
Bear in mind that the hacker could have installed software to record
everything you do on the machine. He could be using any account for access.
Treat every file and process on there, and all activity as suspicious until
you've verified its authenticity. Your second instance of firedaemon sounds
classic. What service is it running? Ideally, you'd take the machine offline
and reformat, but I know this isn't always practical.
Regards,
Christopher Moss
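The advice above (treat every autostart entry and process as suspect until verified) can be turned into a quick triage pass. This is an added example, not code from the list thread: it walks the Run keys and the process list and flags binaries that are missing, unsigned, or outside the Windows and Program Files trees. It assumes PowerShell 5 or later with Get-AuthenticodeSignature, and should be run elevated for a complete process list.

```powershell
# Added triage example (not from the thread): flag autostart entries and
# running processes whose binary is missing, unsigned or in an odd location.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath {
    param([string]$Command)
    # Expand %SystemRoot%-style variables, then strip any arguments.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(\S+?\.exe)') { return $Matches[1] }
    return $c
}

function Test-Suspicious {
    param([string]$Path)
    # A bare name such as "msblast.exe" is resolved through PATH, which is
    # how a file dropped into system32 gets started from a Run value.
    if (-not (Test-Path -LiteralPath $Path)) {
        $cmd = Get-Command $Path -ErrorAction SilentlyContinue
        if (-not $cmd) { return 'MISSING' }
        $Path = $cmd.Source
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED($($sig.Status))" }
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    if (-not ($trusted | Where-Object { $Path -like "$_\*" })) { return 'ODD-LOCATION' }
    return 'ok'
}

"== Autostart (Run) entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
        $exe = Get-ExePath $p.Value
        '{0,-20} {1,-25} {2}' -f (Test-Suspicious $exe), $p.Name, $exe
    }
}

"== Running processes =="
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    '{0,-20} PID {1,-6} {2}' -f (Test-Suspicious $_.Path), $_.Id, $_.Path
}
```

Binaries signed only through a catalog may report as NotSigned on older systems, so treat UNSIGNED as a prompt to check the file's hash and origin rather than as proof by itself; a second copy of a service runner such as firedaemon.exe would show up here with its full path and PID.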
|-----Original Message-----
|From: Tim Mektrakarn [mailto:tim@loudpacket.com]
|Sent: 11 August 2003 23:52
|To: focus-ms@securityfocus.com
|Subject: RE: What the heck is this msblast.exe
|
|
|Does this virus attack explorer.exe? I found this on my server, ran the
|MS patch, nav scans and now every time explorer.exe launches it crashes
|immediately. Also have 2 instances of firedaemon.exe running but NAV
|doesn't detect any viruses.
|
|Tim
|
|-----Original Message-----
|From: Garrick Strom [mailto:Garrick.Strom@LifeWiseHealth.com]
|Sent: Monday, August 11, 2003 3:17 PM
|To: Minchu Mo; focus-ms@securityfocus.com
|Subject: RE: What the heck is this msblast.exe
|
|According to Symantec this is the long-awaited RPC exploiting worm.
|http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
|
|-----Original Message-----
|From: Minchu Mo [mailto:morris_minchu@iwon.com]
|Sent: Monday, August 11, 2003 3:00 PM
|To: focus-ms@securityfocus.com
|Subject: What the heck is this msblast.exe
|
|The code resides in c:\winnt\system32.
|
|It somehow changed my registry and pretends to be Windows autoupdate in
|\Localsystem\software\microsoft\window\run, so it can run when I boot the
|machine. Now it is sending out packets to random(?) IPs' endpoint port
|---------------------------------------------------------------------------
|Your network firewall and IDS products do not prevent Web application
|attacks - the most common form of online exploitation- resulting in Web
|defacement, data theft, sabotage and fraud.
|KaVaDo is the only company that provides a complete suite of Web
|application security products.
|Download a FREE whitepaper on "Security Policy Automation for Web
|Applications":http://www.securityfocus.com/Kavado-focus-ms
|---------------------------------------------------------------------------