RE: What the heck is this msblast.exe
From: Scott Mercer (SMercer_at_KUEndowment.org)
Date: 08/12/03
- Previous message: Dominick S.: "Re: DCOM worm is out"
- Maybe in reply to: Minchu Mo: "What the heck is this msblast.exe"
- Next in thread: Rich Logan: "RE: What the heck is this msblast.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-ms@securityfocus.com Date: Tue, 12 Aug 2003 09:05:44 -0500
Along with the firedaemon you might find the Serv-U-FTP and TCP services
running in your services applet. If you stop and disable those services,
system performance should return to normal. At that point, I would save any
critical data and then reformat that machine with the os and all critical
updates. NAV will not detect these because these are more of a hack than
virus activity. As Christopher says, this type of situation could be using
any user account that has been compromised. I would suggest turning on
logon/logoff auditing if you have not already, and then look in the event
log for logons from workstations that are not part of your organization. If
you find that an account is logging onto your network from a workstation
that you don't recognize, disable the account or change the password.
-----Original Message-----
From: Christopher M [mailto:christopherm@btinternet.com]
Sent: Tuesday, August 12, 2003 3:31 AM
To: Tim Mektrakarn; focus-ms@securityfocus.com
Subject: RE: What the heck is this msblast.exe
The RPC exploit itself leaves the server open to any action at all. We have
an open test machine which was hit with this and a hacker tried the exploit
against all our IP addresses. When he found this machine I was able to watch
as he installed a shadow copy of Serv-U FTP server software and configure
anonymous accounts to use our machine as an mp3 file server before I booted
him off. There's no need for any detectable viruses to be involved, as the
hacker can install whatever legitimate(?) software he likes.
Bear in mind that the hacker could have installed software to record
everything you do on the machine. He could be using any account for access.
Treat every file and process on there, and all activity as suspicious until
you've verified its authenticity. Your second instance of firedaemon sounds
classic. What service is it running? Ideally, you'd take the machine offline
and reformat, but I know this isn't always practical.
Regards,
Christopher Moss
|-----Original Message-----
|From: Tim Mektrakarn [mailto:tim@loudpacket.com]
|Sent: 11 August 2003 23:52
|To: focus-ms@securityfocus.com
|Subject: RE: What the heck is this msblast.exe
|
|
|Does this virus attack explorer.exe? I found this on my server, ran the
|MS patch, nav scans and now everytime explorer.exe launches it crashes
|immediately. Also have 2 instances of firedaemon.exe running but NAV
|doesn't detect any viruses.
|
|Tim
|
|
|
|-----Original Message-----
|From: Garrick Strom [mailto:Garrick.Strom@LifeWiseHealth.com]
|Sent: Monday, August 11, 2003 3:17 PM
|To: Minchu Mo; focus-ms@securityfocus.com
|Subject: RE: What the heck is this msblast.exe
|
|According to Symantec this is the long-awaited RPC exploiting worm.
|http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
|
|-----Original Message-----
|From: Minchu Mo [mailto:morris_minchu@iwon.com]
|Sent: Monday, August 11, 2003 3:00 PM
|To: focus-ms@securityfocus.com
|Subject: What the heck is this msblast.exe
|
|
|
|The code resides in c:\winnt\system32.
|
|
|
|It somehow change my registry and pretend to be Window autoupdate in
|
|\Localsystem\software\microsoft\window\run, so it can run when I boot
|the
|
|machine. Now it sending out packet to random(?)IP 's endpoint port
|
|------------------------------------------------------------------------
|---
|Your network firewall and IDS products do not prevent Web application
|attacks - the most common form of online exploitation- resulting in Web
|defacement, data theft, sabotage and fraud.
|KaVaDo is the only company that provides a complete suite of Web
|application
|security products.
|Download a FREE whitepaper on "Security Policy Automation for Web
|Applications":http://www.securityfocus.com/Kavado-focus-ms
|------------------------------------------------------------------------
|---
|
|
|
|------------------------------------------------------------------------
|---
|Your network firewall and IDS products do not prevent Web application
|attacks - the most common form of online exploitation- resulting in Web
|defacement, data theft, sabotage and fraud.
|KaVaDo is the only company that provides a complete suite of Web
|application security products.
|Download a FREE whitepaper on "Security Policy Automation for Web
|Applications":http://www.securityfocus.com/Kavado-focus-ms
|------------------------------------------------------------------------
|---
|
|
|---------------------------------------------------------------------------
|Your network firewall and IDS products do not prevent Web application
|attacks - the most common form of online exploitation- resulting in Web
|defacement, data theft, sabotage and fraud.
|KaVaDo is the only company that provides a complete suite of Web
|application security products.
|Download a FREE whitepaper on "Security Policy Automation for Web
|Applications":http://www.securityfocus.com/Kavado-focus-ms
|---------------------------------------------------------------------------
|
|
---------------------------------------------------------------------------
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
---------------------------------------------------------------------------
- Previous message: Dominick S.: "Re: DCOM worm is out"
- Maybe in reply to: Minchu Mo: "What the heck is this msblast.exe"
- Next in thread: Rich Logan: "RE: What the heck is this msblast.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
