RE: What the heck is this msblast.exe

RMcElroy_at_mbe.com
Date: 08/12/03

  • Next message: Jon Metzger: "Re: msblast and IIS"
    Date: Tue, 12 Aug 2003 15:57:43 -0400
    To: <SMercer@KUEndowment.org>, <focus-ms@securityfocus.com>
    
    

    Has anyone had any issues with patching a SQL box and the box blue
    screening upon reboot?

    -----Original Message-----
    From: Scott Mercer [mailto:SMercer@KUEndowment.org]
    Sent: Tuesday, August 12, 2003 7:06 AM
    To: focus-ms@securityfocus.com
    Subject: RE: What the heck is this msblast.exe

    Along with the firedaemon you might find the Serv-U-FTP and TCP services
    running in your services applet. If you stop and disable those services,
    system performance should return to normal. At that point, I would save
    any critical data and then reformat that machine with the os and all
    critical updates. NAV will not detect these because these are more of a
    hack than virus activity. As Christopher says, this type of situation
    could be using any user account that has been compromised. I would
    suggest turning on logon/logoff auditing if you have not already, and
    then look in the event log for logons from workstations that are not
    part of your organization. If you find that an account is logging onto
    your network from a workstation that you don't recognize, disable the
    account or change the password.

    -----Original Message-----
    From: Christopher M [mailto:christopherm@btinternet.com]
    Sent: Tuesday, August 12, 2003 3:31 AM
    To: Tim Mektrakarn; focus-ms@securityfocus.com
    Subject: RE: What the heck is this msblast.exe

    The RPC exploit itself leaves the server open to any action at all. We
    have an open test machine which was hit with this and a hacker tried the
    exploit against all our IP addresses. When he found this machine I was
    able to watch as he installed a shadow copy of Serv-U FTP server
    software and configured anonymous accounts to use our machine as an mp3
    file server before I booted him off. There's no need for any detectable
    viruses to be involved, as the hacker can install whatever legitimate(?)
    software he likes.

    Bear in mind that the hacker could have installed software to record
    everything you do on the machine. He could be using any account for
    access. Treat every file and process on there, and all activity as
    suspicious until you've verified its authenticity. Your second instance
    of firedaemon sounds classic. What service is it running? Ideally, you'd
    take the machine offline and reformat, but I know this isn't always
    practical.

    Regards,

    Christopher Moss

    |-----Original Message-----
    |From: Tim Mektrakarn [mailto:tim@loudpacket.com]
    |Sent: 11 August 2003 23:52
    |To: focus-ms@securityfocus.com
    |Subject: RE: What the heck is this msblast.exe
    |
    |
    |Does this virus attack explorer.exe? I found this on my server, ran the
    |MS patch, nav scans and now every time explorer.exe launches it crashes
    |immediately. Also have 2 instances of firedaemon.exe running but NAV
    |doesn't detect any viruses.
    |
    |Tim
    |
    |
    |
    |-----Original Message-----
    |From: Garrick Strom [mailto:Garrick.Strom@LifeWiseHealth.com]
    |Sent: Monday, August 11, 2003 3:17 PM
    |To: Minchu Mo; focus-ms@securityfocus.com
    |Subject: RE: What the heck is this msblast.exe
    |
    |According to Symantec this is the long-awaited RPC exploiting worm.
    |http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
    |
    |-----Original Message-----
    |From: Minchu Mo [mailto:morris_minchu@iwon.com]
    |Sent: Monday, August 11, 2003 3:00 PM
    |To: focus-ms@securityfocus.com
    |Subject: What the heck is this msblast.exe
    |
    |
    |
    |The code resides in c:\winnt\system32.
    |
    |It somehow changes my registry and pretends to be Windows autoupdate in
    |\Localsystem\software\microsoft\window\run, so it can run when I boot the
    |machine. Now it is sending out packets to random(?) IPs' endpoint port
    |
    |---------------------------------------------------------------------------
    |Your network firewall and IDS products do not prevent Web application
    |attacks - the most common form of online exploitation- resulting in Web
    |defacement, data theft, sabotage and fraud.
    |KaVaDo is the only company that provides a complete suite of Web
    |application security products.
    |Download a FREE whitepaper on "Security Policy Automation for Web
    |Applications":http://www.securityfocus.com/Kavado-focus-ms
    |---------------------------------------------------------------------------
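Scott Mercer's advice above (turn on logon/logoff auditing, then look in the event log for logons from workstations that are not part of your organisation) can be turned into a small triage script. The following is an added example, not code from anyone in this thread: the CSV export layout, column names, workstation inventory and account names are constructed assumptions; event IDs 528 and 529 are the NT4/2000/2003-era successful-logon and failed-logon Security events.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of Security-log logon events (assumed CSV layout;
# workstation and account names are made up, not from the thread).
# Event 528 = successful logon, 529 = logon failure (NT4/2000/2003 IDs).
SAMPLE_EXPORT = """\
time,event_id,account,workstation,logon_type
2003-08-11 14:58:02,528,jdoe,WS-ACCT-07,2
2003-08-11 15:01:44,528,svc_backup,SRV-FILE01,3
2003-08-11 15:03:10,529,administrator,XK-9-TMP,3
2003-08-11 15:03:12,529,administrator,XK-9-TMP,3
2003-08-11 15:03:15,528,administrator,XK-9-TMP,3
2003-08-11 15:04:40,528,jdoe,XK-9-TMP,3
"""

# Workstations the organisation recognises (assumed inventory).
KNOWN_WORKSTATIONS = {"WS-ACCT-07", "WS-ACCT-12", "SRV-FILE01"}

def parse_logon_events(text):
    """Parse the exported rows into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def foreign_logons(events, known):
    """Successful logons (528) whose source workstation is not in the known set."""
    return [e for e in events
            if e["event_id"] == "528" and e["workstation"].upper() not in known]

def accounts_to_review(events, known):
    """Map each account to the unrecognised workstations it logged on from;
    these are the accounts to disable or re-password per Scott's advice."""
    hits = defaultdict(set)
    for e in foreign_logons(events, known):
        hits[e["account"]].add(e["workstation"])
    return {acct: sorted(ws) for acct, ws in hits.items()}

def failed_logons_by_unknown_host(events, known):
    """Count failed logons (529) per unrecognised workstation; a run of 529s
    followed by a 528 from the same host is the password-guessing pattern."""
    counts = defaultdict(int)
    for e in events:
        if e["event_id"] == "529" and e["workstation"].upper() not in known:
            counts[e["workstation"]] += 1
    return dict(counts)

if __name__ == "__main__":
    evs = parse_logon_events(SAMPLE_EXPORT)
    for acct, ws in accounts_to_review(evs, KNOWN_WORKSTATIONS).items():
        print(f"review account {acct}: logged on from {', '.join(ws)}")
    print("failed logons:", failed_logons_by_unknown_host(evs, KNOWN_WORKSTATIONS))
```

Point it at a real export by replacing SAMPLE_EXPORT with the file contents and KNOWN_WORKSTATIONS with your asset inventory.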
    
