RE: Help with Exploit
- From: "Murda Mcloud" <murdamcloud@xxxxxxxxxxx>
- Date: Mon, 5 Feb 2007 14:30:40 +1000
Hi Vic.
I found that you can actually see the Security hive under HKLM if you run
regedit interactively:
One way of doing this is: run the command at in a cmd prompt like this:
at 9:23am /interactive regedit.exe
Change the time here to suit-that is a few minutes into the future.
When regedit opens up then you can simply check the hive but some keys are
'secret' and I don't know how to access them...yet.
I actually received a very similar flag from RR when running it on a
friend's machine and I'm wondering if the first two lines are normal.
-----Original Message-----
From: Murda Mcloud [mailto:murdamcloud@xxxxxxxxxxx]
Sent: Monday, February 05, 2007 8:52 AM
To: 'Vic Brown'; 'focus-ms@xxxxxxxxxxxxxxxxx'
Subject: RE: Help with Exploit
Hi Vic-are the timestamps/datestamps here significant to you?
bytes,HKLM\SECURITY\Policy\Secrets\SAC*Key name contains embedded nulls (*),8/13/2001 12:06,0
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAI*
I've done some googling and am finding that the new RR version checks the
security hive(which I believe to be 'invisible' to regedit-can someone
correct me if I'm wrong?).
These two keys maybe some password store perhaps and are the timestamps
indicative of some s/w install date? Or even the OS?
You might find it useful to post on the Sysinternals forums too
http://forum.sysinternals.com/
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Vic Brown
Sent: Saturday, February 03, 2007 5:25 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Help with Exploit
Hello List,
We're experiencing a serious problem on our networking with an exploit.
After running the Microsoft rootkit detector we found the following:
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0
bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d
*
Hidden from Windows API.,1/31/2007 15:25,13.00
KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50
KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50
KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50
KB,C:\WINNT\system32\pfplgscn.dll
Did some research on the pfplgflt.dll files and found this:
http://vil.nai.com/vil/content/v_122073.htm
All of the files and registry settings listed on the McAfee site were
found on the system, and also a strange a.exe file. Found some general
info about the a.exe file, but all of it was useless and did not relate
at all to this exploit IMHO. I guess it uses a.exe just because. The
boxes had the latest AV updates and engines, and also the latest OS
updates (Windows 2000). Even worst, after reinstalling one of the
boxes, and updating to the latest everything once more, the box was
infected once more. I am know trying to find a way to end this email
with a "professional" sounding question, but to be honest, I don't know
how to proceed with this one. Please help!
Thanks in advance.
Vic
-- _____________________
__/ \
/ Vic Brown |
| Comp Supp Spec |
| FSU-Panama |
| Phone: (507)-314-0367 |
| vabrown@xxxxxxxxxxxxxx |
\________________________/
----------------------------------------------------------------
- References:
- Help with Exploit
- From: Vic Brown
- Help with Exploit
- Prev by Date: RE: Share and NTFS permissions
- Next by Date: RE: Help with Exploit
- Previous by thread: Re: Help with Exploit
- Next by thread: RE: Help with Exploit
- Index(es):
Relevant Pages
|
