compromised Real Server 8
From: Brian Collins (listbc_at_newnanutilities.org)
Date: 08/29/03
- Previous message: Bruce Ediger: "Re: Buffer Overflow in Windows Alpha systems"
- Next in thread: morning_wood: "Re: compromised Real Server 8"
- Reply: morning_wood: "Re: compromised Real Server 8"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 29 Aug 2003 09:24:19 -0400
To: incidents@securityfocus.com
I have 2 Real Audio servers, version 8, which have apparently been
compromised. The machines were patched up to date from Windows Update, so
we're pretty sure it wasn't Msblaster or its variants (though we did have a
couple of patched machines still get hit). And its traffic patterns seem
to confirm this. So we think it was possibly the Real Server vulnerability
announced recently. (http://www.securityfocus.com/bid/8476)
In the meantime, I believe there's a rootkit installed on it, but I'm not
sure exactly how to proceed. They've been good to get me training, but I'm
about 2 months shy of going to any incident handling and forensics
training, so most of what I've learned I've picked up from here and other
places in the security community.
FWIW, I've run fport and I see 2 things that don't look normal - the
executables running from "C:\WINNT\system32\spool\drivers...."
Can anyone tell me if they've seen rootkits that use a similar M.O.? I
haven't put these guys back on the network yet to capture any packets.
Thanks for any assistance,
Brian Collins
Sys Admin
Newnan Utilities
******* output of fport ***********
Pid  Process   Port  Proto  Path
444  svchost   135   TCP    C:\WINNT\system32\svchost.exe
8    System    445   TCP
500  msdtc     1025  TCP    C:\WINNT\System32\msdtc.exe
856  MSTask    1033  TCP    C:\WINNT\system32\MSTask.exe
8    System    1078  TCP
892  winnt32   1337  TCP    C:\WINNT\system32\spool\drivers\color\1033\TMP\1033\aux\con\nul\COM\_HHROOT_\System\winnt32.exe
500  msdtc     3372  TCP    C:\WINNT\System32\msdtc.exe
824  netinfo   4899  TCP    C:\WINNT\system32\spool\drivers\color\1033\TMP\1033\aux\con\nul\COM\_HHROOT_\System\netinfo.exe
972  WinVNC    5800  TCP    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
972  WinVNC    5900  TCP    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
444  svchost   135   UDP    C:\WINNT\system32\svchost.exe
8    System    445   UDP
236  services  1026  UDP    C:\WINNT\system32\services.exe
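The fport listing above is the kind of artifact a responder wants to triage mechanically rather than by eye. The following script is an added example, not code from the original post or from fport's authors: it parses fport's plain-text table (the sample below is constructed from the listing in the post, with the two wrapped paths rejoined) and flags listeners whose image path contains reserved DOS device names such as `aux`, `con` or `nul` (Win32 file APIs refuse to create those as ordinary directories, so their presence in a path indicates it was created by bypassing the normal API), whose binary sits outside the expected system directories, whose path is unusually deep, or which report no image path at all despite not being the System process. The expected-directory list and the depth threshold are assumptions chosen for a Windows 2000 host, not values from the post.

```python
"""Triage helper for fport output (added example, not from the original post)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed sample: the listener rows from the post, wrapped paths rejoined.
SAMPLE_FPORT = r"""
Pid Process Port Proto Path
444 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 445 TCP
500 msdtc -> 1025 TCP C:\WINNT\System32\msdtc.exe
856 MSTask -> 1033 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1078 TCP
892 winnt32 -> 1337 TCP C:\WINNT\system32\spool\drivers\color\1033\TMP\1033\aux\con\nul\COM\_HHROOT_\System\winnt32.exe
500 msdtc -> 3372 TCP C:\WINNT\System32\msdtc.exe
824 netinfo -> 4899 TCP C:\WINNT\system32\spool\drivers\color\1033\TMP\1033\aux\con\nul\COM\_HHROOT_\System\netinfo.exe
972 WinVNC -> 5800 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
972 WinVNC -> 5900 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
444 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 445 UDP
236 services -> 1026 UDP C:\WINNT\system32\services.exe
"""

# Reserved DOS device names. Normal file-creation calls reject these as
# directory names, so seeing one as a path component is a strong signal.
RESERVED = {"con", "prn", "aux", "nul"} \
    | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}

# Assumption: where a listening service binary is expected on a Win2K box.
EXPECTED_DIRS = ("c:\\winnt\\system32", "c:\\program files")
# Assumption: a legitimate service path rarely has more components than this.
MAX_DEPTH = 8

# One fport row: "<pid> <process> -> <port> <TCP|UDP> [<path>]"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


@dataclass
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty when fport printed no path (e.g. the System process)


def parse_fport(text: str) -> List[Listener]:
    """Parse fport's table; the header and blank lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append(Listener(int(pid), proc, int(port), proto, path.strip()))
    return rows


def reserved_components(path: str) -> List[str]:
    """Return the path components that are reserved device names."""
    return [p for p in PureWindowsPath(path).parts if p.lower() in RESERVED]


def find_suspicious(listeners: List[Listener]) -> List[Tuple[Listener, List[str]]]:
    """Return (listener, reasons) for every row that trips a heuristic."""
    flagged = []
    for lst in listeners:
        reasons = []
        if lst.path:
            bad = reserved_components(lst.path)
            if bad:
                reasons.append("reserved device name(s) in path: " + ", ".join(bad))
            if not lst.path.lower().startswith(EXPECTED_DIRS):
                reasons.append("binary outside expected directories")
            if len(PureWindowsPath(lst.path).parts) > MAX_DEPTH:
                reasons.append("unusually deep path")
        elif lst.process.lower() != "system":
            reasons.append("no image path reported for a non-System process")
        if reasons:
            flagged.append((lst, reasons))
    return flagged


if __name__ == "__main__":
    for lst, reasons in find_suspicious(parse_fport(SAMPLE_FPORT)):
        print(f"PID {lst.pid} {lst.process} {lst.proto}/{lst.port}: " + "; ".join(reasons))
```

Run against the sample, only the `winnt32` (1337/TCP) and `netinfo` (4899/TCP) rows are flagged, each for the reserved names `aux`, `con`, `nul` and for path depth; the directory check alone would not catch them because the path does start under `C:\WINNT\system32`, which is why a single "outside system32" rule is not enough. The path and PID from fport are the starting point for the next step in a responder's workflow, which is preserving the binaries and their timestamps for offline analysis before the host is touched further.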