Re: Russian IIS hack? Malicious Javascript code
From: AndyMac (andymac_at_someonestolemyemailaddy.com)
Date: 06/25/04
- Next message: Tom Pennington: "Re: Website allows everyone in, not matter what"
- Previous message: Ted: "Re: Russian IIS hack? Malicious Javascript code"
- In reply to: Ted: "Re: Russian IIS hack? Malicious Javascript code"
- Next in thread: Ron Guyor: "Re: Russian IIS hack? Malicious Javascript code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Jun 2004 12:42:54 +0100
Microsoft seem to think you're right.
http://www.microsoft.com/security/incident/download_ject.mspx
Listed as critical.
AndyMac.
"Ted" <td@netsol.com> wrote in message
news:WRTCc.150$Fy.102@twister.socal.rr.com...
> I suspect it's the PTC over port 443 vulnerability explained in MS04-011 was
> exploited due to not having the patch installed. I noticed an extra file in
> the system32 folder called 1.exe 191,488 bytes dated 6/21/2004 or
> 6/22/2004... 1.exe was running in the task manager process. Tried stopping
> and received Access Denied. I found the task in windows services marked for
> Automatic Startup named "DNS Name Client" pointing to 1.exe. I submitted
> the 1.exe to Symantec.. They responded quickly with nothing wrong with file.
> I still suspect this is a backdoor. I could not find agent.exe or ads.vbs.
> I'm guessing they were deleted after being installed.