KB835732 uploaded and installed through KB835732 flaw

anonymous_at_discussions.microsoft.com
Date: 04/27/04


Date: Tue, 27 Apr 2004 06:53:41 -0700

Are you sure that this wasn't the Automated Update Service
or a SUS / WUS server? Not very many crackers / malicious
hackers will log in as the System account and patch your
servers for you....

>-----Original Message-----
>On 4/25/2004, several Windows 2000 servers that we
>thought had been patched with the KB835732 patch back on April
>15th or so were remotely accessed.
>
>Files that look like they can start an FTP server were
>uploaded to c:\winnt\system32\spool\printers and
>c:\winnnt\certsrv\certcontrol\x86. The
>Windows2000-KB835732-x86-ENU.EXE file was uploaded to the
>c:\winnt directory shortly after the files were uploaded to
>the c:\winnnt\certsrv\certcontrol\x86 directory.
>
>Based on event logs, it looks like the SYSTEM user
>installed the KB835732 patch on our servers. The servers
>were not rebooted. One server seemed to be missing the
>last 10 days or so of the SYSTEM log, and the LSASS
>service crashed on that server within a few hours of the
>server being remotely accessed.
>
>The Windows2000-KB835732-x86-ENU.EXE file was digitally
>signed by Microsoft. We uninstalled it anyway, rebooted,
>patched with all critical updates, and deleted uploaded
>files.
>
>I don't know what this was. I'm posting here to see if
>anyone else has had anything similar occur.
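The reply's question (was it the update client?) and the indicators in the original post (files dropped in the spooler and certsrv directories, the installer appearing under c:\winnt, a missing run of System log entries, LSASS failing hours later) can be combined into a triage check. The Python below is an added example, not code from the thread or from Microsoft: every event record, file name and message text is constructed, and the event source names ("AutoUpdate", "Hotfix", "Application Error") and the update client's staging directory are assumptions, not the real Windows 2000 log format. KB835732 is the Windows 2000 package of security bulletin MS04-011, which fixed the LSASS vulnerability, so an LSASS fault right after the install deserves attention rather than being written off as coincidence.

```python
"""Triage helper for the thread's scenario: decide whether a hotfix install
logged under SYSTEM is explained by the update client (Automatic Updates /
SUS) or needs investigation.  All records, source names, message texts and
the staging directory below are constructed/assumed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Event:
    time: datetime
    log: str       # "System" or "Application"
    source: str    # event source as recorded in the log
    user: str      # account the event was logged under
    message: str


@dataclass
class FileObservation:
    time: datetime  # creation time
    path: str


# Drop locations the original post reports; new content there is unexpected.
WATCHED_DIRS = (
    r"c:\winnt\system32\spool\printers",
    r"c:\winnt\certsrv\certcontrol\x86",
)
# Assumed: where the update client stages packages and the source it logs under.
UPDATE_DOWNLOAD_DIR = r"c:\winnt\softwaredistribution\download"
UPDATE_CLIENT_SOURCES = {"AutoUpdate"}


def log_gap(events: List[Event], log: str = "System",
            max_gap: timedelta = timedelta(days=3)) -> Optional[Tuple[datetime, datetime]]:
    """Largest gap between consecutive entries of `log` if it exceeds max_gap.
    A missing run of entries (the post's '10 days of SYSTEM log') is itself an
    indicator that the log was cleared."""
    times = sorted(e.time for e in events if e.log == log)
    worst = None
    for a, b in zip(times, times[1:]):
        if b - a > max_gap and (worst is None or b - a > worst[1] - worst[0]):
            worst = (a, b)
    return worst


def classify_install(events: List[Event], files: List[FileObservation],
                     patch: str = "KB835732",
                     window: timedelta = timedelta(hours=6)) -> List[Tuple[Event, str, List[str]]]:
    """For each install event of `patch` return (event, verdict, reasons).
    verdict is "expected" only when the update client accounts for it and no
    other indicator fires.  A valid Microsoft signature on the package never
    clears it by itself: whoever already runs as SYSTEM can drop and run a
    genuine, signed installer, which is exactly the post's scenario."""
    results = []
    installs = [e for e in events if patch in e.message and "installed" in e.message.lower()]
    gap = log_gap(events)
    for inst in installs:
        reasons = []

        def before(t: datetime) -> bool:
            return inst.time - window <= t <= inst.time

        # 1. Did the update client log anything about this patch just before?
        if not any(e.source in UPDATE_CLIENT_SOURCES and patch in e.message and before(e.time)
                   for e in events):
            reasons.append("no update-client event for %s within %s before install" % (patch, window))
        for f in files:
            lp = f.path.lower()
            # 2. Installer package written somewhere other than the client's staging area.
            if patch.lower() in lp and lp.endswith(".exe") and not lp.startswith(UPDATE_DOWNLOAD_DIR):
                reasons.append("installer outside update staging area: %s" % f.path)
            # 3. New files in the reported drop directories shortly before the install.
            if before(f.time) and any(lp.startswith(d) for d in WATCHED_DIRS):
                reasons.append("new file in watched directory before install: %s" % f.path)
        # 4. LSASS failure after the install (the component MS04-011 patched).
        if any("lsass" in e.message.lower() and inst.time <= e.time <= inst.time + window
               for e in events if e.source == "Application Error"):
            reasons.append("LSASS fault logged after install")
        # 5. A hole in the System log ending at or before the install.
        if gap and gap[1] <= inst.time + window:
            reasons.append("System log gap %s -> %s" % (gap[0].date(), gap[1].date()))
        results.append((inst, "investigate" if reasons else "expected", reasons))
    return results


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def thread_scenario() -> Tuple[List[Event], List[FileObservation]]:
    """Constructed records mirroring the original post (file names invented)."""
    files = [
        FileObservation(_t("2004-04-25 02:00"), r"c:\winnt\system32\spool\printers\ftpsrv.exe"),
        FileObservation(_t("2004-04-25 02:05"), r"c:\winnt\certsrv\certcontrol\x86\ftpsrv.dll"),
        FileObservation(_t("2004-04-25 02:10"), r"c:\winnt\Windows2000-KB835732-x86-ENU.EXE"),
    ]
    events = [
        Event(_t("2004-04-10 09:00"), "System", "Service Control Manager", "SYSTEM", "Print Spooler entered the running state."),
        Event(_t("2004-04-25 02:12"), "System", "Hotfix", "SYSTEM", "Windows 2000 Hotfix KB835732 was installed."),
        Event(_t("2004-04-25 05:40"), "Application", "Application Error", "SYSTEM", "Faulting application lsass.exe"),
    ]
    return events, files


def update_client_scenario() -> Tuple[List[Event], List[FileObservation]]:
    """Constructed records for a normal update-client install on 15 April."""
    files = [FileObservation(_t("2004-04-15 09:58"),
                             r"c:\winnt\softwaredistribution\download\Windows2000-KB835732-x86-ENU.EXE")]
    events = [
        Event(_t("2004-04-14 09:00"), "System", "Service Control Manager", "SYSTEM", "Print Spooler entered the running state."),
        Event(_t("2004-04-15 09:59"), "System", "AutoUpdate", "SYSTEM", "Installation ready: KB835732"),
        Event(_t("2004-04-15 10:05"), "System", "Hotfix", "SYSTEM", "Windows 2000 Hotfix KB835732 was installed."),
        Event(_t("2004-04-16 09:00"), "System", "Service Control Manager", "SYSTEM", "Print Spooler entered the running state."),
    ]
    return events, files


if __name__ == "__main__":
    for name, (ev, fs) in (("thread", thread_scenario()), ("update client", update_client_scenario())):
        for inst, verdict, reasons in classify_install(ev, fs):
            print(name, inst.time, verdict, *reasons, sep="\n  ")
```

Run as a script it prints the verdict for both constructed scenarios; the thread-like one comes back as "investigate" with every indicator firing, the update-client one as "expected" with no reasons. The window and gap thresholds are deliberately parameters: on a server with sparse logging a three-day gap may be normal, so tune them per host before trusting the gap reason.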
