Re: Help with Exploit

Fri, 02 Feb 2007 14:29:39 -0800

There are a couple of methods you could employ to determine whether or not this is a problem:
1. Monitor the network using tcpdump, ethereal or other monitoring tool and shut down all non-necessary services on this host. If you see suspicious traffic, this might indicate who or where it is going to so you can validate it and/or the contents. 


2. Use the sysinternals tools from Microsoft to discover who is doing 
what on your server:
  download from: 
http://www.microsoft.com/technet/sysinternals/default.mspx



One problem here is that if it's malicious code at work you're defending 
hosts when you should be defending your network(s).  Find out where the 
problem is coming from and shut it down at the firewall.


Thanks,
Josh Miller

Vic Brown wrote:

Hello List,


We're experiencing a serious problem on our networking with an exploit. 
 After running the Microsoft rootkit detector we found the following:


Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0

bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d* 


Hidden from Windows API.,1/31/2007 15:25,13.00
KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50
KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50
KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50
KB,C:\WINNT\system32\pfplgscn.dll

Did some research on the pfplgflt.dll files and found this:
http://vil.nai.com/vil/content/v_122073.htm


All of the files and registry settings listed on the McAfee site were 
found on the system, and also a strange a.exe file.  Found some general 
info about the a.exe file, but all of it was useless and did not relate 
at all to this exploit IMHO.  I guess it uses a.exe just because.  The 
boxes had the latest AV updates and engines, and also the latest OS 
updates (Windows 2000).  Even worst, after reinstalling one of the 
boxes, and updating to the latest everything once more, the box was 
infected once more.  I am know trying to find a way to end this email 
with a "professional" sounding question, but to be honest, I don't know 
how to proceed with this one.  Please help!


Thanks in advance.
Vic
                       --    _____________________
__/                     \
/ Vic Brown              |
| Comp Supp Spec         |
| FSU-Panama             |
| Phone: (507)-314-0367  |
| [EMAIL PROTECTED] |
\________________________/





----------------------------------------------------------------

























					Reply via email to