NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FOCUS-MS> 2007-q1

Re: Help with Exploit

From: Josh Miller (joshuaitsecureadmin.com)
Date: Fri Feb 02 2007 - 15:18:43 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There are a couple of methods you could employ to determine whether or
not this is a problem:

1. Monitor the network using tcpdump, ethereal or other monitoring tool
and shut down all non-necessary services on this host. If you see
suspicious traffic, this might indicate who or where it is going to so
you can validate it and/or the contents.

2. Use the sysinternals tools from Microsoft to discover who is doing
what on your server:
download from:
http://www.microsoft.com/technet/sysinternals/default.mspx

One problem here is that if it's malicious code at work you're defending
hosts when you should be defending your network(s). Find out where the
problem is coming from and shut it down at the firewall.

Thanks,
Josh Miller

Vic Brown wrote:
> Hello List,
>
> We're experiencing a serious problem on our networking with an exploit.
> After running the Microsoft rootkit detector we found the following:
>
> Key name contains embedded nulls (*),8/13/2001 12:06,0
> bytes,HKLM\SECURITY\Policy\Secrets\SAC*
> Key name contains embedded nulls (*),8/13/2001 12:06,0
> bytes,HKLM\SECURITY\Policy\Secrets\SAI*
> Key name contains embedded nulls (*),3/24/2005 11:56,0
> bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
>
> Hidden from Windows API.,1/31/2007 15:25,13.00
> KB,C:\WINNT\system32\pfplgflt.dll
> Hidden from Windows API.,1/31/2007 16:32,7.50
> KB,C:\WINNT\system32\pfplgnfo.dll
> Hidden from Windows API.,1/31/2007 16:32,9.50
> KB,C:\WINNT\system32\pfplgprx.dll
> Hidden from Windows API.,1/31/2007 16:32,12.50
> KB,C:\WINNT\system32\pfplgscn.dll
>
> Did some research on the pfplgflt.dll files and found this:
> http://vil.nai.com/vil/content/v_122073.htm
>
> All of the files and registry settings listed on the McAfee site were
> found on the system, and also a strange a.exe file. Found some general
> info about the a.exe file, but all of it was useless and did not relate
> at all to this exploit IMHO. I guess it uses a.exe just because. The
> boxes had the latest AV updates and engines, and also the latest OS
> updates (Windows 2000). Even worst, after reinstalling one of the
> boxes, and updating to the latest everything once more, the box was
> infected once more. I am know trying to find a way to end this email
> with a "professional" sounding question, but to be honest, I don't know
> how to proceed with this one. Please help!
>
> Thanks in advance.
> Vic
> -- _____________________
> __/ \
> / Vic Brown |
> | Comp Supp Spec |
> | FSU-Panama |
> | Phone: (507)-314-0367 |
> | vabrownmailer.fsu.edu |
> \________________________/
>
>
>
>
>
> ----------------------------------------------------------------
>
>
>

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]