
RE: What the heck is this msblast.exe

From: <RMcElroy(at)mbe.com>
Date: Tue Aug 12 2003 - 15:57:43 EDT


Has anyone had any issues with patching a SQL box and the box blue screening upon reboot?

-----Original Message-----
From: Scott Mercer [mailto:SMercer@KUEndowment.org] Sent: Tuesday, August 12, 2003 7:06 AM
To: focus-ms@securityfocus.com
Subject: RE: What the heck is this msblast.exe

Along with the firedaemon you might find the Serv-U-FTP and TCP services running in your services applet. If you stop and disable those services, system performance should return to normal. At that point, I would save any critical data and then reformat that machine with the os and all critical updates. NAV will not detect these because these are more of a hack than virus activity. As Christopher says, this type of situation could be using any user account that has been compromised. I would suggest turning on logon/logoff auditing if you have not already, and then look in the event log for logons from workstations that are not part of your organization. If you find that an account is logging onto your network from a workstation that you don't recognize, disable the account or change the password.

-----Original Message-----
From: Christopher M [mailto:christopherm@btinternet.com] Sent: Tuesday, August 12, 2003 3:31 AM
To: Tim Mektrakarn; focus-ms@securityfocus.com Subject: RE: What the heck is this msblast.exe

The RPC exploit itself leaves the server open to any action at all. We have an open test machine which was hit with this and a hacker tried the exploit against all our IP addresses. When he found this machine I was able to watch as he installed a shadow copy of Serv-U FTP server software and configured anonymous accounts to use our machine as an mp3 file server before I booted him off. There's no need for any detectable viruses to be involved, as the hacker can install whatever legitimate(?) software he likes.

Bear in mind that the hacker could have installed software to record everything you do on the machine. He could be using any account for access. Treat every file and process on there, and all activity as suspicious until you've verified its authenticity. Your second instance of firedaemon sounds classic. What service is it running? Ideally, you'd take the machine offline and reformat, but I know this isn't always practical.

Regards,

Christopher Moss
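Scott Mercer's suggestion above (turn on logon/logoff auditing, then look for logons from workstations that are not part of the organisation) can be mechanised once the Security log has been exported. The following is an added example, not code from the list thread; it assumes a constructed one-record-per-line export of the form `timestamp|account|workstation|logon type` (not a real Windows export format) and a known list of the organisation's workstation names.

```python
"""Flag successful logons from workstations outside the organisation.

Added example, not from the list thread. Assumes the Security log has been
exported as one logon record per line:
    <timestamp>|<account>|<workstation>|<logon type>
(a constructed format, not a real Windows export) and that the organisation's
workstation names are known.
"""
from collections import defaultdict

# Constructed sample records standing in for an exported Security log.
SAMPLE_LOG = """\
2003-08-12 02:14:07|jsmith|WS-ACCT-01|interactive
2003-08-12 02:21:40|svc_backup|SRV-BACKUP|service
2003-08-12 03:02:11|jsmith|LAPTOP-7F3A|network
2003-08-12 03:05:58|Administrator|192.168.77.5|network
2003-08-12 08:30:00|mjones|WS-ENG-07|interactive
"""

# Constructed inventory of the organisation's own machines.
KNOWN_WORKSTATIONS = {"WS-ACCT-01", "WS-ENG-07", "SRV-BACKUP", "SRV-SQL-01"}


def parse_log(text):
    """Yield (timestamp, account, workstation, logon_type) for each record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, workstation, logon_type = line.split("|")
        # Normalise case so inventory comparison is not tripped by NetBIOS casing.
        yield ts, account, workstation.upper(), logon_type


def find_foreign_logons(text, known):
    """Return {account: sorted unknown workstations} for logons from hosts not in `known`."""
    foreign = defaultdict(set)
    for _, account, workstation, _ in parse_log(text):
        if workstation not in known:
            foreign[account].add(workstation)
    return {acct: sorted(hosts) for acct, hosts in foreign.items()}


def accounts_to_disable(text, known):
    """Accounts seen from unrecognised hosts: candidates to disable or re-password."""
    return sorted(find_foreign_logons(text, known))


if __name__ == "__main__":
    for account, hosts in find_foreign_logons(SAMPLE_LOG, KNOWN_WORKSTATIONS).items():
        print(f"{account}: logged on from unrecognised host(s) {', '.join(hosts)}")
```

An account that appears from both a known and an unknown host (here `jsmith`) is the pattern the thread describes: a legitimate account being used by someone else.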

|-----Original Message-----
|MS patch, nav scans and now every time explorer.exe launches it crashes

---
Your network firewall and IDS products do not prevent Web application 
attacks - the most common form of online exploitation- resulting in Web 
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web 
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":
http://www.securityfocus.com/Kavado-focus-ms
------------------------------------------------------------------------
---

Received on Tue Aug 12 16:03:21 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:35 EDT