
RE: Blaster vs. Kaht2

From: Mario Davids <MarioD(at)etv.co.za>
Date: Wed Aug 13 2003 - 12:18:17 EDT


Not sure if this will help you. But one of the bigger clues to checking if your box was r00ted is to search for servu.* ... Check if the Servu service is running on your box. Also do a netstat -a and check for any arb IRC connections.

" TCP "ME":1293 sokar.zanet.org.za:6667 ESTABLISHED "

...
But there are tons of other clues ... and ways.

Hope this helps
blue

-----Original Message-----

From: Amer Karim [mailto:amerk@telus.net]
Sent: Tuesday, August 12, 2003 11:45 PM
To: Focus on Microsoft Mailing List
Subject: FW: Blaster vs. Kaht2

Sorry - sent that to Marc off-list by mistake. Meant to post it to the list.

Regards,
Amer Karim
Nautilis Information Systems
e-mail: amerk@telus.net, mamerk@hotmail.com

-----Original Message-----

From: Amer Karim [mailto:amerk@telus.net]
Sent: 12 August 2003 14:39
To: 'Marc Fossi'
Subject: RE: Blaster vs. Kaht2


Out of curiosity, are there any symptomatic clues as to determining if the system has been compromised by Kaht2? I can't seem to find any info on the Symantec site.

Regards,
Amer Karim
Nautilis Information Systems
e-mail: amerk@telus.net, mamerk@hotmail.com

-----Original Message-----

From: Marc Fossi [mailto:mfossi@securityfocus.com]
Sent: 12 August 2003 10:49
To: Focus-MS
Subject: Blaster vs. Kaht2

I think that there seems to be a bit of confusion between Blaster (the worm) and Kaht2 (the exploit/autorooter). Some people may have been rooted by Kaht2 or one of the many other exploits available for the DCOM RPC vulnerability and are thinking they were hit by the worm.

As far as I know, the obvious signs of Blaster are a mutex named "BILLY", a file and process named "msblast.exe", and activity on ports 69(UDP) and 4444(TCP). Some of the exploits also use TCP 4444 for the remote shell (Blaster was based on one of these exploits), so this may be where some of the confusion lies.

Probably some people were rooted before yesterday, but checked their systems after hearing of the worm and assumed that they were hit by the worm, not one of the exploits.

Best policy if you were rooted - reformat and reinstall (with patches this time). Who knows what other surprises you might have waiting for you.

Cheers


Marc Fossi
Symantec Corp.
www.symantec.com
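The indicators scattered across this thread (Mario's servu.* files / Serv-U service and IRC connections on 6667, Marc's msblast.exe process, TCP 4444 remote-shell listener and UDP 69 TFTP) can be checked mechanically against a process list and `netstat -a` output. The script below is an added triage example, not code from any of the posters or from Symantec; the netstat text and process names it runs on are constructed sample data, with the `sokar.zanet.org.za:6667` line taken from Mario's mail.

```python
"""Triage helper: scan a process list and Windows 'netstat -a' output for the
Blaster / Kaht2 indicators discussed in the thread. Added example; the sample
input at the bottom is constructed, not captured from a real host."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators named in the thread.
BLASTER_PROCESS = "msblast.exe"                 # Blaster worm file/process name
SERVU_RE = re.compile(r"^servu", re.IGNORECASE)  # servu.* dropped by the autorooter
IRC_PORTS = {6667}                              # "arb IRC connections"
SHELL_PORTS = {4444}                            # TCP remote shell (Blaster and the DCOM exploits)
TFTP_PORT = 69                                  # UDP, used by Blaster to fetch its binary


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str


def _split_endpoint(endpoint: str):
    """'host:port' -> (host, port); '*:*' yields (host '*', port None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse Windows 'netstat -a' output; banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        lh, lp = _split_endpoint(parts[1])
        rh, rp = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        conns.append(Conn(parts[0].upper(), lh, lp, rh, rp, state))
    return conns


def triage(netstat_text: str, process_names) -> List[str]:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    for name in process_names:
        if name.lower() == BLASTER_PROCESS:
            findings.append(f"Blaster process present: {name}")
        elif SERVU_RE.match(name):
            findings.append(f"Serv-U daemon present (autorooter drop?): {name}")
    for c in parse_netstat(netstat_text):
        if c.proto == "TCP" and c.remote_port in IRC_PORTS and c.state == "ESTABLISHED":
            findings.append(f"IRC connection to {c.remote_host}:{c.remote_port}")
        if c.proto == "TCP" and c.local_port in SHELL_PORTS and c.state == "LISTENING":
            findings.append(f"TCP {c.local_port} listener (remote shell port)")
        if c.proto == "UDP" and c.local_port == TFTP_PORT:
            findings.append(f"UDP {TFTP_PORT} (TFTP) bound")
    return findings


# Constructed sample input shaped like 'netstat -a' on a Windows box named ME.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address          State
  TCP    ME:135                 ME:0                     LISTENING
  TCP    ME:4444                ME:0                     LISTENING
  TCP    ME:1293                sokar.zanet.org.za:6667  ESTABLISHED
  UDP    ME:69                  *:*
"""
# Constructed process list (servu.exe is a placeholder for any servu.* binary).
SAMPLE_PROCESSES = ["svchost.exe", "servu.exe", "msblast.exe", "explorer.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(finding)
```

On a live host the two inputs would come from `netstat -a` and `tasklist`; a clean result only says these particular indicators are absent, which is why the thread's advice to reformat and reinstall stands once any of them do show up.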



Received on Wed Aug 13 16:24:41 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:35 EDT

