Re: MSBlast and other known exploits..
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We had some machines today with the same symptoms. We found out that they
also have spybot worm on them. Once we got rid of that and msblaster
everything is fine.
Phil
- ----- Original Message -----
From: "John Ives" <jives@cchem.berkeley.edu>
To: "Micheal Patterson" <micheal@cancercare.net>; <incidents@securityfocus.com>
Sent: Wednesday, August 13, 2003 10:27 AM
Subject: Re: MSBlast and other known exploits..
> The khat2 download has a binary infector, source code and a file called
The
> best way to learn about hxdef to download the zip file
hasn't
> been restarted. Unfortunately the best way to discover hxdef on a system
do
> >have msblast. Also, these systems all have what appears to be a corrupted
> >control panel applet. The normal control panel shows up in a left hand frame
> >and the contents of add/remove programs is missing. Also, various popup
> >windows simply will not open. I've read that there was a known root kit
> >that utilized the same dcom exploit called khat2 (spelling) but I'm not
> >having much luck in locating the symptoms of systems that have been rooted
> >in this manner. Any information would be appreciated. I will be recommending
> >that these systems be blown away and reinstalled from clean media, I'm just
> >looking for some info to verify what's eaten away at these things.
> >
> >Thank you.
> >
> >--
> >
> >Micheal Patterson
> >Network Administration
> >Cancer Care Network
> >405-733-2230
> -------------------------------------------------
hacked.
> What's more, you deserve to be hacked." - Richard Clarke
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPzraI2EotYGToENLEQJSnQCg8D0se/q7n4jei+fuD0TPYkeL9IsAoKx3
gXRgrCIW0VuJTULb9cvnX2RR
=z1av
-----END PGP SIGNATURE-----
Received on Wed Aug 13 22:38:32 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:16 EDT