Unintended update

Andy Efting aefting at emory.edu
Mon Aug 4 18:19:05 GMT 2003

Anyone else seen this:

I have 2 servers that ran what seems to be a windows update file but I am not sure how the update was run. The servers are not set to automatically run updates yet the updates ran yesterday at about 11:30 am. The log says the System ran the update. When I manually run updates it says the Administrator ran the update.

It says it ran windows update KB823980. This is the update for the recent 'buffer overrun in RPC 'exploit found in windows. I compared the changes this update seemed to make with the changes of a computer I updated myself. The registry & file changes seem to be the same. Unlike regular Windows Updates there was a file and a folder on the C: drive called update. When update file is run it unpacks file to the update folder. The update folder seems to contain the windows update KB823980.

The update will not uninstall like it should. Also, the McAfee antivirus service wouldn't load. I uninstalled McAfee and installed Symantec AV. No viruses were found. Also, I ran a DCOM scanner & it says these computers are patched.

Yet, it still seems suspicious. Like someone hacked these computers.

By the way, these servers should have received the KB823980 update a couple of weeks ago when my other servers got it.

Andrew P. Efting
Security Analyst
Emory University
E-Mail: aefting at emory.edu
Phone: 404-712-2213
Fax: 404-727-0817

More information about the unisog mailing list