[unisog] Unintended update

Anderson, Kelly kjanders at umich.edu
Mon Aug 4 19:49:21 GMT 2003


Hi Andy - 

What we've heard from our Virus folks here at U-Mich is that hackers get
control and then apply the patch so that another hacker team can't get
it and so that legitimate admin scans look like the machine is OK.  I'd
do some serious forensics if I were you.  :(  

I was told that you can scan using Foundstone's free Scanline tool (
http://www.foundstone.com/resources/proddesc/scanline.htm) to see if any
rogue FTP servers (or other nasties) have set up housekeeping.  

Thanks, 
Kelly 

***********************************************   
Kelly J. Anderson, MCSE            
Windows 2000 Infrastructure   
University of Michigan             
http://www.umich.edu/~lannos/win2000     
***********************************************   
 


-----Original Message-----
From: Andy Efting [mailto:aefting at emory.edu] 
Sent: Monday, August 04, 2003 2:19 PM
To: unisog at sans.org
Subject: [unisog] Unintended update


Anyone else seen this:

I have 2 servers that ran what seems to be a windows update file but I
am not sure how the update was run. The servers are not set to
automatically run updates yet the updates ran yesterday at about 11:30
am. The log says the System ran the update. When I manually run updates
it says the Administrator ran the update.

It says it ran Windows update KB823980. This is the update for the
recent 'buffer overrun in RPC' exploit found in Windows. I compared the
changes this update seemed to make with the changes of a computer I
updated myself. The registry & file changes seem to be the same. Unlike
regular Windows Updates there was a file and a folder on the C: drive
called update. When the update file is run it unpacks files to the update
folder. The update folder seems to contain the Windows update KB823980.

The update will not uninstall like it should. Also, the McAfee antivirus
service wouldn't load. I uninstalled McAfee and installed Symantec AV.
No viruses were found. Also, I ran a DCOM scanner & it says these
computers are patched.

Yet, it still seems suspicious. Like someone hacked these computers.

By the way, these servers should have received the KB823980 update a
couple of weeks ago when my other servers got it.


______________________
Andrew P. Efting
Security Analyst
Emory University
E-Mail: aefting at emory.edu
Phone: 404-712-2213
Fax: 404-727-0817
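The host-side checks the two posts above describe (who installed KB823980 and when, the stray C:\update folder, the AV service that will not start, and the Scanline-style look for rogue listeners such as an FTP server) collected into one triage script. This is an added example, not code from either poster; it targets a current PowerShell host, and the hotfix ID, update path, AV service name and expected-port baseline are assumptions to adjust for the machine being examined.

```powershell
# Added triage example (not from the thread). Placeholders to adjust per host:
$Hotfix        = 'KB823980'                 # patch that appeared without an admin running it
$UpdateDir     = 'C:\update'                # stray file/folder noted in the original post
$AvService     = 'McShield'                 # hypothetical AV service name; set to your product's
$ExpectedPorts = @(135, 139, 445, 3389)     # constructed baseline; TCP 21 (FTP) is not expected

$findings = @()

# 1. Who installed the patch, and when? A SYSTEM install outside the normal
#    patch window, on a box not set to auto-update, deserves a closer look.
$hf = Get-HotFix -Id $Hotfix -ErrorAction SilentlyContinue
if ($hf) {
    $findings += "{0} installed by '{1}' on {2}" -f $hf.HotFixID, $hf.InstalledBy, $hf.InstalledOn
} else {
    $findings += "$Hotfix not recorded by Get-HotFix; it may have been applied out of band"
}

# 2. Leftover unpack directory on the system drive, as reported in the post.
#    Inventory it read-only; preserve it for forensics before cleaning anything.
if (Test-Path $UpdateDir) {
    $items = @(Get-ChildItem -Path $UpdateDir -Recurse -Force -ErrorAction SilentlyContinue)
    $findings += "$UpdateDir exists with $($items.Count) item(s)"
}

# 3. An AV service that will not start is itself an indicator worth recording.
$svc = Get-Service -Name $AvService -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') {
    $findings += "AV service $AvService is $($svc.Status)"
}

# 4. Local equivalent of the Scanline check: any TCP listener outside the
#    baseline (for example a rogue FTP server on 21), with its owning process.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Where-Object { $ExpectedPorts -notcontains $_.LocalPort }
foreach ($conn in $listeners | Sort-Object LocalPort -Unique) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Unexpected listener on TCP $($conn.LocalPort) (process: $($proc.ProcessName))"
}

$findings
```

Run it from an elevated prompt so Get-NetTCPConnection can resolve owning processes; a SYSTEM-installed patch plus an unexpected listener is the combination Kelly's reply warns about.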


