[unisog] Unintended update
jeff01 at email.unc.edu
Mon Aug 4 19:50:48 GMT 2003
Andy Efting wrote:
| Anyone else seen this:
| I have 2 servers that ran what seems to be a Windows update file, but I
| am not sure how the update was run. The servers are not set to
| automatically run updates, yet the updates ran yesterday at about 11:30
| am. The log says the System ran the update. When I manually run updates
| it says the Administrator ran the update.
| It says it ran Windows update KB823980. This is the update for the
| recent 'buffer overrun in RPC' exploit found in Windows. I compared the
| changes this update seemed to make with the changes on a computer I
| updated myself. The registry & file changes seem to be the same. Unlike
| regular Windows Updates, there was a file and a folder on the C: drive
| called update. When the update file is run, it unpacks files into the update
| folder. The update folder seems to contain the Windows update KB823980.
| The update will not uninstall like it should. Also, the McAfee
| antivirus service wouldn't load. I uninstalled McAfee and installed
| Symantec AV. No viruses were found. Also, I ran a DCOM scanner & it says
| these computers are patched.
| Yet, it still seems suspicious. Like someone hacked these computers.
| By the way, these servers should have received the KB823980 update a
| couple of weeks ago when my other servers got it.
| Andrew P. Efting
| Security Analyst
| Emory University
| E-Mail: aefting at emory.edu
| Phone: 404-712-2213
| Fax: 404-727-0817
Yes! We saw the same thing yesterday morning where a host spontaneously
"re-applied" the 823980 patch. There were some issues following that
unscheduled automatic update (i.e. Symantec Anti-Virus service failed
and had to be reloaded). The event logs appeared to indicate that an
update had been made with System level privileges.
We have seen some other systems (though I cannot verify the correlation
between the fake Windows Update and this particular compromise) where
someone apparently launched rpcsrv.exe out of WINNT\System32, which
apparently opens a remote xterm.
Jeff Bollinger, CISSP
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff @unc dot edu
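The two reports above boil down to three observable indicators: a hotfix install attributed to the System account on a host where Automatic Updates is off, an item named "update" sitting at the root of C:, and an rpcsrv.exe under WINNT\System32. The following is an added triage script (not part of the thread or of any tool mentioned in it) that checks a set of hosts against exactly those indicators. The event records and file listings are constructed sample data, the field names and the ".exe" extension on the root-level "update" file are assumptions, and the matching is deliberately loose (any file whose stem is "update" at the drive root, any account whose last path component is SYSTEM).

```python
"""Triage helper for the 'unintended KB823980 update' reports.

Checks host evidence against the indicators named in the thread:
  1. hotfix install logged under the SYSTEM account while Automatic
     Updates is disabled (a manual install is logged as Administrator);
  2. a file or folder named 'update' at the root of C:;
  3. rpcsrv.exe located under a System32 directory.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PatchEvent:
    """One hotfix-installation record as pulled from a host's event log.
    Field names are assumed for this example, not taken from any log format."""
    host: str
    kb: str
    account: str       # account the log attributes the install to
    auto_update: bool  # is Automatic Updates configured on this host?


def is_system_account(account: str) -> bool:
    """True for the local SYSTEM account however the log spells it
    ('System', 'SYSTEM', 'NT AUTHORITY\\SYSTEM')."""
    return account.strip().upper().split("\\")[-1] == "SYSTEM"


def flag_patch_events(events: List[PatchEvent]) -> List[Tuple[str, str]]:
    """Indicator 1: SYSTEM installed a patch on a host that should not self-update."""
    findings = []
    for ev in events:
        if is_system_account(ev.account) and not ev.auto_update:
            findings.append((ev.host, f"{ev.kb} installed by SYSTEM with Automatic Updates off"))
    return findings


def flag_paths(host: str, paths: List[str]) -> List[Tuple[str, str]]:
    """Indicators 2 and 3: unexpected 'update' item at C:\\ and rpcsrv.exe in System32."""
    findings = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        head, tail = ntpath.split(norm)
        if head == "c:\\" and ntpath.splitext(tail)[0] == "update":
            findings.append((host, f"unexpected item at drive root: {p}"))
        if tail == "rpcsrv.exe" and head.endswith("\\system32"):
            findings.append((host, f"unexpected binary in System32: {p}"))
    return findings


def triage(events: List[PatchEvent], listings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Group every finding by host; hosts with nothing flagged are omitted."""
    all_findings = flag_patch_events(events)
    for host, paths in listings.items():
        all_findings.extend(flag_paths(host, paths))
    report: Dict[str, List[str]] = {}
    for host, msg in all_findings:
        report.setdefault(host, []).append(msg)
    return report


# Constructed sample evidence: srv1 shows all three indicators, srv2 was
# patched by hand, srv3 is legitimately on Automatic Updates.
SAMPLE_EVENTS = [
    PatchEvent("srv1", "KB823980", r"NT AUTHORITY\SYSTEM", auto_update=False),
    PatchEvent("srv2", "KB823980", "Administrator", auto_update=False),
    PatchEvent("srv3", "KB823980", "SYSTEM", auto_update=True),
]
SAMPLE_LISTINGS = {
    "srv1": [r"C:\update", r"C:\update.exe",  # '.exe' is an assumption
             r"C:\WINNT\System32\rpcsrv.exe", r"C:\WINNT\System32\svchost.exe"],
    "srv2": [r"C:\WINNT\System32\svchost.exe"],
}

if __name__ == "__main__":
    for host, msgs in sorted(triage(SAMPLE_EVENTS, SAMPLE_LISTINGS).items()):
        print(host)
        for m in msgs:
            print("  -", m)
```

A host that trips only the first check still deserves a look, since a patch that really did arrive via Automatic Updates would have been logged the same way; the file-system indicators are what separate the two cases in the reports above.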