[unisog] Unintended update

Andy Efting aefting at emory.edu
Tue Aug 5 01:34:05 GMT 2003


Here's a quick update. We have indeed been hacked. I'll provide more
information in the morning, but we've seen the backdoor listening on port
33571. FYI.

Andy

______________________
Andrew P. Efting
Security Analyst
Emory University
E-Mail: aefting at emory.edu
Phone: 404-712-2213
Fax: 404-727-0817


----- Original Message -----
From: "Andy Efting" <aefting at emory.edu>
To: <unisog at sans.org>
Sent: Monday, August 04, 2003 2:19 PM
Subject: [unisog] Unintended update


Anyone else seen this:

I have 2 servers that ran what seems to be a Windows update file, but I am
not sure how the update was run. The servers are not set to automatically
run updates, yet the updates ran yesterday at about 11:30 am. The log says
the System ran the update. When I manually run updates, it says the
Administrator ran the update.

It says it ran Windows update KB823980. This is the update for the recent
'buffer overrun in RPC' exploit found in Windows. I compared the changes
this update seemed to make with the changes on a computer I updated myself.
The registry & file changes seem to be the same. Unlike regular Windows
Updates, there was a file and a folder on the C: drive called update. When
the update file is run, it unpacks files to the update folder. The update folder
seems to contain the Windows update KB823980.

The update will not uninstall like it should. Also, the McAfee antivirus
service wouldn't load. I uninstalled McAfee and installed Symantec AV. No
viruses were found. Also, I ran a DCOM scanner, and it says these computers are
patched.

Yet it still seems suspicious, like someone hacked these computers.

By the way, these servers should have received the KB823980 update a couple
of weeks ago when my other servers got it.


______________________
Andrew P. Efting
Security Analyst
Emory University
E-Mail: aefting at emory.edu
Phone: 404-712-2213
Fax: 404-727-0817
