[unisog] Unintended update

Dave Ellingsberg dave.ellingsberg at csu.mnscu.edu
Tue Aug 5 14:11:54 GMT 2003


The port number is different, so I am assuming it is configurable or
possibly...

A possible explanation is
http://www.theregister.co.uk/content/56/32152.html
More info:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=40336

bigfoot

>>> "Andy Efting" <aefting at emory.edu> 8/4/2003 8:34:05 PM >>>
Here's a quick update. We have indeed been hacked. I'll provide more
information in the morning, but we've seen the backdoor listening on
port 33571. FYI.

Andy

______________________
Andrew P. Efting
Security Analyst
Emory University
E-Mail: aefting at emory.edu 
Phone: 404-712-2213
Fax: 404-727-0817


----- Original Message ----- 
From: "Andy Efting" <aefting at emory.edu>
To: <unisog at sans.org>
Sent: Monday, August 04, 2003 2:19 PM
Subject: [unisog] Unintended update


Anyone else seen this:

I have 2 servers that ran what seems to be a Windows update file, but I
am not sure how the update was run. The servers are not set to
automatically run updates, yet the updates ran yesterday at about 11:30 am.
The log says the System ran the update. When I manually run updates, it
says the Administrator ran the update.

It says it ran Windows update KB823980. This is the update for the
recent 'buffer overrun in RPC' exploit found in Windows. I compared the
changes this update seemed to make with the changes on a computer I
updated myself. The registry & file changes seem to be the same. Unlike
regular Windows Updates, there was a file and a folder on the C: drive
called update. When the update file is run, it unpacks files to the
update folder. The update folder seems to contain the Windows update
KB823980.

The update will not uninstall like it should. Also, the McAfee
antivirus service wouldn't load. I uninstalled McAfee and installed
Symantec AV. No viruses were found. Also, I ran a DCOM scanner & it says
these computers are patched.

Yet, it still seems suspicious. Like someone hacked these computers.

By the way, these servers should have received the KB823980 update a
couple of weeks ago when my other servers got it.


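The indicators Andy describes (an unexpected listener on TCP 33571, and an `update` file and folder at the root of C: that a normal Windows Update would not leave behind) are the kind of thing a responder would want to check across every server, not just the two already found. The script below is an added triage example, not code from the thread or from either poster: it parses constructed Windows `netstat -an` style output and a constructed drive-root listing, compares the listeners against a hypothetical expected-port baseline, and reports anything that matches the thread's indicators. The baseline ports, the sample output, and the assumption that the dropped file carries an `.exe` extension are all constructed for the example.

```python
"""Added triage example (not from the unisog thread).

Checks constructed host evidence for the two indicators described in the
thread: an unexpected TCP listener (33571) and an 'update' file/folder at
the C: drive root.
"""
import os
import re

# Constructed sample of Windows `netstat -an` output (not captured from
# the affected servers).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:33571          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           10.0.0.9:1042          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed listing of the C: drive root. The '.exe' extension on the
# dropped file is an assumption; the thread only says "a file ... called update".
DRIVE_ROOT_SAMPLE = [
    "Documents and Settings",
    "Program Files",
    "update",
    "update.exe",
    "WINNT",
]

# Hypothetical baseline: the TCP ports this server is expected to expose.
EXPECTED_LISTENERS = {135, 139, 445}

# Matches a LISTENING TCP line and captures the local address and port.
NETSTAT_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        match = NETSTAT_LISTEN_RE.match(line)
        if match:
            ports.add(int(match.group(2)))
    return ports


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Listening ports that are not in the expected baseline, sorted."""
    return sorted(listening_ports(netstat_text) - set(expected))


def suspicious_root_entries(entries):
    """Drive-root entries whose name (ignoring extension) is 'update'."""
    return sorted(
        entry for entry in entries
        if os.path.splitext(entry)[0].lower() == "update"
    )


def triage(netstat_text, root_entries, expected=EXPECTED_LISTENERS):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for port in unexpected_listeners(netstat_text, expected):
        findings.append(f"unexpected TCP listener on port {port}")
    for entry in suspicious_root_entries(root_entries):
        findings.append(f"unexpected entry at drive root: {entry}")
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, DRIVE_ROOT_SAMPLE):
        print(finding)
```

On a real host the two inputs would come from `netstat -an` and a listing of the drive root; the point of the baseline comparison is that a backdoor port is only recognisable as unexpected if you already know which listeners each server is supposed to have.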


