Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Help with Exploit

from [Vic Brown] Network Security [Permanent Link]
Subject: Help with Exploit
Date: Fri, 02 Feb 2007 14:25:24 -0500 
Hello List,

We're experiencing a serious problem on our networking with an exploit. After running the Microsoft rootkit detector we found the following:

Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0
bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
Hidden from Windows API.,1/31/2007 15:25,13.00
KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50
KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50
KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50
KB,C:\WINNT\system32\pfplgscn.dll

Did some research on the pfplgflt.dll files and found this:
http://vil.nai.com/vil/content/v_122073.htm

All of the files and registry settings listed on the McAfee site were found on the system, and also a strange a.exe file. Found some general info about the a.exe file, but all of it was useless and did not relate at all to this exploit IMHO. I guess it uses a.exe just because. The boxes had the latest AV updates and engines, and also the latest OS updates (Windows 2000). Even worst, after reinstalling one of the boxes, and updating to the latest everything once more, the box was infected once more. I am know trying to find a way to end this email with a "professional" sounding question, but to be honest, I don't know how to proceed with this one. Please help!

Thanks in advance.
Vic
                       --    _____________________
__/                     \
/ Vic Brown              |
| Comp Supp Spec         |
| FSU-Panama             |
| Phone: (507)-314-0367  |
| vabrown@mailer.fsu.edu |
\________________________/





----------------------------------------------------------------


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  Re: Help with Exploit, Josh Miller
Next by Thread:  Re: Help with Exploit, Josh Miller
Indexes:  [Date] [Thread] [Top] [All Lists]