Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Help with Exploit

from [Josh Miller] Network Security [Permanent Link]
Subject: Re: Help with Exploit
Date: Fri, 02 Feb 2007 13:18:43 -0800
There are a couple of methods you could employ to determine whether or not this is a problem:

1. Monitor the network using tcpdump, ethereal or other monitoring tool and shut down all non-necessary services on this host. If you see suspicious traffic, this might indicate who or where it is going to so you can validate it and/or the contents.

2. Use the sysinternals tools from Microsoft to discover who is doing what on your server:
download from: http://www.microsoft.com/technet/sysinternals/default.mspx

One problem here is that if it's malicious code at work you're defending hosts when you should be defending your network(s). Find out where the problem is coming from and shut it down at the firewall.

Thanks,
Josh Miller

Vic Brown wrote: 
Hello List,

We're experiencing a serious problem on our networking with an exploit. After running the Microsoft rootkit detector we found the following:

Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0
bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d* 

Hidden from Windows API.,1/31/2007 15:25,13.00
KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50
KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50
KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50
KB,C:\WINNT\system32\pfplgscn.dll

Did some research on the pfplgflt.dll files and found this:
http://vil.nai.com/vil/content/v_122073.htm

All of the files and registry settings listed on the McAfee site were found on the system, and also a strange a.exe file. Found some general info about the a.exe file, but all of it was useless and did not relate at all to this exploit IMHO. I guess it uses a.exe just because. The boxes had the latest AV updates and engines, and also the latest OS updates (Windows 2000). Even worst, after reinstalling one of the boxes, and updating to the latest everything once more, the box was infected once more. I am know trying to find a way to end this email with a "professional" sounding question, but to be honest, I don't know how to proceed with this one. Please help!

Thanks in advance.
Vic
                       --    _____________________
__/                     \
/ Vic Brown              |
| Comp Supp Spec         |
| FSU-Panama             |
| Phone: (507)-314-0367  |
| vabrown@mailer.fsu.edu |
\________________________/





----------------------------------------------------------------




[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Help with Exploit, Vic Brown
Next by Date:  RE: Share and NTFS permissions, David LeBlanc
Previous by Thread:  Help with Exploit, Vic Brown
Next by Thread:  RE: Help with Exploit, Murda Mcloud
Indexes:  [Date] [Thread] [Top] [All Lists]