SVCHOST exploit Trojan
Message
From: 27/04/2004 17:26:52
Nancy Folsom
Pixel Dust Industries
Washington, United States
To: 27/04/2004 14:14:06
General information
Forum: ASP.NET
Category: Security, Miscellaneous
Thread ID: 00898389
Message ID: 00898735
Views: 12
Hi, Tracy-
>
>Have you seen this?
>
>http://seclists.org/lists/fulldisclosure/2003/Oct/1769.html

No, I hadn't seen that. I eventually followed the breadcrumbs to

http://domain444037.sites.fasthosts.com/OWASP/aspx/

And downloaded the ANSA .NET security analyzer. I'll let the network consultant review the findings with me.

>and this:
>
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

Oh, sure. I've tried to digest the 80 million security-related docs and confess I'm sure I've done so imperfectly. I think there are server-specific configuration issues though, and so was hoping for some specific ideas.

>there was also the IBIZA trojan that exploited a vulnerability in IE that used port 10002 to install malicious code and propagate. It uses port 10002 to listen for commands from its creator. You might check into closing that port on the firewall or only allowing outbound traffic.

IBIZA hadn't come up in my searches for SVCHOST exploits. My client doesn't have port 10002 open, IIRC. But I'll double-check.

I'm posting this followup info in case it helps anyone else.

The infection source, FWIW, is an illegitimate copy of SVCHOST.EXE in C:\WINNT. The file is grossly oversized and has a recent modified date. There are also suspicious files in the directory c:\winnt\system32\wbem\mof\bad\usr32\web\backup: two EXEs (Backup and Stuff) and a SVCHOST.XXX that are dated at the time of the most recent hack (this morning).

Unfortunately, the network consultant didn't think to check or save the server and ISA logs from last week's hack, so there is some missing info.

I also don't know if deleting the files in the directory will be enough to clean out the infection.

We noticed that the supposed automatic Symantec update hadn't fired since the first hack. We had new OS patches between updates done at 7:30 and at 10 am. So, patch, patch, patch!

After we rebooted, the proxy server hadn't restarted, but we were able to restart.

I have copies of the suspect files and will try to forward them to the virus folks. I'm calling this "Hello dear FxPer!" since that text gets displayed on the webpage when it's hacked.

I hope this helps someone else. And, thanks to you and Alex for your suggestions.
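The indicators Nancy lists (an svchost.exe sitting outside system32, grossly oversized and freshly modified, plus executables dropped under wbem\mof) can be turned into a quick triage scan. The script below is an added example, not code from the post or the forum; the size limit and the "recent" window are assumed thresholds, and the sample directory tree is constructed in a temp folder so it runs offline.

```python
"""Triage scan for the rogue-SVCHOST indicators described in the post above."""
import os
import tempfile
import time
from pathlib import Path

LEGIT_MAX_BYTES = 64 * 1024      # assumption: a genuine svchost.exe of that era is a few KB
RECENT_SECONDS = 7 * 24 * 3600   # assumption: anything modified in the last week is worth a look


def scan(windows_root: str) -> list:
    """Walk a Windows directory (e.g. C:\\WINNT) and return suspicious findings."""
    root = Path(windows_root).resolve()
    system32 = root / "system32"
    mof_dir = system32 / "wbem" / "mof"
    now = time.time()
    findings = []
    for dirpath, _, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        for name in filenames:
            path, reasons = here / name, []
            if name.lower() == "svchost.exe":
                st = path.stat()
                if here != system32:
                    reasons.append("svchost.exe outside system32")
                if st.st_size > LEGIT_MAX_BYTES:
                    reasons.append("oversized (%d bytes)" % st.st_size)
                if now - st.st_mtime < RECENT_SECONDS:
                    reasons.append("modified recently")
            # any executable under system32\wbem\mof is out of place (that tree holds MOF text files)
            if name.lower().endswith(".exe") and (here == mof_dir or mof_dir in here.parents):
                reasons.append("executable under wbem\\mof")
            if reasons:
                findings.append({"name": name, "path": str(path), "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed sample tree mirroring the post: one legitimate copy, one rogue copy, two dropped EXEs."""
    with tempfile.TemporaryDirectory() as base:
        winnt = Path(base) / "WINNT"
        drop = winnt / "system32" / "wbem" / "mof" / "bad" / "usr32" / "web" / "backup"
        drop.mkdir(parents=True)
        legit = winnt / "system32" / "svchost.exe"
        legit.write_bytes(b"\x00" * 8 * 1024)                 # small, old: should not be flagged
        old = time.time() - 400 * 24 * 3600
        os.utime(legit, (old, old))
        (winnt / "svchost.exe").write_bytes(b"\x00" * 500 * 1024)  # rogue: wrong dir, huge, fresh
        for dropped in ("Backup.exe", "Stuff.exe", "SVCHOST.XXX"):
            (drop / dropped).write_bytes(b"\x00" * 1024)
        return scan(str(winnt))
```

Run `demo()` to see the three findings the constructed tree produces; on a real box, point `scan()` at the Windows directory and review every entry by hand before deleting anything.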