Level Extreme Platform
SVCHOST exploit Trojan
Message
From: 27/04/2004 18:37:00
To: Nancy Folsom (Pixel Dust Industries, Washington, United States), 27/04/2004 17:26:52
General information
Forum: ASP.NET
Category: Security, Miscellaneous
Thread ID: 00898389
Message ID: 00898757
Views: 16
It seems to be very popular lately:

http://www.webservertalk.com/showthread.php?s=b0ba66acd338c90e1de2842f3189d203&threadid=171959&perpage=10&pagenumber=1

-Mike

>Hi, Tracy-
>>
>>Have you seen this?
>>
>>http://seclists.org/lists/fulldisclosure/2003/Oct/1769.html
>
>No, I hadn't seen that. I eventually followed the breadcrumbs to
>
>http://domain444037.sites.fasthosts.com/OWASP/aspx/
>
>And downloaded the ANSA .NET security analyzer. I'll let the network consultant review the findings with me.
>
>>and this:
>>
>>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
>
>Oh, sure. I've tried to digest the 80 million security-related docs and confess I'm sure I've done so imperfectly. I think there are server-specific configuration issues though, and so was hoping for some specific ideas.
>
>>there was also the IBIZA trojan that exploited a vulnerability in IE that used port 10002 to install malicious code and propagate. It uses port 10002 to listen for commands from its creator. You might check into closing that port on the firewall or only allowing outbound traffic.
>
>IBIZA hadn't come up in my searches for SVCHOST exploits. My client doesn't have port 10002 open, IIRC. But I'll double check.
>
>I'm posting this followup info in case it helps anyone else.
>
>The infection source, FWIW, is an illegitimate copy of SVCHOST.EXE in C:\WINNT. The file is grossly oversized and has a recent modified date. There are also suspicious files in a directory
>c:\winnt\system32\wbem\mof\bad\usr32\web\backup. Two EXEs (Backup and Stuff) and a SVCHOST.XXX that are dated the time of the most recent hack (this morning).
>
>Unfortunately the network consultant didn't think to check or save the server and ISA logs from last week's hack so there is some missing info.
>
>I also don't know if deleting the files in the directory will be enough to clean out the infection.
>
>We noticed that the supposed automatic Symantec update hadn't fired since the first hack. We had new OS patches between updates done at 7:30 and at 10 am. So, patch, patch, patch!
>
>After we rebooted, the proxy server hadn't restarted, but we were able to restart.
>
>I have copies of the suspect files and will try to forward them to the virus folks. I'm calling this "Hello dear FxPer!" since that text gets displayed on the webpage when it's hacked.
>
>I hope this helps someone else. And, thanks to you and Alex for your suggestions.
Michael Levy
MCSD, MCDBA
ma_levy@hotmail.com
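As an added example (not code from this post, from Nancy, or from Level Extreme): a small Python triage script that hunts for the indicators Nancy lists above on a copy of the %SystemRoot% tree: a svchost.exe anywhere other than %SystemRoot%\System32 (the post found one directly in C:\WINNT), an oversized or oddly-named svchost file such as SVCHOST.XXX, and anything under the wbem\mof\bad\usr32\web\backup directory. Each hit is hashed so the sample can be forwarded to the AV vendor, as the post intends. The 64 KiB size ceiling and the one-week "recent" window are assumed round numbers for the demo (the post gives no figures), and make_sample_tree() builds a constructed stand-in for C:\WINNT rather than files from the incident.

```python
"""Triage for the rogue-svchost indicators described in the thread.

Added example, not the post's own tooling. Thresholds and the sample tree
are assumptions labelled below.
"""
import hashlib
import os
import tempfile
import time

# Legitimate svchost.exe lives in %SystemRoot%\System32; a copy anywhere else is suspect.
LEGIT_DIR = "system32"
# Assumed ceiling: the post only says "grossly oversized"; compare a hit against a
# known-good copy from install media rather than trusting this number.
MAX_LEGIT_SIZE = 64 * 1024
# Assumed window for "recent modified date" (one week).
RECENT_SECONDS = 7 * 24 * 3600
# Directory the post identified as dropped by the intruder, relative to %SystemRoot%.
SUSPECT_DIR = ("system32", "wbem", "mof", "bad", "usr32", "web", "backup")


def sha256_of(path):
    """Hash a file in chunks so large droppers do not get read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _parent_parts(root, path):
    """Path components of the file's directory relative to root, lower-cased
    because NTFS is case-insensitive and the post shows mixed case."""
    rel = os.path.relpath(path, root)
    return tuple(p.lower() for p in rel.split(os.sep))[:-1]


def triage(root, now=None):
    """Walk root (meant to be %SystemRoot%, e.g. C:\\WINNT) and return findings.

    Each finding is a dict with name, path, size, mtime, sha256 and the list of
    reasons it was flagged; 'modified recently' is only added as corroboration
    when another indicator already matched, since patching touches files too.
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            parent = _parent_parts(root, path)
            lname = name.lower()
            st = os.stat(path)
            reasons = []
            if lname.startswith("svchost."):
                if lname != "svchost.exe":
                    reasons.append("svchost name with non-EXE extension")
                elif parent != (LEGIT_DIR,):
                    reasons.append("svchost.exe outside %SystemRoot%\\system32")
                if st.st_size > MAX_LEGIT_SIZE:
                    reasons.append(f"oversized ({st.st_size} bytes)")
            if parent == SUSPECT_DIR:
                reasons.append("inside the intruder's backup directory")
            if reasons and now - st.st_mtime < RECENT_SECONDS:
                reasons.append("modified recently")
            if reasons:
                findings.append({"name": name, "path": path, "size": st.st_size,
                                 "mtime": st.st_mtime, "sha256": sha256_of(path),
                                 "reasons": reasons})
    findings.sort(key=lambda f: f["path"])
    return findings


def make_sample_tree():
    """Constructed stand-in for C:\\WINNT mirroring the post's indicators.

    Sample data built here for the demo, not files recovered from the incident.
    """
    root = tempfile.mkdtemp(prefix="winnt_")
    old = time.time() - 60 * 24 * 3600  # two months ago: an untouched file

    def put(*parts, size, mtime=None):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\0" * (size - 2))  # fake PE header plus padding
        if mtime is not None:
            os.utime(path, (mtime, mtime))
        return path

    put("system32", "svchost.exe", size=8 * 1024, mtime=old)     # legitimate-looking
    put("system32", "kernel32.dll", size=700 * 1024, mtime=old)  # big but unrelated
    put("svchost.exe", size=300 * 1024)                           # rogue copy in %SystemRoot%
    put(*SUSPECT_DIR, "Backup.exe", size=40 * 1024)
    put(*SUSPECT_DIR, "Stuff.exe", size=40 * 1024)
    put(*SUSPECT_DIR, "SVCHOST.XXX", size=300 * 1024)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for hit in triage(target):
        print(hit["sha256"], hit["size"], hit["path"])
        for reason in hit["reasons"]:
            print("    -", reason)
```

Run it as `python svchost_triage.py C:\WINNT` on the affected box (or with no argument to see it flag the constructed tree). The hashes are what you send to the AV vendor; keep the flagged files themselves on read-only media, since deleting them, as the post notes, may not be enough to clean the host.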