From: Forrest Smalley (smalley_at_haas.berkeley.edu)
Date: Tue Aug 05 2003 - 17:16:29 PDT
There are literally hundreds if not thousands of backdoors that could have
been installed through the exploit, but Haas has found 4 specific ones
which will probably show up around campus. I would guess that all of 128.32
got attacked, so if you want to check for these things, scan your subnets for
these ports. See my previous emails for more info.
113 WindowsLogonVrs Service
6667 directx process running
1257 N0rton Service
8486 Remote Administrator Service
>Two new ports have shown up as infections: 113, 8486. Many machines
>probably have been infected with multiple backdoors. If they were open to
>one...they were open to all.
>
>Machines will need to be reinstalled, but to clean them in the meantime...
>
>For those with 113 look for (a service called WindowsLogonVrs will appear
>in services)
>c:\windows(winnt)\speech\speech. This is a bogus folder that will contain
>multiple files; all will need to be deleted.
>Before you can delete them, you will probably have to delete the reg
>entries and then reboot...and then delete files
>Del reg keys
>HKLM\System\CurrentControlSet\Services\EventLog\Application\WindowsLogonVrs
>and
>HKLM\System\CurrentControlSet\Services\WindowsLogonVrs
>
>
>For machines with 8486( a service called Remote Administrator Service will
>appear in services)
>Del reg key
>HKLM\system\currentcontrolset\services\r_server
>reboot
>and then delete
>c:\windows(winnt)\msapps\msapps. There will be numerous files in this
>dir...they are bogus.
>
________________________________________________
Forrest Smalley Haas Computing Center
Database Administrator 545 Student Services Bldg. #1900
Room S300M Berkeley, CA 94720
(510) 643-0428 Fax (510) 642-4769
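A read-only host triage check for the four indicators listed in the message, added here as an example (it is not part of Forrest's email). It assumes a modern Windows host where Get-NetTCPConnection is available and that the service names match what services.msc shows; it reports findings and deletes nothing.

```powershell
# Added example: check one Windows host for the backdoor indicators named in the message.
# Read-only. Run from an elevated PowerShell on the host being checked.

# Indicators from the message. Service names are assumed to match services.msc exactly.
$indicatorPorts = @{ 113 = 'WindowsLogonVrs'; 6667 = 'directx process'
                     1257 = 'N0rton'; 8486 = 'Remote Administrator' }
$serviceNames = @('WindowsLogonVrs', 'N0rton', 'r_server', 'Remote Administrator Service')
$regKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsLogonVrs',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\WindowsLogonVrs',
    'HKLM:\SYSTEM\CurrentControlSet\Services\r_server'
)
# "c:\windows(winnt)" in the message means the system root, whatever it is called here.
$folders = @("$env:SystemRoot\speech\speech", "$env:SystemRoot\msapps\msapps")

$findings = @()

# 1. Listening TCP ports. 113 (ident) and 6667 (IRC) can also be legitimate,
#    so a hit here is a lead to be confirmed by the owning process, not a verdict.
foreach ($conn in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    $port = [int]$conn.LocalPort
    if ($indicatorPorts.ContainsKey($port)) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Port $port listening (message lists: $($indicatorPorts[$port])) " +
                     "pid=$($conn.OwningProcess) process=$($proc.ProcessName)"
    }
}

# 2. Services with the names given in the message.
foreach ($svc in Get-Service -ErrorAction SilentlyContinue) {
    if ($serviceNames -contains $svc.Name -or $serviceNames -contains $svc.DisplayName) {
        $findings += "Service $($svc.Name) ('$($svc.DisplayName)') status=$($svc.Status)"
    }
}

# 3. Registry keys the cleanup steps tell you to delete; record the ImagePath for the report.
foreach ($key in $regKeys) {
    if (Test-Path $key) {
        $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "Registry key present: $key ImagePath=$image"
    }
}

# 4. The bogus folders; count the files so they can be preserved for analysis before rebuild.
foreach ($dir in $folders) {
    if (Test-Path $dir) {
        $count = @(Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue).Count
        $findings += "Folder present: $dir ($count files)"
    }
}

if ($findings.Count -eq 0) { 'No indicators from the message found on this host.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```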
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.