KB835732 uploaded and installed through KB835732 flaw

Guest

On 4/25/2004, several Windows 2000 servers that we thought we had patched with the KB835732 patch back on April 15th or so were remotely accessed.

Files that look like they can start an FTP server were uploaded to c:\winnt\system32\spool\printers and c:\winnt\certsrv\certcontrol\x86. The Windows2000-KB835732-x86-ENU.EXE file was uploaded to the c:\winnt directory shortly after the files were uploaded to the c:\winnt\certsrv\certcontrol\x86 directory.

Based on event logs, it looks like the SYSTEM user installed the KB835732 patch on our servers. The servers were not rebooted. One server seemed to be missing the last 10 days or so of the SYSTEM log, and the LSASS service crashed on that server within a few hours of the server being remotely accessed.

The Windows2000-KB835732-x86-ENU.EXE file was digitally signed by Microsoft. We uninstalled it anyway, rebooted, patched with all critical updates, and deleted the uploaded files.

I don't know what this was. I'm posting here to see if anyone else has had anything similar occur.
 
Guest

Are you sure that this wasn't the Automatic Update service or a SUS / WUS server? Not very many crackers / malicious hackers will log in as the System account and patch your servers for you....

 
Guest

Certain it was not an automated service. It installed the Serv-U FTP server to push the files to my server.

I've virus-checked the server, and checked all recently modified/created files against files on a server that was not affected, and have not found anything abnormal.

Unless I can prove otherwise, I am currently considering that I was the victim of a well-meaning drive-by patcher.
 
Lisa_at_work

Brian,

I have not seen this myself, but I have heard of some hackers who will:

1. Find a vulnerable machine and exploit it, and load up whatever backdoor tools they need to maintain control of this server.

2. Install the patch for the vulnerability originally found in step 1, so that other hackers won't try to "tag" this new "zombie box", and so that Administrators will think that this box is already patched against the vulnerability.

3. Remove / edit / corrupt the logs & Event Viewer to hide their tracks.

4. Use this seemingly patched server as a "Spam-bot" or "Porno-warehouse" server.

Depending upon your environment, I would try to convince the necessary people to allow a complete rebuild of this server for safety and security.

Hope this helps,

Lisa (Elizabeth Cornwell ~ Yale Graduate School of Arts and Sciences)

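Two of the symptoms in this thread (a hotfix installed as SYSTEM outside the team's own patch window, and a System log that simply stops some days before the incident) can be checked for mechanically. The script below is an added example, not code from anyone in this thread; the event records, event source names and the approved maintenance window are constructed sample data standing in for an exported event log.

```python
"""Defender-side checks for the drive-by-patcher pattern discussed above.
Added example, not from the original posters. Event records and the
maintenance window are constructed sample data, not real logs."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample records: (timestamp, account, event source, message).
SAMPLE_EVENTS = [
    ("2004-04-15 02:10", "SYSTEM", "NtServicePack", "Windows 2000 Hotfix KB835732 was installed."),
    ("2004-04-15 02:12", "SYSTEM", "Service Control Manager", "Print Spooler entered the running state."),
    ("2004-04-25 23:41", "SYSTEM", "NtServicePack", "Windows 2000 Hotfix KB835732 was installed."),
    ("2004-04-26 01:05", "SYSTEM", "Application Error", "Faulting application lsass.exe"),
]

# Constructed: the only window in which the admins actually rolled out patches.
APPROVED_WINDOWS = [("2004-04-15 00:00", "2004-04-15 06:00")]


def _ts(s):
    return datetime.strptime(s, FMT)


def unapproved_hotfix_installs(events, windows=APPROVED_WINDOWS):
    """Hotfix install events whose timestamp falls inside no approved window."""
    spans = [(_ts(a), _ts(b)) for a, b in windows]
    hits = []
    for ts, account, _source, msg in events:
        text = msg.lower()
        if "hotfix" not in text or "installed" not in text:
            continue
        when = _ts(ts)
        if not any(a <= when <= b for a, b in spans):
            hits.append((ts, account, msg))
    return hits


def log_gaps(events, now, max_gap=timedelta(days=3)):
    """(start, end) pairs where the log is silent for longer than max_gap.
    The tail between the last record and `now` is included, so a log that
    was truncated or cleared shows up as a gap at the end."""
    stamps = sorted(_ts(e[0]) for e in events) + [_ts(now)]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


if __name__ == "__main__":
    for hit in unapproved_hotfix_installs(SAMPLE_EVENTS):
        print("hotfix installed outside approved window:", hit)
    for a, b in log_gaps(SAMPLE_EVENTS, "2004-04-27 09:00"):
        print("log silent from", a, "to", b)
```

Run against a real export, the first check surfaces the April 25 install and the second surfaces the ten-day silence between the legitimate patch run and the intrusion.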