J
Jason
-----Original Message-----
Some sort of worm or rootkit has been found on one of the boxes in my
co-lo that was unpatched. So far I am not sure what the rootkit is actually
doing; I do know that my BlackDiamond 6808 is reporting that the box is
nailed at 100% of 10 megabits to the net and has been for about 12 hours.
Here is what i've found so far:
A user named cache (hidden) in the Administrators group, added on 08/03/03.
Cannot delete this user.
A file called dcomx.exe appeared in c:\winnt\system32\ on 08/04/03.
A file called juh.exe appeared in c:\ on 08/04/03.
Google has no information about said files.
I assume JUH is the delivery mechanism, and then DCOMx is actually the
'daemon'; fport shows dcomx.exe running as a process.
Figured I'd give you guys a heads-up.
Thanks,
Drew Weaver
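An added triage script for the indicators Drew lists above (the hidden 'cache' account in Administrators, dcomx.exe in System32, juh.exe in C:\, a process bound to a port as fport showed, and the saturated uplink). It is not from the thread and targets a current Windows host with PowerShell 5.1+ run as administrator rather than the Win2k box described; the expected-admin list is an assumption to adjust per site.

```powershell
# Added host triage (not from the thread). Run as administrator on Windows
# PowerShell 5.1+. Indicators come only from Drew's report; the list of
# expected admins is an assumption for the reader to adjust.
$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator")
$SuspectFiles   = @("$env:SystemRoot\System32\dcomx.exe", 'C:\juh.exe')

# 1. Accounts in the local Administrators group not on the known list.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    if ($ExpectedAdmins -notcontains $_.Name) {
        Write-Warning "Unexpected Administrators member: $($_.Name) ($($_.ObjectClass))"
    }
}

# 2. The named files, hidden ones included (-Force), with timestamps and a
#    SHA-256 so the evidence is recorded before anything is touched.
foreach ($path in $SuspectFiles) {
    $f = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($f) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Warning ("Found {0}: created {1}, modified {2}, SHA256 {3}" -f
            $path, $f.CreationTime, $f.LastWriteTime, $hash)
    }
}

# 3. fport-style view: listening TCP ports mapped to the owning process and
#    its image path, which is how dcomx.exe was spotted in the thread.
Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalPort = $_.LocalPort
        PID       = $_.OwningProcess
        Process   = if ($p) { $p.ProcessName } else { '?' }
        Path      = if ($p) { $p.Path } else { '?' }
    }
} | Sort-Object LocalPort | Format-Table -AutoSize

# 4. Outbound bytes/sec per interface, for the "pegged at 100%" symptom the
#    switch reported; three samples two seconds apart.
Get-Counter '\Network Interface(*)\Bytes Sent/sec' -SampleInterval 2 -MaxSamples 3 |
    ForEach-Object { $_.CounterSamples | Select-Object InstanceName, CookedValue }
```

Record the warnings and table output before isolating the host so the timeline (creation times, owning PIDs) survives the cleanup.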
Drew -
Did you start to encounter intermittent RPC service
failures on the affected machines? (I have not found
those files on my machines, but my unpatched machines did
have 4 different RPC failures over 3 days.) Win2k SP3 DC
box?