May have found the first rootkit/worm exploiting the DCOM/RPC vuln

Thread starter: Jason

Jason

-----Original Message-----
Here is what I've found so far:

Some sort of worm or rootkit has been found on one of the boxes in my
co-lo that was unpatched. So far I am not sure what the rootkit is actually
doing; I do know that my BlackDiamond 6808 is reporting that the box is
nailed at 100% of 10 megabits to the net and has been for about 12 hours.

Here is what I've found so far:

A user named cache (hidden) in the Administrators group, added on 08/03/03.
Cannot delete this user.
A file called dcomx.exe appeared in c:\winnt\system32\ on 08/04/03.
A file called juh.exe appeared in c:\ on 08/04/03.

Google has no information about said files.

I assume JUH is the delivery mechanism, and then DCOMx is actually the
'daemon'. fport shows dcomx.exe running as a process.
Figured I'd give you guys a heads up.

Thanks,
Drew Weaver
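The indicators Drew lists (an unexpected member of the Administrators group, an unfamiliar binary in system32 holding a port) are the kind of thing a defender wants to check mechanically against a known-good baseline rather than by eye. The script below is an added example, not code from the thread or from either poster: it parses text in the column layout of fport and of `net localgroup Administrators`, then reports processes and accounts that are not in a baseline captured from a clean host. The sample outputs, PIDs, the port number and the baseline sets are constructed for the example; only the file and account names come from the thread.

```python
"""Triage helper: compare fport and 'net localgroup' output against a baseline.

Both input formats are approximated from the tools' column layouts; the
sample text below is constructed for this example.
"""
import re

# Constructed sample in fport's layout (Pid Process -> Port Proto Path).
# PIDs and the 1061 port are made up; dcomx.exe is the file named in the thread.
FPORT_SAMPLE = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  445   TCP
1188  inetinfo       ->  80    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
1412  dcomx          ->  1061  TCP   C:\\WINNT\\system32\\dcomx.exe
"""

# Constructed sample of 'net localgroup Administrators' output.
# 'net' is a second enumeration path that does not rely on the GUI snap-in,
# so an account hidden from one view may still show up here.
NET_LOCALGROUP_SAMPLE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator            cache
drew
The command completed successfully.
"""

# Baselines a defender would capture from a clean, patched host (constructed here).
BASELINE_PROCESSES = {"system", "svchost", "inetinfo", "lsass", "services"}
BASELINE_ADMINS = {"administrator", "drew"}

FPORT_LINE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text):
    """Return one dict per process/port row; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line.strip())
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        entries.append({
            "pid": int(pid),
            "process": proc,
            "port": int(port),
            "proto": proto,
            "path": path.strip() or None,  # kernel-owned rows carry no path
        })
    return entries


def unexpected_listeners(entries, baseline_processes):
    """Rows whose process name is absent from the clean-host baseline."""
    return [e for e in entries if e["process"].lower() not in baseline_processes]


def parse_localgroup(text):
    """Collect member names listed between the dashed rule and the trailer line.

    'net localgroup' prints up to three names per line, so each line is split
    on whitespace; names containing spaces would need a column-width parser.
    """
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members:
            continue
        if line.startswith("The command completed"):
            break
        members.extend(line.split())
    return members


def new_admins(members, baseline_admins):
    """Administrators-group members not present in the baseline set."""
    return [m for m in members if m.lower() not in baseline_admins]


def triage(fport_text, localgroup_text):
    """Run both checks and return the findings in one dict."""
    return {
        "unexpected_listeners": unexpected_listeners(parse_fport(fport_text), BASELINE_PROCESSES),
        "new_admins": new_admins(parse_localgroup(localgroup_text), BASELINE_ADMINS),
    }


if __name__ == "__main__":
    for key, findings in triage(FPORT_SAMPLE, NET_LOCALGROUP_SAMPLE).items():
        print(f"{key}: {findings}")
```

Run against real output captured with `fport > fport.txt` and `net localgroup Administrators > admins.txt`; the baseline sets are the only part that must be tuned to each host, and they should be recorded before an incident, not reconstructed during one.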



Drew -

Did you start to encounter intermittent RPC service
failures on the affected machines? (I have not found
those files on my machines, but my unpatched machines did
have 4 different RPC failures over 3 days.) Win2k SP3 DC
box?
 
Jason said:
Drew -

Did you start to encounter intermittent RPC service
failures on the affected machines? (I have not found
those files on my machines, but my unpatched machines did
have 4 different RPC failures over 3 days.) Win2k SP3 DC
box?


Actually, Exchange kept dying and going inaccessible on me, and I had to reboot
the server many times over the weekend because of it. Come to think of it,
this is probably why :-)

-Drew
 