Maybe have found the first rootkit/worm exploiting the dcom/rpc vuln

[Jason]

-----Original Message-----
Here is what I've found so far:

Some sort of worm or root kit, has been found on one of the boxes in my
co-lo that was unpatched, so far I am not sure what the rootkit is actually
doing, i do know that my blackdiamond 6808 is reporting that the box is
nailed at 100% of 10megabits to the net and has been for about 12 hours.

Here is what i've found so far:

user named cache (hidden) in the administrator group added on 08/03/03
Cannot delete this user.
a file called dcomx.exe appears in c:\winnt\system32\ on 08/04/03
a file called juh.exe appeared in c:\ on 08/04/03

google has no information about said files

I assume JUH is the delivery mechanism, and then DCOMx is actually the
'daemon' fport shows dcomx.exe running as a process.
figured i'd give you guys a heads up.

Thanks,
Drew Weaver


.

Drew -

Did you start to encounter intermittent rpc service
failures on the effected machines? ( i have not found
those files on my machines; but my unpatched machines did
have 4 different rpc failures over 3 days ). win2k sp3 dc
box. ?

 

[Andrew Weaver]

Drew -

Did you start to encounter intermittent rpc service
failures on the effected machines? ( i have not found
those files on my machines; but my unpatched machines did
have 4 different rpc failures over 3 days ). win2k sp3 dc
box. ?

Actually, Exchange kept dying going inaccessable on me, and I had to reboot
the Server many times over the weekend because of it. Come to think of it
this is probably why

-Drew

 

[Andrew Weaver]

BTW here is the zip file of the files.

http://www.soul-fu.com/drew.zip

-Drew