Windows 2000 Hotfix KB823980 installed without permission


jim

Jul 31, 2003, 1:18:32 PM
On July 31 at 3:40 am, this hotfix was installed on several of our systems.
It rebooted our machines causing major problems. The interesting part is
that the Automatic Update Service was disabled on all of our systems. Has
anyone had any experience with hotfixes being installed without permission?

Thanks
Jim


Rodney Dyer

Aug 5, 2003, 9:40:01 AM
Jim,

Yes! Yes! Yes! Our Windows 2000 Active Directory
servers are set up so that they don't automatically
download and install patches. Yet, as of yesterday Aug
4th, we have found that all of them downloaded and
installed the KB823980 patch automatically. This
coincided with RPC failure and multiple reboots on all of
our active directory XP clients.

It really looks like the machines were compromised by a
worm that installed the 823980 patch to close the hole
behind itself. The servers only rebooted once, the
clients multiple times. We have good forensic evidence
for thinking that the XP clients are fine, except for a
few reboots. It looks like the worm may have failed on
the clients due to extensive complexity in the DCOM
interface. We have reports that port 33571 is in
listening mode on the servers, but we have not verified
this yet.

A worm is the most likely scenario. We had very good
intentions to install the patch ourselves earlier, but
were risking the time because we were very close to a
scheduled maintenance update. We thought we could take
the risk because we have port 135 firewalled off. It
really looks like this worm came from inside the
firewall, but we have no packet data to confirm.

Other than this, our network is still functioning 100
percent. We have not been downgraded in functionality.
We don't know the extent to which the server has been
compromised. It just looks like a patch has been
installed, and maybe a port is being listened on. We
will be performing MD5 checksums of all the server files
to find out what changed.

Get the word out...

Rodney

Rodney M. Dyer
Windows Systems Programmer
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Email: rmd...@uncc.edu
Web: http://www.coe.uncc.edu/~rmdyer
Phone (704)687-3518
Help Desk Line (704)687-3150
FAX (704)687-2352
Office 267 Smith Building

D Small

Aug 5, 2003, 11:31:01 AM
I have another weird one. Sneaked in (during windows update) and Uninstalled?
I'm a standalone user. I had no notice for this on the page and so could not
have asked for it.

On July 4 2003 I installed the 818529 IE Cum patch.
On July 25 when downloading newest updates and reviewing the install logs, I
found this:
Notepad

IEPatchUninstall.BAK dated 7/25/2003 8:25 pm

Command Line C:\WINNT\ieuninst.exe C:\WINNT\INF\Q818529.inf

Inf File C:\WINNT\INF\Q818529.inf

Qfe number is Q818529

I'm using the .BAK file because I have opened the regular .log file a couple of
times.

My IE still shows this: SP!; Q818529; 330994

My default page for windows update is
http://v4.windowsupdate.microsoft.com/en/default.asp

Is there a big hole here somewhere during windows update?
................................................

"Rodney Dyer" <rmd...@uncc.edu> wrote in message
news:0d6501c35b57$11cc4d30$a101...@phx.gbl...

Rodney Dyer

Aug 6, 2003, 12:08:06 PM
Yes, your machine has been hacked. Here's the solution so far...

This information is provided as-is, etc, etc...
This may not be exact across the board, but is what we have found.

There are several signs that will indicate the presence of the RPC exploit on a system that has not done a manual installation of the RPC exploit patch (KB823980).

All machines we have found to be exploited are running Windows 2000 & 2003 Server.

In the root directory of the hacked server you will find the actual extracted files from the Microsoft patch (any MS patch will not leave the files sitting in the root). These files include:
empty.cat
ole32.dll
rpcrt4.dll
rpcss.dll
spmsg.dll
spuninst.exe
update.exe (self-extracting archive)

There will also be an <drive>:\update directory from which the installer is called and it will contain the following files:
eula.txt
kb823980.cat
spcustom.dll
update.exe
update.inf
update.ver

There is also some further proof that the server has been hacked. In the SYSTEM event log the following entry was found:

Event Type: Information
Event Source: NtServicePack
Event Category: None
Event ID: 4377
Date: 08/03/2003
Time: 11:18:02 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME
Description:
Windows 2000 Hotfix KB823980 was installed.

This entry in the log is usually followed by a server restart which will complete the hack.

Once the server has restarted it will no longer appear to be vulnerable to the RPC exploit on the common ports (135, 139, 445, and 593) and this was confirmed by scanning with several of the DCOM utilities available, but it will now have a new port that is available for use by the hacker (port 33571). This port will only be found by issuing a NETSTAT -A command from the command prompt and it will reveal that the server is "listening" on this port. This port is only "listening" on the servers that were hacked.

The exploited server will also have two files HIDDEN in the <drive>:\WINNT\system32 directory. The files are CSRSRV.EXE and CSRSU.EXE. These files ARE NOT VISIBLE from the console of the server. (The CSRSRV.DLL is a valid file and should not be removed from your system.)

These two files can only be seen when connected to the server via an admin share across the network (C$, D$, WINNT$, etc.). These files are not detected by any antivirus programs since they contain valid program code.
NOTE: If the workstation you are using has also been hacked you will be unable to see these files on any remotely connected machines as well as the local machine.

The hacker may also modify at least one registry entry in the HKLM\SYSTEM\ControlSet001\CSR*.

The CSRSRV.EXE (Path to Executable: C:\WINNT\system32\csrsu.exe) and CSRSU.EXE (Path to Executable: C:\WINNT\system32\csrsrv -k csrspx) files are listed in the Services MMC as Clipboard and CSRS Windows NT services respectively. These services will fail to start once the files have been renamed from a remote computer. NOTE: If the workstation you are using has also been hacked you will be unable to see these files on any remotely connected machines as well as the local machine.

The removal process:
These files (CSRSRV.EXE and CSRSU.EXE) cannot be deleted remotely but they can be renamed. Once they have been renamed the services can be removed using the delsrv.exe resource kit tool (http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/delsrv-o.asp) and executing the following commands:

C:\TOOLS>delsrv csrspx
C:\TOOLS>delsrv csrswin1

The registry keys should be deleted and the server rebooted.

We have created and attached a self extracting patch that will remove the services and registry entries from your local machine. This was packed using WinRAR, and we cannot guarantee successful execution on every system. The patch should be applied AFTER you rename the two hidden files in the system32 directory and have restarted the machine. The patch should be run locally from the affected machine.


Rodney
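The indicators in Rodney's post (dropped patch files in the drive root, the hidden csrsrv.exe/csrsu.exe binaries, a TCP listener on 33571, and NtServicePack "Hotfix ... was installed" events that nobody scheduled) can be checked mechanically. The following is an added example written for this thread, not code from the thread or from UNC Charlotte; the directory listings, netstat text and event tuples are constructed samples that mimic what the posts describe, and a real run would feed it output captured from the suspect machine over an admin share.

```python
import re

# Indicator values are taken from Rodney Dyer's post; sample inputs below are constructed.
ROOT_DROP_FILES = {"empty.cat", "ole32.dll", "rpcrt4.dll", "rpcss.dll",
                   "spmsg.dll", "spuninst.exe", "update.exe"}
HIDDEN_BINARIES = {"csrsrv.exe", "csrsu.exe"}      # csrsrv.dll itself is legitimate
BACKDOOR_PORT = 33571
HOTFIX_EVENT_IDS = {4377, 4359}                     # NtServicePack "Hotfix ... was installed"

def dropped_patch_files(root_listing):
    """Dropped-patch names present in a drive-root listing (a normal patch leaves none)."""
    return sorted(ROOT_DROP_FILES & {n.lower() for n in root_listing})

def hidden_service_binaries(system32_listing):
    """csrsrv.exe / csrsu.exe found in a system32 listing taken over an admin share."""
    return sorted(HIDDEN_BINARIES & {n.lower() for n in system32_listing})

def listening_on_backdoor_port(netstat_output):
    """True when `netstat -a` text shows a TCP socket LISTENING on port 33571."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING":
            port = parts[1].rsplit(":", 1)[-1]          # strip "HOST:" prefix
            if port.isdigit() and int(port) == BACKDOOR_PORT:
                return True
    return False

def unapproved_hotfix_events(events, approved):
    """(time, hotfix) for hotfix-installed events whose KB/Q number was not change-controlled."""
    hits = []
    for event_id, when, description in events:
        m = re.search(r"Hotfix (KB\d+|Q\d+) was installed", description)
        if event_id in HOTFIX_EVENT_IDS and m and m.group(1) not in approved:
            hits.append((when, m.group(1)))
    return hits

# Constructed samples modelled on the thread (not captured from a real host).
SAMPLE_ROOT = ["boot.ini", "empty.cat", "rpcss.dll", "update.exe", "ntldr"]
SAMPLE_SYSTEM32 = ["csrsrv.dll", "CSRSRV.EXE", "CSRSU.EXE", "kernel32.dll"]
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    SERVERNAME:135         SERVERNAME:0           LISTENING
  TCP    SERVERNAME:33571       SERVERNAME:0           LISTENING
  TCP    SERVERNAME:139         10.0.0.5:1044          ESTABLISHED"""
SAMPLE_EVENTS = [
    (64008, "12:36:47", "The protected system file could not be verified as valid"),
    (4377, "12:36:48", "Windows 2000 Hotfix KB823980 was installed."),
    (4359, "12:37:00", "Windows 2000 Hotfix Q329115 was installed."),
]
```

Any non-empty result from the first two functions, a True from the third, or an unapproved hotfix event is a reason to pull the host for the file-checksum comparison Rodney describes rather than to trust the console view of the machine.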

D Small

Aug 6, 2003, 10:31:16 PM
Thank you Rodney. I see that I have been gloriously hacked. I have such a mess
here I will really have to go back one image. I am just learning how to harden
my computer and was within one week of being locked down tight.

My next question, then, is once I go back one image (to before these last 7
updates), where does one go to get uncontaminated updates? The bad part of it
was that the installation of the RPC exploit patch KB823980 was one that I had
specifically called for on that very bad download. Just a minute sooner and I
would have been okay. ?? ??
............................................

"Rodney Dyer" <rmd...@uncc.edu> wrote in message

news:000a01c35c34$ec49f330$a401...@phx.gbl...

D Small

Aug 6, 2003, 11:53:57 PM
You know, this is really scary. I just went back to look at what was going on
during my windows update that started all my problems.
>>>>>>
System Tools\Event Viewer\System
Information 7/25/2003 12:36:47 pm Windows file Protection Event 64008
The protected system file C:\winnt\system32\msoert2.dll could not be verified as
valid because Windows File Protection is terminating. Use the SFC utility to
verify the integrity of the file at a later time.
16 of these lines for these dlls (could not be verified etc.)
c:\winnt\system32\msoeacct.dll
c:\winnt\system32\inetres.dl
c:\winnt\system32\inetcomm.dll
c:\winnt\system32\msident.dll
c:\program files\outlook express\msoeres.dll
c:\program files\outlook express\msoe.dll
c:\program files\outlook express\oeimport.dll
c:\program files\outlook express\msimn.dll
c:\program files\outlook express\oemig50.exe
c:\program files\outlook express\oemiglib.dll
c:\program files\outlook express\wabimp.dll
c:\program files\outlook express\wabfind.dll
c:\program files\outlook express\wabmig.exe
c:\program files\outlook express\wab.exe
c:\program files\common files\system\directdb.dll
c:\program files\common files\system\wab32.dll
................................
Next events to happen:
4377 12:36:48 Windows 2000 Hotfix KB823980 was installed.
4359 12:37:00 Windows 2000 Hotfix Q329115 was installed.
4359 12:37:05 Windows 2000 Hotfix Q329170 was installed.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

"D Small" <jgil...@nycap.rr.com> wrote in message
news:eylZ2EJX...@tk2msftngp13.phx.gbl...
