Security Incidents mailing list archives
RE: MSLV.exe
From: Rob Keown <Keown () MACDIRECT COM>
Date: Wed, 21 Nov 2001 21:54:14 -0500
Here are the facts:

1. I believe the host was compromised by CodeRed in September. Admin cleaned the system, but did not remove root.exe from IIS's INETPUB/scripts... this is how the exploit was accomplished.
2. IDS software was installed on the host in late September.
3. On 11/17 the system failed, was rebuilt (perhaps without IIS patches... not sure), but the IDS failed to start. This might be why the system was vulnerable but unexploited until this time.
4. Today a file called MSLV.exe was installed from a blackhat and appears to have code similar to SubSeven and Nimda. This is a very preliminary statement.
5. Other reputable users on this forum requested the source and are disassembling it. One initial report that it is a valid exploit led to this post.
6. We took a system snapshot of the system and are looking at logs. We removed the system from the network and cleansed it. Will monitor it closely.
7. This isn't a small-, medium- or large-scale problem at this time. Just sharing some info. Will let you know if this is something we should worry about.

Rob Keown

-----Original Message-----
From: Rob Keown [mailto:Keown () MACDIRECT COM]
Sent: Wednesday, November 21, 2001 5:58 PM
To: incidents () securityfocus com
Subject: MSLV.exe

I am in heads down mode investigating an infection. The culprit is a file in root of c: of an NT4 SP6 machine, supposedly patched IIS. MSLV.exe is in the root and contains Nimda-like exploit strings. Don't have time to go into detail. Can't find reference to mslv.exe anywhere. Anyone know of this?

Rob Keown

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
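Point 1 of the report above (a root.exe left behind in /scripts and later used to get in) leaves a recognisable trace in the IIS W3C extended logs that the poster says were being examined. The following is an added example, not code from the original post or from any tool it mentions: it parses a constructed IIS 4.0 log excerpt and flags requests for root.exe (the cmd.exe copy that Code Red II dropped into /scripts and /MSADC) and the cmd.exe traversal forms Nimda used, both documented in CERT advisory CA-2001-26. The log lines, client addresses and status codes are all constructed. The practitioner's point is the status code: a 404 on /scripts/root.exe is just a scanner probing, while a 200 means the backdoor was still present and answered the request.

```python
import re
from collections import Counter

# Constructed IIS 4.0 W3C extended log excerpt (not from the original post).
# 198.51.100.7 is an RFC 5737 documentation address standing in for a scanner.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-11-21 20:01:13
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-21 20:01:13 192.0.2.10 GET /default.htm - 200
2001-11-21 20:01:14 192.0.2.10 GET /images/logo.gif - 200
2001-11-21 20:02:40 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-11-21 20:02:41 198.51.100.7 GET /MSADC/root.exe /c+dir 404
2001-11-21 20:02:42 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-11-21 20:02:43 198.51.100.7 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2001-11-21 20:05:00 192.0.2.11 GET /scripts/fpcount.exe - 200
"""

# Code Red II left a copy of cmd.exe named root.exe in /scripts and /MSADC;
# any request for a root.exe under the web root is worth a look.
ROOT_EXE = re.compile(r"/root\.exe$", re.IGNORECASE)

# Nimda-style cmd.exe reach-throughs: the /c and /d virtual directories
# Code Red II created, or a directory traversal (raw, %5c/%2f, or the
# %c0%af / %c1%9c Unicode forms) that ends in cmd.exe.
CMD_EXE = re.compile(
    r"(?:^/[cd]/winnt/system32/cmd\.exe$)"
    r"|(?:\.\.(?:%5c|%2f|%c0%af|%c1%9c|\\|/).*cmd\.exe$)",
    re.IGNORECASE,
)


def parse_w3c(text):
    """Yield one dict per data row, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or header-less row; skip rather than guess
        yield dict(zip(fields, parts))


def classify(rec):
    """Return a finding label for one parsed row, or None if it is benign."""
    stem = rec.get("cs-uri-stem", "")
    status = rec.get("sc-status", "")
    if ROOT_EXE.search(stem):
        # 200 means root.exe exists and ran: the backdoor is still there.
        return "backdoor-used" if status == "200" else "backdoor-probe"
    if CMD_EXE.search(stem):
        return "traversal-success" if status == "200" else "traversal-probe"
    return None


def find_hits(text):
    """Return (client, uri-stem, uri-query, status, label) for each suspicious row."""
    hits = []
    for rec in parse_w3c(text):
        label = classify(rec)
        if label:
            hits.append((rec["c-ip"], rec["cs-uri-stem"],
                         rec["cs-uri-query"], rec["sc-status"], label))
    return hits


def summarize(text):
    """Count findings by label so a successful backdoor hit stands out."""
    return Counter(hit[-1] for hit in find_hits(text))


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit)
    print(dict(summarize(SAMPLE_LOG)))
```

Run against a real log directory the same way, feeding each file's text to find_hits; a single "backdoor-used" line is enough to justify the rebuild the poster describes, and the client address on it is the one to look for in the rest of the logs.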
Current thread:
- MSLV.exe Rob Keown (Nov 21)
- <Possible follow-ups>
- RE: MSLV.exe Rob Keown (Nov 21)