Educause Security Discussion mailing list archives

Backup Exec Agent Browser Exploit


From: Jim Bollinger <JBollinger () WLU EDU>
Date: Wed, 12 Jan 2005 09:34:57 -0500

Last night we were hit by a buffer overrun exploit on the Veritas Backup
Exec Agent Browser service. At least one of the servers, a Windows 2003
Server running BE 9.1, appears to have been compromised by something
which is using Hacker Defender as a stealth aid. The Symantec AV is
killing a file called C:\WINDOWS\SYSTEM32\trkupd.sys, which it says is
Backdoor.HackerDefender.

I have seen what little there is on Symantec's website and done some
obvious Google searches. I can already hear the chorus of "rebuild the
machine" coming.

The reason I am hesitant to do that is that regardless of what
migration strategy I take, there will need to be a large effort
to both reconfigure the box and recover the backup catalogs.

Does anyone have experience with Hacker Defender removal?

Thanks, Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743
