Educause Security Discussion mailing list archives

Re: Backup Exec Agent Browser Exploit


From: Daren Kinser <dkinser () UCSD EDU>
Date: Wed, 12 Jan 2005 07:32:23 -0800

Jim,

There is a readme file at 

http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender1.00.html

In the FAQ section you will find some questions and answers that may be
of help. If the hacker changed the name of the services you may be out
of luck. I hope this helps.

Daren Kinser GSEC, MCSE
University of California, San Diego
Audit and Management Advisory Services



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Bollinger
Sent: Wednesday, January 12, 2005 6:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Backup Exec Agent Browser Exploit

Last night we were hit by a buffer overrun exploit on the Veritas Backup
Exec Agent Browser service. At least one of the servers, a Windows 2003
Server running BE 9.1, appears to have been compromised by something
which is using Hacker Defender as a stealth aid. The Symantec AV is
killing a file called C:\WINDOWS\SYSTEM32\trkupd.sys, which it says is
Backdoor.HackerDefender.

I have seen what little there is on Symantec's website and done some
obvious Google searches. I can already hear the chorus of "rebuild the
machine" coming.

The reason I am hesitant to do that is that regardless of what migration
strategy I take, there will need to be a large effort to both
reconfigure the box and recover the backup catalogs.

Does anyone have experience with Hacker Defender removal?

Thanks, Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
