
Just to add to what Tim is saying:

It is quite common to run into applications that are loaded as
hidden that will not be picked up by antivirus software because
they're actually legitimate applications that can be used to
backdoor systems.  It is also trivial to bypass most antivirus
software by altering the applications to mask particular
signatures.

There are likely many systems out there that were exploited,
plugged the RPC hole by shutting it off or installing the patch,
and then loading backdoors for future use.  The exploit was in
known circulation for about a week before MSU started filtering
RPC traffic from the Internet, and filtering from within campus
didn't happen until a couple of weeks later.  Plenty of time for
many, many systems to be backdoored in various ways, not
necessarily by viruses and worms.

There's plenty to be looking for including open ports that
shouldn't be, and user accounts with elevated privileges
(even on single-user systems) to name a few.

-Russell


Skutt, Tim wrote:

> I've run that particular scan tool on some hosts over here in the College of
> Business.  I found in some cases that DCOM was disabled in the registry.
> (HKLM\software\microsoft\ole)
> EnableDCOM should be Y
>
> On some that came back I found trojans on the PCs as a result of the RPC
> vulnerability.  Often they run processes that disable the ability for a
> system admin to connect to them remotely.
>
> I submitted some of the trojans found to Symantec.
>
> Tim
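
The three checks the thread mentions (Tim's EnableDCOM registry value, and Russell's "open ports that shouldn't be" and "user accounts with elevated privileges") are easy to script so they can be run across a batch of hosts rather than by hand. The script below is an added example written for this page; it is not from either poster and is not the scan tool Tim refers to. The port and administrator baselines are placeholders that must be replaced with your own, and the two cmdlets it relies on need a reasonably modern Windows (Get-NetTCPConnection on Windows 8 / Server 2012 or later, Get-LocalGroupMember on Windows 10 / Server 2016 or later; on older boxes `netstat -ano` and `net localgroup Administrators` give the same data). Run it from an elevated PowerShell session.

```powershell
# Added example, not part of the original thread.
# Post-compromise triage for the RPC/DCOM incident discussed above:
#   1. is EnableDCOM still 'Y' (Tim's registry check)?
#   2. which listening ports are outside the site baseline, and what owns them?
#   3. who is in the local Administrators group beyond the baseline?

# Assumptions: these baselines are placeholders for this example. Replace them
# with the ports and accounts you actually expect on the host being checked.
$ExpectedListeners = @(135, 139, 445, 3389)
$ExpectedAdmins    = @('Administrator', 'Domain Admins')

function Test-DcomEnabled {
    # HKLM\SOFTWARE\Microsoft\Ole, value EnableDCOM: 'Y' = enabled, 'N' = disabled.
    # A host that comes back 'N' needs a closer look: either someone turned DCOM
    # off deliberately, or something on the box did it for them.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $value = (Get-ItemProperty -Path $key -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    [pscustomobject]@{
        Check  = 'EnableDCOM'
        Value  = $value
        Status = if ($value -eq 'Y') { 'OK' } else { 'REVIEW' }
    }
}

function Get-UnexpectedListeners {
    # Every listening TCP socket not in the baseline, resolved to the owning
    # process and its image path, so a backdoor on an odd port is reported
    # together with the binary behind it rather than as a bare port number.
    Get-NetTCPConnection -State Listen |
        Where-Object { $ExpectedListeners -notcontains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = $proc.ProcessName
                Path         = $proc.Path
            }
        } | Sort-Object LocalPort, LocalAddress
}

function Get-UnexpectedAdmins {
    # Members of the local Administrators group outside the baseline. Names come
    # back as MACHINE\user or DOMAIN\group, so compare on the part after the
    # backslash. Worth running on single-user workstations too, as Russell notes.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $short = ($_.Name -split '\\')[-1]
            $ExpectedAdmins -notcontains $short
        } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Usage: print all three findings for the local host.
Test-DcomEnabled        | Format-Table -AutoSize
Get-UnexpectedListeners | Format-Table -AutoSize
Get-UnexpectedAdmins    | Format-Table -AutoSize
```

Anything this reports is a lead, not a verdict: a listener outside the baseline might be a legitimate service nobody documented, and an unexpected administrator might be a stale local account. The point Russell makes still applies, though. Because the backdoors left behind are often legitimate tools or lightly modified binaries that antivirus will not flag, the host has to be judged on what is listening and who holds privilege, not on whether a scanner reports it clean.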