Educause Security Discussion mailing list archives
Re: Backup Exec Agent Browser Exploit
From: Daren Kinser <dkinser () UCSD EDU>
Date: Wed, 12 Jan 2005 07:32:23 -0800
Jim,

There is a readme file at http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender1.00.html

In the FAQ section you will find some questions and answers that may be of help. If the hacker changed the name of the services you may be out of luck.

I hope this helps.

Daren Kinser GSEC, MCSE
University of California, San Diego
Audit and Management Advisory Services

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Bollinger
Sent: Wednesday, January 12, 2005 6:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Backup Exec Agent Browser Exploit

Last night we were hit by a buffer overrun exploit on the Veritas Backup Exec Agent Browser service. At least one of the servers, a Windows 2003 Server running BE 9.1, appears to have been compromised by something which is using Hacker Defender as a stealth aid. The Symantec AV is killing a file called C:\WINDOWS\SYSTEM32\trkupd.sys, which it says is Backdoor.HackerDefender.

I have seen what little there is on Symantec's website and done some obvious Google searches. I can already hear the chorus of "rebuild the machine" coming. The reason I am hesitant to do that is that regardless of what migration strategy I take, there will need to be a large effort to both reconfigure the box and recover the backup catalogs.

Does anyone have experience with Hacker Defender removal?

Thanks,
Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.