James Randi Educational Foundation JREF Forum

11th August 2003, 02:56 PM   #1
mummymonkey
Did you spill my pint?
Join Date: Dec 2002
Location: Scotland
Posts: 1,915
Mass Hack

Looks like someone is trying a mass hack tonight via the RPC service vulnerability. Make sure you're all patched up!

The patch is here
__________________
Knees bent, arms stretched, Ra! Ra! Ra!

11th August 2003, 04:34 PM   #2
bignickel
Mad Mod Poet God
Join Date: Aug 2002
Location: St. Louis, MO
Posts: 2,724
My machine just got attacked.

You'd think I would have d/led that patch already, wouldn't you? But no...
__________________
"You can find that book everywhere and the risk is that many people who read it believe that those fairy tales are real. I think I have the responsibility to clear things up to unmask the cheap lies contained in books like that."
- Cardinal Tarcisio Bertone

11th August 2003, 08:41 PM   #3
Torment
Scholar
Join Date: Apr 2003
Posts: 77
I got hit by it a week ago. The amount of people getting hit seems to have drastically increased since then. In one forum I go to over 20 people have gotten it, and we have maybe 60 active members.

The stuff you get infected with is easy enough to get rid of though, at least once you know the basics of virus removal and have a good AV.
__________________
Why do the people who know the least know it the loudest?

11th August 2003, 09:31 PM   #4
Wolverine
Grumpy Stinky Mustelid
Join Date: Jun 2002
Location: Austin, TX
Posts: 1,690
More info.

11th August 2003, 09:35 PM   #5
Wolverine
Grumpy Stinky Mustelid
Join Date: Jun 2002
Location: Austin, TX
Posts: 1,690
... and more...

11th August 2003, 11:30 PM   #6
Luke T.
Guest
Join Date: May 2003
Posts: 14,759
Do not download this patch. It has totally screwed up my computer.

11th August 2003, 11:35 PM   #7
Luke T.
Guest
Join Date: May 2003
Posts: 14,759
I hope this gets through. I have two accounts on my computer. The account I used to download and run the patch is no longer allowing me access to the outside world in any way. And on the other account I am using right now, it has a system shutdown message which only allows me to use the computer for one minute. I am typing fast as I can.

This system is shutting down. Please save all work in progress and log off. This shutdown was initiated by NT authority/system

11th August 2003, 11:39 PM   #8
Luke T.
Guest
Join Date: May 2003
Posts: 14,759
Computer reboots all by itself. I log back on, and I get a one minute warning it is going to reboot again.

And yes, I have restored my computer to a point prior to patch. I tried three restore points, all the way back to two weeks ago.

Windows XP.

Here I go, rebooting itself again. MOTHERF***ER!!!!!

12th August 2003, 12:46 AM   #9
mummymonkey
Did you spill my pint?
Join Date: Dec 2002
Location: Scotland
Posts: 1,915
Luke T.
See Wolverine's info. Looks like you got blasted.
__________________
Knees bent, arms stretched, Ra! Ra! Ra!

12th August 2003, 12:54 AM   #10
Wolverine
Grumpy Stinky Mustelid
Join Date: Jun 2002
Location: Austin, TX
Posts: 1,690
Quote:
Originally posted by Luke T.
This system is shutting down. Please save all work in progress and log off. This shutdown was initiated by NT authority/system
This sounds like the worm, not any problem caused by installing the patch.

Go to start/run and type in msconfig then click ok

Click the Startup tab

If you see anything that says msblast.exe (there are possibly other aliases also), chances are you're infected with this critter.

12th August 2003, 12:59 AM   #11
Wolverine
Grumpy Stinky Mustelid
Join Date: Jun 2002
Location: Austin, TX
Posts: 1,690
Symantec has additional info and a removal tool (and additional removal instructions) now posted on this page.

12th August 2003, 01:56 AM   #12
davidhorman
Muse
Join Date: Oct 2001
Posts: 984
I read once that it's very difficult to block your RPC port unless you have firewall software, but I found an easy way (if you know enough to do it). If you have Internet Connection Sharing on the computer that's connected to the Internet (you can enable it just to do this if you want), you can use the Advanced settings to forward port 113 to a non-existent address.

David

12th August 2003, 06:56 AM   #13
Jon_in_london
Illuminator
Join Date: Aug 2002
Posts: 4,994
Quote:
Originally posted by Luke T.
Computer reboots all by itself. I log back on, and I get a one minute warning it is going to reboot again.

And yes, I have restored my computer to a point prior to patch. I tried three restore points, all the way back to two weeks ago.

Windows XP.

Here I go, rebooting itself again. MOTHERF*CKER!!!!!
Luke, sounds like you have the patch but the msblast is still on your system.

Delete/stop running msblast then install patch.
__________________
Radicals and Racists Don't point your finger at me I'm a small town white boy Just tryin' to make ends meet
Don't need your religion Don't watch that much T.V.
Just makin' my livin', baby Well that's enough for me

12th August 2003, 09:08 AM   #14
peptoabysmal
Illuminator
Join Date: Sep 2002
Posts: 3,467
Quote:
Originally posted by Luke T.
Computer reboots all by itself. I log back on, and I get a one minute warning it is going to reboot again.

And yes, I have restored my computer to a point prior to patch. I tried three restore points, all the way back to two weeks ago.

Windows XP.

Here I go, rebooting itself again. MOTHERFU*KER!!!!!
I had the same thing happen on Win XP. I went into the network control panel and enabled the firewall protection from the Advanced tab, that seemed to stop it. Either I just got lucky, or this hack relies on a remote proc call sent from outside and the firewall blocks it.
__________________
OBAMA: It's not that I want to punish your success; I just want to make sure that everybody who is behind you that they've got a chance to success, too. I think when you spread the wealth around, it's good for everybody.

12th August 2003, 12:07 PM   #15
Bluegill
Graduate Poster
Join Date: Oct 2002
Location: Louisville
Posts: 1,188
Quote:
Originally posted by Luke T.
I hope this gets through. I have two accounts on my computer. The account I used to download and run the patch is no longer allowing me access to the outside world in any way. And on the other account I am using right now, it has a system shutdown message which only allows me to use the computer for one minute. I am typing fast as I can.

This system is shutting down. Please save all work in progress and log off. This shutdown was initiated by NT authority/system

My wife was on the computer last night when she suddenly started getting this warning and getting kicked off. I guess now I know why. I guess I know what I'll be messing around with when I get home from work today. Bastards.

12th August 2003, 12:18 PM   #16
bignickel
Mad Mod Poet God
Join Date: Aug 2002
Location: St. Louis, MO
Posts: 2,724
Hey Bluegill! I caught Heide Howe last night here in St. Louis coffeehaus. Louisville's own.

She rocks! Well, she folks anyway...
__________________
"You can find that book everywhere and the risk is that many people who read it believe that those fairy tales are real. I think I have the responsibility to clear things up to unmask the cheap lies contained in books like that."
- Cardinal Tarcisio Bertone

12th August 2003, 02:20 PM   #17
Bluegill
Graduate Poster
Join Date: Oct 2002
Location: Louisville
Posts: 1,188
Quote:
Originally posted by bignickel
Hey Bluegill! I caught Heide Howe last night here in St. Louis coffeehaus. Louisville's own.

She rocks! Well, she folks anyway...
Howdy! Heidi Howe (heh heh) hired my sister-in-law (I ran out of H-words, darn it) to film some of her concerts, but I've never seen her. She gets pretty good press. I suppose I should try to see one of her shows.

So I guess you and I practically know one another [waves]

12th August 2003, 11:16 PM   #18
Luke T.
Guest
Join Date: May 2003
Posts: 14,759
Getting rid of the virus has proven more difficult than I thought. I also think it is too strange a coincidence that it didn't kick in until the moment I tried to get the patch from Microsoft to work.

I still can't get the patch to work. But I got the virus remover that Wolverine linked from Symantec to work.

But that didn't work right away. I had files on my computer that were unrelated to the virus which were corrupted and would not delete. This caused the virus remover to halt and quit when it came across them.

I finally had to go into DOS and manually delete them, then I got the virus remover to finally work.

The Microsoft patch still won't run.

If I were to get my hands on the hacker who wrote this virus, I would turn Islamic for a few minutes and break his face, pull off his ears, cut out his tongue, break his knees, and cut off his hands one finger at a time. With a dull, rusty butter knife and no anesthesia.

Let him try and write code as a deaf, dumb, fingerless cripple.

13th August 2003, 12:22 AM   #19
mummymonkey
Did you spill my pint?
Join Date: Dec 2002
Location: Scotland
Posts: 1,915
Luke T.
Rename the catroot2 file in windows\system32 then try again.
__________________
Knees bent, arms stretched, Ra! Ra! Ra!

13th August 2003, 08:55 PM   #20
Luke T.
Guest
Join Date: May 2003
Posts: 14,759
Quote:
Originally posted by mummymonkey
Luke T.
Rename the catroot2 file in windows\system32 then try again.
huh?

17th August 2003, 07:13 AM   #21
De_Bunk
Scourge of the Believer
Join Date: Feb 2002
Posts: 5,508
And before you do anything...

Turn off system restore... (That's if you got it on in the first place)


DB
__________________
I've made nearly 20,000 posts on the JREF...

Trouble is..over 14,000 have been deleted...

And you think you're 'Hardcore'.. (DB)

20th August 2003, 05:05 AM   #22
max
That old codger
Join Date: Feb 2002
Location: uk
Posts: 988
Go to Desktop and click on F3. If infected, there will be two files, one a jvs, the other exe. To get rid of them, go to www.bigblackglasses.com; they have a script to download to clean up the desktop. Then go to www.microsoft.com and download the patch. Use the one referring to RPC. Run the patch, then shut down and restart the computer.

All times are GMT -7.