Security Incidents mailing list archives

RE: Possible System Compromise


From: "Willsey, Rob (CCI-Omaha)" <Rob.Willsey () cox com>
Date: Tue, 9 Jul 2002 17:37:52 -0400

With the file sizes being different I wouldn't say a zip or rar file.  Those usually have the same file size through 
the majority of it.  My guess would be speed tests of some sort.


 -----Original Message-----
From:   Mike Hrubes [mailto:MHrubes () wizmo com] 
Sent:   Tuesday, July 09, 2002 3:29 PM
To:     David Baker; incidents () securityfocus com
Subject:        RE: Possible System Compromise

Perhaps a .rar or a zipped file of some sort?  Seems familiar to me as well...I've seen it before.  That's all the 
clues I have for you....

-----Original Message-----
From: David Baker [mailto:bakerd () mitre org]
Sent: Tuesday, July 09, 2002 1:58 PM
To: incidents () securityfocus com
Subject: Possible System Compromise


All,
   I have a person that contacted me after some strange files appeared in the
root directory of his Windows XP box.  This person is remote from me, and I
don't have a lot to go on right now, but there are about 30 files that appeared
in the root directory:
S3no            23KB 
S3no.1           7KB 
S3no.2           4KB
S3no.3          23KB
S3no.4         472KB
S3no.5          23KB
S3no.6           7KB
S3no.7           4KB
S3no.8          23KB
S3no.9         472KB
S3no.a          23KB
S3no.b           7KB
S3no.c           4KB
S3no.d          23KB
S3no.e         472KB
S3no.f          23KB
S3no.g           7KB
S3no.h           4KB
S3no.i          23KB
S3no.j         472KB
S3no.k          23KB
S3no.l           7KB
S3no.m           4KB
S3no.n          23KB
S3no.o         472KB
S3no.p          23KB
S3no.q           7KB
S3no.r           4KB
S3no.s          23KB
S3no.t         472KB

This sounds familiar to me, but I cannot seem to find anything in my archives
about this one.  I also couldn't find anything relevant with a couple of
searches.  Does anyone have a cluebat they can smack me with?  The pattern of
file sizes is constant.  All the files have the same date/time
6/16/2002 at 6:42pm
Thanks in advance.
Dave B.

-- 
 ------------------------------------------------------------
 David W. Baker                            bakerd () mitre org
 Lead INFOSEC Engineer
 G023 - Secure Information Technology      (703) 883-3658
 The MITRE Corporation                     (703) 883-4589 (F)
 Mailstop W435                             
 7515 Colshire Drive                       McLean, VA, 22102
 ------------------------------------------------------------
 "Cyberspace. A consensual hallucination experienced daily by
 billions of legitimate operators, in every nation, by 
 children being taught mathematical concepts... A graphic
 representation of data abstracted from the banks of every
 computer in the human system.  Unthinkable complexity.  Lines 
 of light ranged in the nonspace of the mind, clusters and
 constellations of data.  Like city lights, receding..."
 - William Gibson, "Neuromancer" 
 
 "640K ought to be enough for anybody." - Bill Gates, 1981 
 -------------------------------------------------------------


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
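
Added example, not part of the original thread: a small Python triage helper that parses a listing like the one David posted, finds the shortest repeating cycle of file sizes, and tests the split-archive idea raised in the replies. The listing is rebuilt from the names and sizes in the message; the function names and the split-volume heuristic (equal-size parts with a smaller final part) are assumptions of this example.

```python
import re

# Listing rebuilt from the names and sizes posted in the thread (30 files).
SUFFIXES = "123456789abcdefghijklmnopqrst"
POSTED_SIZES = [23, 7, 4, 23, 472]  # KB, in the order they appear in the post
NAMES = ["S3no"] + [f"S3no.{c}" for c in SUFFIXES]
LISTING = "\n".join(f"{n:<12}{POSTED_SIZES[i % 5]:>6}KB" for i, n in enumerate(NAMES))

def parse_listing(text):
    """Return [(name, size_kb)] from lines such as 'S3no.4   472KB'."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\d+)\s*KB\s*$", line)
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows

def shortest_period(sizes):
    """Smallest p with sizes[i] == sizes[i - p] for every i >= p."""
    for p in range(1, len(sizes) + 1):
        if all(sizes[i] == sizes[i - p] for i in range(p, len(sizes))):
            return p
    return 0  # empty input

def looks_like_split_volumes(sizes):
    """Assumed heuristic: all parts equal except a final part that is no larger."""
    if len(sizes) < 2:
        return False
    body, last = sizes[:-1], sizes[-1]
    return len(set(body)) == 1 and last <= body[0]

def triage(text):
    """Summarise the size pattern of a directory listing for an analyst."""
    sizes = [size for _, size in parse_listing(text)]
    p = shortest_period(sizes)
    return {
        "files": len(sizes),
        "period": p,                       # files per repeating group
        "cycle": sizes[:p],                # sizes inside one group
        "repeats": len(sizes) / p if p else 0,
        "cycle_total_kb": sum(sizes[:p]),
        "split_volumes": looks_like_split_volumes(sizes),
    }

if __name__ == "__main__":
    print(triage(LISTING))
```

A period shorter than the file count with a whole number of repeats points to the same set of files being written several times, which is a different lead from a single archive split into parts.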

