Security Incidents mailing list archives
Re: Can anyone identify this backdoor?
From: Jhon Q Doe <boris888 () juno com>
Date: Wed, 10 Jul 2002 22:43:55 -0400
From: "Matt Andreko" <mandreko () ori net>
To: <incidents () securityfocus com>
Date: Wed, 10 Jul 2002 16:58:06 -0500

Apparently over the holiday, one of my client's machines was broken into. It was running Windows 2000 Pro, with IIS installed (webserver only, no ftp, smtp, ...). Apparently the attacker got in through this. The logs show some Unicode in the requests, so I'd bet that's it.

A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I have studied it a little bit, and it seems quite interesting. It's actually a winrar self-executable file. Inside it contains what I believe is a stripped-down copy of the serv-u ftp server, messages for that server, and some other interesting tools. There's a cmd.exe file, which doesn't match the size of the one in c:\winnt\system32, so it could be backdoored.

Boris writes:

Have you cross-checked this backdoor against the popular trojans (i.e. Sub7, Net Devil, BO2K, etc.)? If it's a Sub7 or Net-Devil trojan, and the attacker was stupid enough not to password-protect it, you may be able to track them down using the stored information.

As far as I know, UPX is a popular executable compression utility that comes with most versions of ND and is recommended by the Sub7 documentation. I'm unsure, however, as to the compression algorithm used by it (you said it appeared to be a RAR exec.).

cmd.exe sounds like a familiar file with trojans, but I can't seem to place it. I'm unable to access your sample of the backdoor due to access problems (client side, don't worry).

Beyond the over-the-counter trojans, this one looks like it's just there to leech files off your hard drive. Of course, there are also the unexplained tools. Good luck, you have me baffled.

-Boris, the invincible
satoshi_ishigura () hotmail com
boris () hentaiseeker com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
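A defender-side triage check for the kind of artifact described in this thread (a self-extracting RAR dropped as an .exe, possibly UPX-packed, next to a cmd.exe whose size differs from the system copy), written as an added example that is not part of the original posts. It parses PE section names, looks for the RAR archive marker embedded after an MZ stub, and compares a file's SHA-256 against a known-good hash; the sample PE it builds is constructed for the demonstration and is not loadable.

```python
import hashlib
import struct

# Common prefix of the RAR4 ("Rar!\x1a\x07\x00") and RAR5 ("Rar!\x1a\x07\x01\x00") markers.
RAR_SIG = b"Rar!\x1a\x07"
# Section names UPX leaves behind in a packed PE (a packer that renames sections evades this).
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}

def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not a PE file."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def triage(data, known_good_sha256=None):
    """Return a list of findings for one file's bytes."""
    findings = []
    if data[:2] == b"MZ" and RAR_SIG in data[0x40:]:     # RAR archive appended to a PE stub
        findings.append("sfx-rar")
    if UPX_SECTIONS & set(pe_section_names(data)):
        findings.append("upx-packed")
    if known_good_sha256 and sha256_hex(data) != known_good_sha256:
        findings.append("hash-mismatch")                  # e.g. cmd.exe differs from the baseline copy
    return findings

def build_sample_pe(section_names, trailer=b""):
    """Constructed, non-loadable PE skeleton used only to exercise the checks above."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + secs + trailer
```

In practice you would call `triage(open(path, "rb").read(), baseline_hash)` on the suspect file and on the system32 cmd.exe, with `baseline_hash` taken from a clean installation of the same service pack.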