Security Incidents mailing list archives
Re: Can anyone identify this backdoor?
From: shawn merdinger <shawnmer () io com>
Date: Thu, 11 Jul 2002 03:06:51 -0500 (CDT)
Running strings on the file shows some interesting stuff. : 1. Executables: recycler\iissrvs.exe recycler\nc.exe info.exe recycler\CMD.EXE recycler\hk.exe recycler\JAsfv.exe recycler\tlist.exe 2. Files: recycler\Localstart.cnf recycler\iisl.dll recycler\JAsfv.ini recycler\JAsfv.dll 3. Commands?: recycler\iis.dll- [ Espace Libre: %Dfree Mo ] - [ BP: %ServerKBps Kb/sec ] Also, how were you able to conduct analysis on this executable? What tools did you use? Do you have any resource suggestions for learning how to do this type of analysis? Thanks, -scm MA:Matt Andreko MA>Apparently over the holiday, one of my client's machines was broken MA>into. It was running Windows 2000 Pro, with IIS installed (webserver MA>only, no ftp,smtp..) Apparently the attacker got in through this. The MA>logs show some Unicode in the requests, so I'd bet that's it. MA> MA>A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I MA>have studied it a little bit, and it seems quite interesting. It's MA>actually a winrar self-executable file. Inside contains what I believe MA>a stripped down copy of serv-u ftp server, messages for that server, and MA>some other interesting tools. There's a cmd.exe file, which doesn't MA>match the size of the one in c:\winnt\system32, so it could be MA>backdoored. MA> MA>I was basically wondering if anyone had seen anything like it, or could MA>identify it. I have put a copy up temporarily on my webserver at MA>http://www.criminalsmostly.com/~mandreko/cc.zip MA> MA> MA> MA> MA> MA> MA> MA> MA>---------------------------------------------------------------------------- MA>This list is provided by the SecurityFocus ARIS analyzer service. MA>For more information on this free incident handling, management MA>and tracking system please see: http://aris.securityfocus.com MA> ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Can anyone identify this backdoor? Matt Andreko (Jul 10)
- Re: Can anyone identify this backdoor? David Jacoby (Jul 11)
- Re: Can anyone identify this backdoor? Ryan Russell (Jul 11)
- RE: Can anyone identify this backdoor? Matt Andreko (Jul 11)
- Re: Can anyone identify this backdoor? Matt Scarborough (Jul 12)
- Re: Can anyone identify this backdoor? shawn merdinger (Jul 11)
- RE: Can anyone identify this backdoor? Erick Arturo Perez Huemer (Jul 11)
- RE: Can anyone identify this backdoor? Richard Bartlett (Jul 11)
- RE: Can anyone identify this backdoor? Ian Webb (Jul 22)
- Re: Can anyone identify this backdoor? Mark Shirley (Jul 12)
- <Possible follow-ups>
- Re: Can anyone identify this backdoor? Jhon Q Doe (Jul 11)
- Re: Can anyone identify this backdoor? David Jacoby (Jul 11)
- Re: Can anyone identify this backdoor? David Jacoby (Jul 11)