Security Incidents mailing list archives

RE: forcdos.exe = serv-u....


From: "Ross Lettau" <r.lettau () uws edu au>
Date: Wed, 10 Dec 2003 10:22:57 +1100

Hi Craig,

Another point to make: when you showed the directory listing, did you
see that the files you mentioned had roughly the same time/date stamp?

e.g.

08/12/2003  15:36                3,140 Rhododenron.bmp
08/12/2003  15:37                  913 Santa Fe Stucco.bmp

I had one case recently where the hackers used a rootkit; the reason I
knew this was that the files/directories were created at the same
date/time.

If you ever have a case like this again, it can sometimes help searching
with Windows search for files that were created/modified at the same
date/time. I have previously picked up a lot more information (log
files, chats) using this method....

Just a suggestion.

____________________________________________

Ross Lettau

IT Security Administrator
Information Technology Directorate
University of Western Sydney

Email : r.lettau () uws edu au 



-----Original Message-----
From: Craig Broad [mailto:craig () broadband-computers com] 
Sent: Tuesday, 9 December 2003 8:57 AM
To: forensics () securityfocus com; incidents () securityfocus com
Subject: forcdos.exe = serv-u....


Hi All,

Many thanks for all who responded!!

The files have now been accessed and removed.

In the end, knowing the path, we set up an ftp server on the box, with
the root directory one level up from the com1 directory.  Only one file
was visible, which was Santa Fe Stucco.bmp.  Knowing there was at least
one called forcdos.exe, this too was pulled, also another called
Rhododenron.bmp (note spelling).  The Santa..file turned out to be a
serv-u log file, which produced the names of 2 dll files;
Rhododenron.bmp turned out to be a serv-u .ini file, which gave the
warez group responsible, it defaulted to the 2 given ports (in
Rhododenron.bmp/serv-u/.ini), and gave a user list.

The files base itself was in the old friend the recycler bin.

Also, a second method to retrieve the files (cheers Axel) I later found
out was to simply use CMD!  cd straight into the directory under the
com1 dir, and if needed attrib -h and copy to another directory.  (easy
when you know how, hi)

file directory output:

08/12/2003  21:51       <DIR>          .
08/12/2003  21:51       <DIR>          ..
27/10/2003  00:43                   91 beldir.dll
27/10/2003  00:43                  772 belsnof.vxd
27/10/2003  00:43                1,709 belsnon.vxd
27/10/2003  00:43               24,096 crc.exe
27/10/2003  00:44               35,840 kill.exe
27/10/2003  00:45              675,840 libeay32.dll
27/10/2003  00:45               34,304 pulist.exe
27/10/2003  00:45                  316 reg.reg
08/12/2003  15:36                3,140 Rhododenron.bmp
08/12/2003  15:37                  913 Santa Fe Stucco.bmp
27/10/2003  00:45              151,552 ssleay32.dll
27/10/2003  00:45               36,864 tzolibr.dll
27/10/2003  00:45               32,768 uptime.exe
27/10/2003  00:45               50,688 vasrtc.dll
27/10/2003  00:45                   99 vasrtc.ini
27/10/2003  00:45               57,856 vbsrtc.dll
27/10/2003  00:45                  105 vbsrtc.ini
              18 File(s)      1,106,953 bytes

anyhow.......

again many thanks to all who helped.

All files are available upon request.




-----------
Craig Broad

