Security Incidents mailing list archives
Re: Can anyone identify this backdoor?
From: "Mark Shirley" <cyberfrog () core5 net>
Date: Thu, 11 Jul 2002 02:33:59 -0400
Follow-up on those files: I found out more info from H-D (Hackers Digest) and some more investigation on my part.

info.com seems to be some sort of Win32 application that does some weird stuff. I managed to pull some Borland copyright stuff (assuming that is just the compiler he used), disk checking functions such as size, type of volume, etc., and finally some HTML which looks something like this (broken HTML for you HTML mail clients):

{TITLE}Execution Script{/TITLE}{/HEAD}{BODY} Server Information SERVER_SOFTWARE SERVER_PROTOCOL SERVER_NAME SERVER_PORT PATH_TRANSLATION etc...

With info.bat it seems to be outputting this data to a.html. It's possible that this simple program is trying to imitate the old DOS info prog, yet creates an HTML file instead that is used to get information about the web server.

There is a batch file called lol.bat that starts the copied FTP server (c:\recycler\iissrvs) using the LocalStart.cnf file for its defaults (password, username, port, etc.) along with some command-based arguments, deletes the log file that Serv-U creates when it starts, and then proceeds to run info.bat as mentioned above.

As far as the cmd.exe, I cannot personally tell if it is backdoored or not, but you can only assume it is.

hk.exe is a program that exploits a vulnerability in the Win32 API (LPC, Local Procedure Call) that can be used to get system level access.

net commands (net view, net share, net use, etc.)

nc.exe is basically Win32 netcat, which would be your back door into the system. It basically is a program that enables a user to initiate a telnet server/session on any desired port.

pskill.exe is simply a program that kills any desired process.

tlist.exe is just a program that will give you a list of running processes.

All it looks like to me is you got a trojan that basically creates a valid running FTP server and a telnet server which sits waiting for the person to log in and use the .exe's (nc, pskill, tlist, hk). Not amazingly intricate, but interesting.
Could this be a rootkit that I'm not familiar with? ... Perhaps a new one?

hk.exe: program that exploits a vulnerability in the Win32 API (LPC, Local Procedure Call) that can be used to get System Level access

----- Original Message -----
From: "Matt Andreko" <mandreko () ori net>
To: <incidents () securityfocus com>
Sent: Wednesday, July 10, 2002 5:58 PM
Subject: Can anyone identify this backdoor?
Apparently over the holiday, one of my client's machines was broken into. It was running Windows 2000 Pro with IIS installed (web server only, no FTP, SMTP, ...). Apparently the attacker got in through this. The logs show some Unicode in the requests, so I'd bet that's it.

A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I have studied it a little bit, and it seems quite interesting. It's actually a WinRAR self-executable file. Inside it contains what I believe is a stripped-down copy of the Serv-U FTP server, messages for that server, and some other interesting tools. There's a cmd.exe file, which doesn't match the size of the one in c:\winnt\system32, so it could be backdoored.

I was basically wondering if anyone had seen anything like it, or could identify it. I have put a copy up temporarily on my webserver at http://www.criminalsmostly.com/~mandreko/cc.zip

--------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
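Matt's original post attributes the break-in to Unicode in the IIS request logs. As an added example (not part of this thread, and not Matt's or Mark's code), the following Python script decodes IIS cs-uri-stem values the way a pre-patch IIS 4/5 effectively did and flags the two decoding tricks behind that class of traversal: the overlong UTF-8 forms of '/' and '\' addressed by MS00-078, and the superfluous second percent-decode addressed by MS01-026. The log lines are constructed for the example, the client addresses come from documentation ranges, and the field order assumes the default W3C extended layout shown in the #Fields header.

```python
"""Triage helper: spot IIS Unicode / double-decode traversal attempts in W3C logs."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample of IIS 5.0 W3C extended log lines (not taken from the thread).
# 192.0.2.x / 198.51.100.x are documentation ranges, not real hosts.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-04 03:12:01 192.0.2.10 GET /default.asp - 200
2002-07-04 03:12:05 192.0.2.10 GET /docs/report%202002.pdf - 200
2002-07-04 03:12:09 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\inetpub 200
2002-07-04 03:12:15 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\winnt 200
2002-07-04 03:13:40 192.0.2.10 GET /_vti_bin/..%c1%9c../winnt/system32/cmd.exe /c+dir+c:\recycler 200
2002-07-04 03:14:02 198.51.100.77 GET /images/logo.gif - 200
"""

# Overlong two-byte UTF-8 forms of '/' and '\' (MS00-078). A 0xC0 or 0xC1 lead byte
# is never valid UTF-8, so any occurrence is suspicious; these two are the forms
# most often seen and are mapped so the decoded path reads naturally.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

PCT = re.compile(rb"%[0-9a-fA-F]{2}")


def decode_iis_path(raw):
    """Decode cs-uri-stem roughly as a pre-patch IIS 4/5 ended up doing and
    report which tricks were needed. Returns (normalized_path, set_of_flags)."""
    flags = set()
    data = unquote_to_bytes(raw)          # the one decode IIS was supposed to do
    if PCT.search(data):                  # MS01-026: a second, superfluous decode
        flags.add("double-decode")
        data = unquote_to_bytes(data)
    if re.search(rb"[\xc0\xc1]", data):   # MS00-078: overlong UTF-8 decoded after the check
        flags.add("overlong-utf8")
        for seq, ch in OVERLONG.items():
            data = data.replace(seq, ch)
    path = data.decode("latin-1").replace("\\", "/")
    if "/../" in path or path.endswith("/.."):
        flags.add("traversal")
    if "cmd.exe" in path.lower():
        flags.add("cmd.exe")
    return path, flags


def scan_log(log_text):
    """Return one finding per request that needed a decoding trick or escapes the web root."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, c_ip, method, stem, query, status = parts[:7]
        path, flags = decode_iis_path(stem)
        if flags & {"traversal", "overlong-utf8", "double-decode"}:
            findings.append({
                "time": f"{date} {time}",
                "c_ip": c_ip,
                "decoded": path,
                "query": query.replace("+", " "),
                "status": status,
                "flags": sorted(flags),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['c_ip']} {f['decoded']} {f['query']!r} "
              f"sc-status={f['status']} [{', '.join(f['flags'])}]")
```

The benign percent-encoded request (report%202002.pdf) decodes cleanly and is not reported, while the three traversal lines all normalize to the same path under winnt\system32, which is the point: grep for "cmd.exe" alone misses nothing here, but a filter that decodes only once misses the %255c variant entirely.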
Current thread:
- Can anyone identify this backdoor? Matt Andreko (Jul 10)
- Re: Can anyone identify this backdoor? David Jacoby (Jul 11)
- Re: Can anyone identify this backdoor? Ryan Russell (Jul 11)
- RE: Can anyone identify this backdoor? Matt Andreko (Jul 11)
- Re: Can anyone identify this backdoor? Matt Scarborough (Jul 12)
- Re: Can anyone identify this backdoor? shawn merdinger (Jul 11)
- RE: Can anyone identify this backdoor? Erick Arturo Perez Huemer (Jul 11)
- RE: Can anyone identify this backdoor? Richard Bartlett (Jul 11)
- RE: Can anyone identify this backdoor? Ian Webb (Jul 22)
- Re: Can anyone identify this backdoor? Mark Shirley (Jul 12)
- <Possible follow-ups>
- Re: Can anyone identify this backdoor? Jhon Q Doe (Jul 11)
- Re: Can anyone identify this backdoor? David Jacoby (Jul 11)
- Re: Can anyone identify this backdoor? David Jacoby (Jul 11)