Security Incidents mailing list archives
Win2K Advaned Server compromise report available
From: Curt Wilson <netw3 () premis lod com>
Date: 17 Sep 2002 15:24:23 -0000
Several weeks ago I left a msg about a compromise of a Win2K Advanced Server system. The system was attacked by Chinese (and other) attackers. I've written up a document on this incident and include links to some of the tools that were found on the server. The documents can be found at the Netw3 Security Research web site at http://www.netw3.com. The most recent HTML document in the reading room is what you will want to view, as it has links to the attacker tools that were found, or you can view the document directly at http://www.netw3.com/documents/win2k_attack_chinese.htm PipeCmdSrv.exe was found on the system, which is the server side component of PipeCmd.exe, which runs with NtCmd.exe on the attacking client. PipeCmd.exe comes in the Fluxay attack toolkit (which has also been called an auto-rooter), but PipeCmdSrv.exe does not appear to be publicly available from what I have seen so far. A translated link from a Chinese hacker web site is included in the report that discusses the use of the PipeCmd.exe and PipeCmdSrv.exe tools. I was somewhat suprised to find no reference to these tools on the usual array of security sites (packetstorm, etc.) but I suppose one can't account for everything out there. Antivirus companies and other malware detectors may want to obtain the PipeCmd tools from the Netw3.com site and generate product signatures. Curt Wilson Netw3 Security Research netw3 () netw3 com (my normal mailbox at premis.lod.com appears to be down) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Win2K Advaned Server compromise report available Curt Wilson (Sep 17)