Security Incidents mailing list archives
RE: forcdos.exe = serv-u....
From: "Ross Lettau" <r.lettau () uws edu au>
Date: Wed, 10 Dec 2003 10:22:57 +1100
Hi Craig,

Another point to make: when you showed the directory listing, did you see that the files you mentioned had roughly the same time/date stamp, e.g.

08/12/2003 15:36 3,140 Rhododenron.bmp
08/12/2003 15:37 913 Santa Fe Stucco.bmp

I had one case recently where the hackers used a rootkit; the reason I knew this was that the files/directories were created at the same date/time. If you ever have a case like this again, it can sometimes help to search with Windows Search for files that were created/modified at the same date/time. I have previously picked up a lot more information (log files, chats) using this method.... Just a suggestion.

____________________________________________
Ross Lettau
IT Security Administrator
Information Technology Directorate
University of Western Sydney
Email : r.lettau () uws edu au

-----Original Message-----
From: Craig Broad [mailto:craig () broadband-computers com]
Sent: Tuesday, 9 December 2003 8:57 AM
To: forensics () securityfocus com; incidents () securityfocus com
Subject: forcdos.exe = serv-u....

Hi All,

Many thanks to all who responded!!

The files have now been accessed and removed. In the end, knowing the path, we set up an FTP server on the box, with the root directory one level up from the com1 directory. Only one file was visible, which was Santa Fe Stucco.bmp. Knowing there was at least one called forcdos.exe, this too was pulled, as was another called Rhododenron.bmp (note spelling). The Santa... file turned out to be a Serv-U log file, which produced the names of 2 dll files. Rhododenron.bmp turned out to be a Serv-U .ini file, which gave the warez group responsible; it defaulted to the 2 given ports (in Rhododenron.bmp/serv-u/.ini), and gave a user list. The files' base itself was in the old friend the recycler bin.

Also a second method to retrieve the files (cheers Axel), I later found out, was to simply use CMD! cd straight into the directory under the com1 dir, and if needed attrib -h and copy to another directory. (Easy when you know how, hi)

File directory output:

08/12/2003 21:51 <DIR> .
08/12/2003 21:51 <DIR> ..
27/10/2003 00:43 91 beldir.dll
27/10/2003 00:43 772 belsnof.vxd
27/10/2003 00:43 1,709 belsnon.vxd
27/10/2003 00:43 24,096 crc.exe
27/10/2003 00:44 35,840 kill.exe
27/10/2003 00:45 675,840 libeay32.dll
27/10/2003 00:45 34,304 pulist.exe
27/10/2003 00:45 316 reg.reg
08/12/2003 15:36 3,140 Rhododenron.bmp
08/12/2003 15:37 913 Santa Fe Stucco.bmp
27/10/2003 00:45 151,552 ssleay32.dll
27/10/2003 00:45 36,864 tzolibr.dll
27/10/2003 00:45 32,768 uptime.exe
27/10/2003 00:45 50,688 vasrtc.dll
27/10/2003 00:45 99 vasrtc.ini
27/10/2003 00:45 57,856 vbsrtc.dll
27/10/2003 00:45 105 vbsrtc.ini
18 File(s) 1,106,953 bytes

Anyhow....... again many thanks to all who helped. All files are available upon request.

-----------
Craig Broad
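Ross's timestamp suggestion, worked through as an added example that is not part of the original thread: the script below parses a Windows `dir` listing (the one copied from Craig's message), groups files whose timestamps fall within a few minutes of each other, and can then walk a live file system for anything else modified or created in the same window. The 5-minute tolerance and the function names are assumptions made for this example, not anything the posters used.

```python
"""Find files that share a timestamp: offline from a `dir` listing, or live on a tree.

Added example, not code from the thread. Ross's suggestion was to search the box
for files created/modified at the same date/time as the ones already found.
parse_dir_listing() and cluster_by_time() do that over a posted `dir` listing
(LISTING is copied from Craig's message); find_files_near() does it on a live
file system with os.walk(). WINDOW_MINUTES is an assumed tolerance.
"""
import os
import re
from datetime import datetime, timedelta

WINDOW_MINUTES = 5  # assumption: files dropped in one session land within a few minutes

# One `dir` entry: DD/MM/YYYY HH:MM  (<DIR> | size with thousands separators)  name
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

LISTING = """\
08/12/2003 21:51 <DIR> .
08/12/2003 21:51 <DIR> ..
27/10/2003 00:43 91 beldir.dll
27/10/2003 00:43 772 belsnof.vxd
27/10/2003 00:43 1,709 belsnon.vxd
27/10/2003 00:43 24,096 crc.exe
27/10/2003 00:44 35,840 kill.exe
27/10/2003 00:45 675,840 libeay32.dll
27/10/2003 00:45 34,304 pulist.exe
27/10/2003 00:45 316 reg.reg
08/12/2003 15:36 3,140 Rhododenron.bmp
08/12/2003 15:37 913 Santa Fe Stucco.bmp
27/10/2003 00:45 151,552 ssleay32.dll
27/10/2003 00:45 36,864 tzolibr.dll
27/10/2003 00:45 32,768 uptime.exe
27/10/2003 00:45 50,688 vasrtc.dll
27/10/2003 00:45 99 vasrtc.ini
27/10/2003 00:45 57,856 vbsrtc.dll
27/10/2003 00:45 105 vbsrtc.ini
18 File(s) 1,106,953 bytes
"""


def parse_dir_listing(text):
    """Return [(datetime, size, name)] for file rows; <DIR> rows and the totals line are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue  # blank lines and the "N File(s) ... bytes" summary
        date, clock, size, name = m.groups()
        if size == "<DIR>":
            continue
        stamp = datetime.strptime(f"{date} {clock}", "%d/%m/%Y %H:%M")
        entries.append((stamp, int(size.replace(",", "")), name))
    return entries


def cluster_by_time(entries, window_minutes=WINDOW_MINUTES):
    """Sort by timestamp; start a new cluster whenever the gap to the previous entry exceeds the window."""
    window = timedelta(minutes=window_minutes)
    clusters = []
    for entry in sorted(entries):
        if clusters and entry[0] - clusters[-1][-1][0] <= window:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


def report(clusters):
    """One summary line per cluster: first..last timestamp, file count, names."""
    lines = []
    for group in clusters:
        first, last = group[0][0], group[-1][0]
        names = ", ".join(name for _, _, name in group)
        lines.append(f"{first:%d/%m/%Y %H:%M}..{last:%H:%M}  {len(group)} file(s): {names}")
    return lines


def find_files_near(root, anchor, window_minutes=WINDOW_MINUTES):
    """Walk `root`; return paths whose mtime or ctime lies within the window around `anchor`.

    st_ctime is creation time on Windows but inode-change time on POSIX, so on a
    Linux analysis box only st_mtime really answers "created/modified when".
    """
    window = timedelta(minutes=window_minutes).total_seconds()
    target = anchor.timestamp()
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable, or gone between listing and stat
            if any(abs(t - target) <= window for t in (st.st_mtime, st.st_ctime)):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for line in report(cluster_by_time(parse_dir_listing(LISTING))):
        print(line)
```

On Craig's listing this separates the 27/10/2003 00:43..00:45 toolkit drop (15 files) from the two 08/12/2003 15:36..15:37 files that turned out to be the Serv-U log and .ini; feeding either cluster's timestamp to find_files_near() on the affected volume is the programmatic form of the Windows Search Ross describes.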
Current thread:
- forcdos.exe = serv-u.... Craig Broad (Dec 08)
- RE: forcdos.exe = serv-u.... Ross Lettau (Dec 09)
- RE: forcdos.exe = serv-u.... Mortis (Dec 09)