Security Incidents mailing list archives

RE: strange ftp site


From: Andre Ludwig <ALudwig () Calfingroup com>
Date: Thu, 30 Oct 2003 13:15:11 -0800

Here are some quick prelim results of running strings against the exe file.


Maybe if we can email this Eric guy we can ask him ;)

strings results for msgtst
Please e-mail Eric if you see this
Testing
CorExitProcess
mscoree.dll
Microsoft Visual C++ Runtime Library
Program: 
<program name unknown>
A buffer overrun has been detected which has corrupted the program's
internal state.  The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program's internal state.  The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
runtime error 
TLOSS error
SING error
DOMAIN error
R6029
- This application cannot run using the active version of the Microsoft .NET
Runtime
Please contact the application's support team for more information.
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual
way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Runtime Error!
Program: 
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
RSDS
c:\Work\Dev\msgtst\msgtst\Release\msgtst.pdb
UpdateWindow
ShowWindow
CreateWindowExA
EndDialog
PostQuitMessage
EndPaint
BeginPaint
DialogBoxParamA
DestroyWindow
DefWindowProcA
RegisterClassExA
LoadCursorA
LoadIconA
MessageBoxA
LoadAcceleratorsA
LoadStringA
USER32.dll
ExitProcess
GetProcAddress
GetModuleHandleA
TerminateProcess
GetCurrentProcess
GetStartupInfoA
GetCommandLineA
GetVersionExA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
GetModuleFileNameA
WriteFile
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapFree
LoadLibraryA
RtlUnwind
InterlockedExchange
VirtualQuery
HeapReAlloc
HeapAlloc
HeapSize
GetACP
GetOEMCP
GetCPInfo
VirtualAlloc
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
VirtualProtect
GetSystemInfo
KERNEL32.dll

Andre Ludwig
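The listing above is raw `strings` output; the useful part is what it tells you about the binary (imported DLLs, the PDB path from the author's build tree, and the Win32 imports that show what the program can do). The script below is an added example, not Andre's or anyone else's code from this thread: it pulls printable runs from bytes the way `strings` does (plus UTF-16LE runs, which plain `strings` misses) and buckets them for triage. The CamelCase import heuristic and the capability table are my own assumptions, and the sample bytes are constructed to echo fragments of the msgtst listing.

```python
import re

# Heuristic (an assumption, not a rule): Win32 imports look like CamelCase
# with at least two capitals, e.g. MessageBoxA, WriteFile, CreateWindowExA.
API_RE = re.compile(r"^(?=.*[a-z])[A-Z][a-z0-9]*(?:[A-Z][A-Za-z0-9]*)+$")
DLL_RE = re.compile(r"\.dll$", re.IGNORECASE)
PDB_RE = re.compile(r"\.pdb$", re.IGNORECASE)

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs (what `strings` prints) plus UTF-16LE runs,
    which plain `strings` skips and Windows binaries use heavily."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    found += [m.group().decode("utf-16-le") for m in re.finditer(wide_re, data)]
    return found

def triage(strs: list) -> dict:
    """Bucket strings into what a responder reads first: imported DLLs, the
    debug-symbol path (leaks the author's build tree), probable API imports
    (what the program is able to do) and human-readable messages."""
    out = {"dlls": set(), "pdb": [], "apis": [], "messages": [], "other": []}
    for s in (x.strip() for x in strs):
        if DLL_RE.search(s):
            out["dlls"].add(s.lower())
        elif PDB_RE.search(s):
            out["pdb"].append(s)
        elif API_RE.match(s):
            out["apis"].append(s)
        elif " " in s:
            out["messages"].append(s)
        else:
            out["other"].append(s)
    out["dlls"] = sorted(out["dlls"])
    return out

# Constructed subset: a few well-known imports mapped to coarse capabilities.
CAPABILITIES = {
    "MessageBoxA": "shows a dialog box",
    "CreateWindowExA": "creates a window (GUI program)",
    "WriteFile": "writes to a file or handle",
    "LoadLibraryA": "loads DLLs at run time",
    "GetProcAddress": "resolves functions at run time",
    "VirtualProtect": "changes memory protection",
}

def capability_hints(report: dict) -> list:
    return sorted({CAPABILITIES[a] for a in report["apis"] if a in CAPABILITIES})

# Constructed sample bytes echoing fragments of the msgtst listing in the thread.
SAMPLE = (b"\x00\x00Please e-mail Eric if you see this\x00Testing\x00MessageBoxA\x00"
          b"user32.dll\x00RSDS\x00c:\\Work\\Dev\\msgtst\\msgtst\\Release\\msgtst.pdb\x00"
          b"CreateWindowExA\x00WriteFile\x00KERNEL32.dll\x00\x01\x02"
          + "Wide".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    report = triage(extract_strings(SAMPLE))
    for key in ("dlls", "pdb", "apis", "messages"):
        print(key, report[key])
    print("capabilities", capability_hints(report))
```

Run it against a real file with `triage(extract_strings(open(path, "rb").read()))`; the "apis" and "dlls" buckets are the first thing to compare against what the program claims to be.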

-----Original Message-----
From: David E. Mollico Jr [mailto:dmollico () MOLLICO com]
Sent: Thursday, October 30, 2003 8:25 AM
To: info hunter; incidents () securityfocus com
Subject: RE: strange ftp site


I would stay very far away from this website. It looks like those DLLs
have interaction with the kernel file. I'd build a test computer and run
it on there to see what it will do.

-----Original Message-----
From: info hunter [mailto:sp3ct0r () yahoo com] 
Sent: Thursday, October 30, 2003 9:24 AM
To: incidents () securityfocus com
Subject: strange ftp site



Excuse my ignorance, but I need some help here.

Anyone know anything about this ftp site ftp://66.159.219.196 ?

Noticed a firewall log showing a system hitting this address. There
seems to be an exe and some DLLs. When running the exe a dialog
box named test pops up and displays the text "if you can see this, email
eric".

Sam Spade showed a badly configured DNS. Would appreciate any input on
this. It may be completely benign or maybe even just legit. Just seems
strange, or I may be just paranoid.

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
---------------------------------------------------------------------------