Security Incidents mailing list archives
RE: strange ftp site
From: Andre Ludwig <ALudwig () Calfingroup com>
Date: Thu, 30 Oct 2003 13:15:11 -0800
Here are some quick prelim results of running strings against the exe file.
Maybe if we can email this Eric guy we can ask him ;)

strings results for msgtst

Please e-mail Eric if you see this
Testing
CorExitProcess
mscoree.dll
Microsoft Visual C++ Runtime Library
Program: <program name unknown>
A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
Unknown security failure detected!
runtime error
TLOSS error
SING error
DOMAIN error
R6029 - This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
R6028 - unable to initialize heap
R6027 - not enough space for lowio initialization
R6026 - not enough space for stdio initialization
R6025 - pure virtual function call
R6024 - not enough space for _onexit/atexit table
R6019 - unable to open console device
R6018 - unexpected heap error
R6017 - unexpected multithread lock error
R6016 - not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.
R6009 - not enough space for environment
R6008 - not enough space for arguments
R6002 - floating point not loaded
Runtime Error!
Program:
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
RSDS
c:\Work\Dev\msgtst\msgtst\Release\msgtst.pdb
UpdateWindow
ShowWindow
CreateWindowExA
EndDialog
PostQuitMessage
EndPaint
BeginPaint
DialogBoxParamA
DestroyWindow
DefWindowProcA
RegisterClassExA
LoadCursorA
LoadIconA
MessageBoxA
LoadAcceleratorsA
LoadStringA
USER32.dll
ExitProcess
GetProcAddress
GetModuleHandleA
TerminateProcess
GetCurrentProcess
GetStartupInfoA
GetCommandLineA
GetVersionExA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
GetModuleFileNameA
WriteFile
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapFree
LoadLibraryA
RtlUnwind
InterlockedExchange
VirtualQuery
HeapReAlloc
HeapAlloc
HeapSize
GetACP
GetOEMCP
GetCPInfo
VirtualAlloc
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
VirtualProtect
GetSystemInfo
KERNEL32.dll

Andre Ludwig

-----Original Message-----
From: David E. Mollico Jr [mailto:dmollico () MOLLICO com]
Sent: Thursday, October 30, 2003 8:25 AM
To: info hunter; incidents () securityfocus com
Subject: RE: strange ftp site

I would stay very far away from this website. It looks like those dll's have interaction with the kernel file. I'd build a test computer and run it on there to see what it will do.

-----Original Message-----
From: info hunter [mailto:sp3ct0r () yahoo com]
Sent: Thursday, October 30, 2003 9:24 AM
To: incidents () securityfocus com
Subject: strange ftp site

Excuse my ignorance but need some help here. Anyone know anything about this ftp site
ftp://66.159.219.196
Noticed a firewall log showing a system hitting this address. There seems to be an exe and some dll's.
When running the exe a dialog box named test pops up and displays the text "if you can see this, email eric". Sam Spade showed a badly configured dns. Would appreciate any input on this. It may be completely benign or maybe even just legit. Just seems strange or I may be just paranoid.
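An added example, not part of the original thread: a small triage pass over strings output like the listing above, separating MSVC C runtime messages, import names grouped by DLL, and debug-path records from the few strings specific to the program. The helper name `triage`, the regexes, and the rule that API names precede their DLL name are assumptions made for this illustration.

```python
import re

# Constructed sample: a subset of the strings output quoted in the message above.
SAMPLE = r"""Please e-mail Eric if you see this
Testing
CorExitProcess
mscoree.dll
Microsoft Visual C++ Runtime Library
Buffer overrun detected!
R6028 - unable to initialize heap
GetActiveWindow
MessageBoxA
user32.dll
RSDS
c:\Work\Dev\msgtst\msgtst\Release\msgtst.pdb
CreateWindowExA
MessageBoxA
USER32.dll
ExitProcess
VirtualProtect
KERNEL32.dll"""

# Assumed heuristics (not from the thread): MSVC CRT text and API-style names.
CRT_RE = re.compile(r"^R6\d{3}\b|Runtime Library|runtime error|overrun detected"
                    r"|security failure|^(TLOSS|SING|DOMAIN) error", re.I)
API_RE = re.compile(r"^[A-Za-z_]\w*$")

def triage(strings_output):
    """Bucket each string as app-specific, CRT message, debug record or import."""
    out = {"app": [], "crt": [], "debug": [], "imports": {}}
    pending = []  # API-looking names not yet tied to a DLL name
    for line in (l.strip() for l in strings_output.splitlines()):
        if not line:
            continue
        if line == "RSDS" or line.lower().endswith(".pdb"):
            out["debug"].append(line)   # CodeView signature and PDB build path
        elif line.lower().endswith(".dll"):
            names = out["imports"].setdefault(line.lower(), [])
            names.extend(n for n in pending if n not in names)
            pending = []
        elif CRT_RE.search(line):
            out["crt"].append(line)     # compiler runtime text, not author-written
        elif API_RE.match(line) and sum(c.isupper() for c in line) >= 2:
            pending.append(line)
        else:
            out["app"].append(line)     # what remains is worth reading first
    out["app"].extend(pending)          # identifiers with no DLL name after them
    return out
```

On the constructed sample, the `app` bucket holds only the dialog text and "Testing", and the `debug` bucket holds the PDB build path.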
Current thread:
- strange ftp site info hunter (Oct 30)
- <Possible follow-ups>
- RE: strange ftp site David E. Mollico Jr (Oct 30)
- Re: strange ftp site info hunter (Oct 31)
- RE: strange ftp site Andre Ludwig (Oct 31)