Security Incidents mailing list archives
Re: Trojan of somesort
From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 25 May 2004 20:02:45 -0500
--On Monday, May 24, 2004 8:30 AM +0000 Bob the Builder <builder173 () hotmail com> wrote:

> Hi, I am currently doing an investigation into a compromised system. Before pulling the plug I netcatted to a suspicious open port and received the following banner:
>
> 220 SiGN - FR33-FXP3rs - On Da FUcKiNG C@S£!!!
>
> I am presuming this to be the welcome banner for a trojan horse of some sort. Has anybody seen this before or does anybody know anything about it or what Trojan this might be?

Looks like taggers to me. Run an antivirus program against it, looking for all files, heuristics, the whole enchilada. I'll bet you'll find ServU-FTP. Also, look in the Recycled folders on any hard drives on the machine. (Not the recycle bin, the actual directory on the hard drive, which is hidden by default.) Look in %system32%\drivers. Search for all files created in the past x days (based on when you think it was compromised.)

Search for all *.ini files and open any strange ones or ones that were created recently.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
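The sweep described in the reply above, as an added PowerShell example that is not part of the original thread. The function name `Find-File`, the parameters and the 14-day default are assumptions for illustration, as are the `RECYCLER` and `$Recycle.Bin` folder names, which are the NTFS and later-Windows equivalents of the `Recycled` folder the reply mentions.

```powershell
# Added example (not from the thread): list what sits in the hidden recycle
# folders and System32\drivers, every *.ini file, and all recently created files.
param(
    [string]$Root     = 'C:\',                                   # volume to examine (assumption)
    [string]$System32 = (Join-Path $env:SystemRoot 'System32'),  # the reply's %system32%
    [int]   $Days     = 14                                       # the reply's "x days" (assumption)
)

$cutoff = (Get-Date).AddDays(-$Days)

function Find-File {
    param(
        [string]$Path,
        [string]$Filter,
        [datetime]$Since,
        [string]$Check,
        [switch]$RecentOnly
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # -Force makes hidden and system items visible; the recycle folders are both.
    Get-ChildItem -LiteralPath $Path -Filter $Filter -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { -not $RecentOnly -or $_.CreationTime -ge $Since } |
        Select-Object @{ n = 'Check';  e = { $Check } },
                      @{ n = 'Recent'; e = { $_.CreationTime -ge $Since } },
                      CreationTime, Length, Attributes, FullName
}

$results = @(
    # Everything inside the on-disk recycle directories, recent or not.
    foreach ($name in 'Recycled', 'RECYCLER', '$Recycle.Bin') {
        Find-File -Path (Join-Path $Root $name) -Filter '*' -Since $cutoff -Check 'recycle-folder'
    }
    # Everything in the drivers directory, with recent files flagged.
    Find-File -Path (Join-Path $System32 'drivers') -Filter '*' -Since $cutoff -Check 'drivers'
    # Every *.ini on the volume; the Recent column marks the ones to open first.
    Find-File -Path $Root -Filter '*.ini' -Since $cutoff -Check 'ini'
    # Any file created inside the suspected compromise window.
    Find-File -Path $Root -Filter '*' -Since $cutoff -Check 'recent-file' -RecentOnly
)

$results | Sort-Object CreationTime | Format-Table -AutoSize -Wrap
```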