Security Incidents mailing list archives

Re: Trojan of somesort


From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 25 May 2004 20:02:45 -0500

--On Monday, May 24, 2004 8:30 AM +0000 Bob the Builder <builder173 () hotmail com> wrote:

Hi,
I am currently doing an investigation into a compromised system. Before
pulling the plug I netcatted to a suspicious open port and received the
following banner: 220 SiGN - FR33-FXP3rs - On Da FUcKiNG C@S£!!!
I am presuming this to be the welcome banner for a trojan horse of some
sort. Has anybody seen this before or does anybody know anything about it
or what Trojan this might be?

Looks like taggers to me. Run an antivirus program against it, looking for all files, heuristics, the whole enchilada. I'll bet you'll find ServU-FTP. Also, look in the Recycled folders on any hard drives on the machine. (Not the recycle bin, the actual directory on the hard drive, which is hidden by default.) Look in %system32%\drivers. Search for all files created in the past x days (based on when you think it was compromised).

Search for all *.ini files and open any strange ones or ones that were created recently.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
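The filesystem checks from the reply above (recently created files, *.ini files, anything under a Recycled or drivers directory), as an added example that is not part of the original post. It walks a mounted copy of the suspect drive; the sample tree, the file names and the ServU-style .ini name are constructed for the demonstration. It keys on mtime for portability; on a Windows host use st_ctime, which is the creation time there.

```python
import os
import time
import tempfile
from pathlib import Path

# Directory names the reply singles out as worth a look (matched case-insensitively).
SUSPECT_DIRS = ("recycled", "recycler", "drivers")


def triage(root, days, now=None):
    """Walk `root` (a mounted image or drive) and bucket files by the three checks."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = {"recent": [], "ini": [], "suspect_dir": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel_parts = path.relative_to(root).parts
        rel = "/".join(rel_parts)
        st = path.stat()
        if st.st_mtime >= cutoff:               # touched within the window
            hits["recent"].append(rel)
        if path.suffix.lower() == ".ini":       # "search for all *.ini files"
            hits["ini"].append(rel)
        # Any parent directory named Recycled/Recycler/drivers, at any depth.
        if any(p.lower() in SUSPECT_DIRS for p in rel_parts[:-1]):
            hits["suspect_dir"].append(rel)
    for key in hits:
        hits[key].sort()
    return hits


def build_sample_tree():
    """Constructed sample tree standing in for the compromised drive (assumption)."""
    root = tempfile.mkdtemp()
    old, new = time.time() - 30 * 86400, time.time()
    files = {
        "WINDOWS/system32/drivers/etc/hosts": old,
        "WINDOWS/system32/drivers/svc.exe": new,     # fresh file in drivers
        "Recycled/S-1-5-21/serv-u.ini": new,         # staging under hidden Recycled
        "WINDOWS/win.ini": old,
        "Program Files/readme.txt": old,
    }
    for rel, mtime in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("x")
        os.utime(p, (mtime, mtime))
    return root
```

Running `triage(build_sample_tree(), 7)` flags the two new files, both .ini files, and everything beneath drivers and Recycled, so the same file can appear in more than one bucket.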

