Security Basics mailing list archives
RE: forcdos.exe, msagent directory, DOS or warez??
From: "sean" <sean () security homeunix org>
Date: Mon, 8 Dec 2003 15:46:07 -0800
This is a trick used by warez kiddies as well.. you can access these directories from an ftp client such as FlashFXP etc etc..

http://madchat.org/netadm/unix.seku/dirbreak.htm  (How to break locked directories)
http://members.chello.nl/s.pechler/Backdoor_stealth_proxy_server.htm

Here is what I have done to get around this problem before:

1. Install Serv-U or something of that sort (most likely the program that is causing the problem is Serv-U anyways) and set up a user with the home dir pointing to C:\winnt\system32\msagent\local\ and then in the ftp client rename the com1 directory to something else.

2. Once that is done, try to open in notepad the Rhododendron.bmp file, as it is most likely a .ini file for the server. If the rename in the FTP client doesn't work, go to step 3.

3. Use Win32 GNU Unix tools like mvdir.exe to move the directory to one that you are capable of browsing to in Explorer. They can be found here: http://unxutils.sourceforge.net/

Of course you will have to kill the processes that are tied to this directory or you most likely will get an error. Kill.exe or pskill can be very helpful for this. Some of the "kits" I have seen lately monitor the dirs and replace them and the .exe's immediately after removing them, as well as monitoring the child processes and respawning them when you kill them. But with any luck you probably can get rid of it.

Gl HTH
Sean

-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger () badenit de]
Sent: Monday, December 08, 2003 6:25 AM
To: 'craig () broadband-computers com'; security-basics () securityfocus com
Subject: RE: forcdos.exe, msagent directory, DOS or warez??

PS: here is a thread about it: http://hiveminds.info/phpBB/viewtopic.php?t=1803&postdays=0&postorder=asc&start=0&sid=fe36e424a21547d6c7e8fd13eb1ff704

I understand now about not being able to access the machine. The only thing that occurs to me directly to access the file would be to boot into Linux, which would be very difficult considering you have no local access.

Chris Meidinger

-----Original Message-----
From: Craig Broad [mailto:craig () broadband-computers com]
Sent: Friday, December 05, 2003 12:53 AM
To: security-basics () securityfocus com
Subject: forcdos.exe, msagent directory, DOS or warez??

Hi all,

On a box recently moved to a managed network rack (GX networks), over the last 2 weeks we have noticed strange behaviour. One of the boxes on the subnet has been maxing out the link's bandwidth; on further investigation, massive activity was found on ports 63501, 63502, 1734 and other high-range ports. The behaviour was at least 8 hours of fully limiting output, and then up to 8 hours of normal level operation and then a return to full output. At least every 3 cycles, there would be an upload to the server at a limit of about 512kbps.

Using a sniffer (netprobe) the ports were identified, and using fport these were all linked to an executable called forcdos.exe. I have searched all search engines, and have seen not one single link, so I'm assuming it's something else renamed. The file has been placed in the C:\winnt\system32\msagent\local\com1\server directory. We are assuming at this time it has come in via some SQL exploit. It looks as if full backdoor access has been achieved.

Due to the non-local nature of the box, and the com1 directory name, we have currently been unable to access the directory to retrieve the exe file. The box has been locked down with the Windows inbuilt firewall, locking all tcpip ports not needed. The exe is still running within the computer, but is currently unable to get out of the box.

Firstly, does anyone have any advice on how to get to this exe file? I don't want to just posix rd it, as I want to see the file first. And secondly, does anyone have any idea what this could be? DOS or warez?

Many thanks for any advice. If anyone can suggest how to get to the file, we will make it available for analysis.

Craig Broad
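The reason the com1 directory in this thread cannot be opened in Explorer is that Windows treats path components named like DOS devices (CON, PRN, AUX, NUL, COM1-9, LPT1-9, with or without an extension) as the device rather than as a directory. The check below is an added example, not code from this thread or from any of the tools mentioned in it: it flags reserved-name components in a path, builds the \\?\ extended-length form that Win32 APIs accept to reach such names, and walks a tree to find them. The demo tree it builds under a temp directory is constructed for illustration; the forcdos.exe it creates is an empty placeholder.

```python
import os
import re
import tempfile

# Names Windows reserves as DOS device names in every directory. A file or
# directory named like one ("com1", "com1.txt", "nul.") is not reachable by
# Explorer or most Win32 tools through a normal path.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_name(component: str) -> bool:
    """True if one path component names a DOS device.
    Windows strips trailing dots/spaces and ignores anything after the first dot."""
    stem = component.rstrip(" .").split(".", 1)[0]
    return stem.upper() in RESERVED


def reserved_components(path: str) -> list:
    """Return every component of a Windows path that is a reserved device name."""
    parts = re.split(r"[\\/]+", path)
    return [p for p in parts if p and is_reserved_name(p)]


def to_extended_path(path: str) -> str:
    """Prefix with \\?\ so Win32 file APIs skip DOS-device name parsing.
    This is the documented way to open, rename or delete such a directory."""
    if path.startswith("\\\\?\\"):
        return path
    return "\\\\?\\" + path.replace("/", "\\")


def scan_tree(root: str) -> list:
    """Walk a tree and return full paths of entries with reserved device names.
    On a live Windows host pass to_extended_path(root) so the walk can descend
    into the reserved-name directory itself."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_name(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample layout mirroring the thread's path; returns its root."""
    root = tempfile.mkdtemp(prefix="msagent_demo_")
    server_dir = os.path.join(root, "msagent", "local", "com1", "server")
    os.makedirs(server_dir)
    open(os.path.join(server_dir, "forcdos.exe"), "wb").close()  # empty placeholder
    return root
```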