Security Basics mailing list archives

RE: forcdos.exe, msagent directory, DOS or warez??


From: <asuhovey () mtu-net ru>
Date: Fri, 12 Dec 2003 19:20:10 +0300

Charles, thanks for the link to this MS article.
This whole thread is very informative.

Note, I do not have any directories/files
with reserved names, so I didn't get to test
against them, but things should work just the same.
It is easy to check, as it works for mkdir too:

C:\>mkdir \\.\c:\blah\com1

C:\>echo Hey > \\.\c:\blah\com1\hey

C:\>dir /b c:\blah\
com1

C:\>dir /b c:\blah\com1
File Not Found

C:\>dir /b \\.\c:\blah\com1
hey

C:\>copy \\.\c:\blah\com1\hey c:\blah
        1 file(s) copied.

C:\>dir /b c:\blah
com1
hey

C:\>rmdir /s /q \\.\c:\blah\com1

C:\>dir /b c:\blah
hey

C:\>


Al.
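The `\\.\` trick shown in the transcript above bypasses the Win32 reserved-name check, which is why `dir c:\blah\com1` fails while `dir \\.\c:\blah\com1` works. The following is an added example, not code from the thread or from any of its posters: it classifies path components the way classic Win32 does (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9, with `COM1.txt` and trailing spaces treated the same as `COM1`) and rewrites a drive-rooted path into the device-namespace form used in the thread. The reserved-name set and the sample listing are constructed for the example; it only manipulates path strings, so it runs on any platform without touching a file system.

```python
from pathlib import PureWindowsPath

# Names the classic Win32 layer reserves as devices in every directory
# (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9); constructed reference set.
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL"}
RESERVED_NAMES |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def is_reserved_name(component: str) -> bool:
    """True if one path component would be treated as a device by Win32.

    The stem before the first dot decides, with trailing spaces ignored,
    so 'com1', 'COM1.txt' and 'com1 ' are all reserved; 'com10' is not.
    """
    stem = component.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_NAMES


def reserved_components(path: str) -> list:
    """Return every component of a Windows path that is a reserved name."""
    p = PureWindowsPath(path)
    # parts[0] is the drive anchor ('C:\\') for drive-rooted paths; skip it.
    body = p.parts[1:] if p.anchor else p.parts
    return [c for c in body if is_reserved_name(c)]


def device_namespace_path(path: str) -> str:
    r"""Rewrite a drive-rooted path into the \\.\ form the thread uses
    (RD \\.\C:\path\com1), which skips reserved-name parsing."""
    p = PureWindowsPath(path)
    if not p.drive or p.drive.startswith("\\\\"):
        raise ValueError("expected a drive-rooted path such as C:\\dir\\com1")
    return "\\\\.\\" + str(p)


def audit_listing(paths) -> list:
    """Flag entries whose path contains a reserved-name directory and show
    the device-namespace path that can reach them."""
    findings = []
    for path in paths:
        hits = reserved_components(path)
        if hits:
            findings.append({"path": path, "reserved": hits,
                             "access_as": device_namespace_path(path)})
    return findings


# Constructed sample listing, modelled on the location given in the thread.
SAMPLE_LISTING = [
    r"C:\winnt\system32\msagent\local\com1\server\forcdos.exe",
    r"C:\winnt\system32\msagent\agentctl.dll",
    r"C:\blah\hey",
]

if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f["path"], "->", f["access_as"], "reserved:", f["reserved"])
```

Feeding `audit_listing` the output of a recursive directory walk (collected from a live system with `dir /s /b`, say) lists every entry that ordinary tools will refuse to open and the `\\.\` path that will. Because the component test is purely lexical it also catches the `COM1.txt` variant, which a quick visual scan of a listing tends to miss.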

-----Original Message-----
From: Charles Otstot [mailto:charles.otstot () ncmail net] 
Sent: Tuesday, December 09, 2003 4:04 PM
To: security-basics () securityfocus com
Cc: 'craig () broadband-computers com'
Subject: Re: forcdos.exe, msagent directory, DOS or warez??

Something easier that *should* work:
http://support.microsoft.com/?id=120716

This article details removing files/directories with reserved names 
(such as the com1 directory).

The following syntax will let you run commands against the suspect folder:
RD \\.\<driveletter>:\<path>\<directory name>

I did a quick check to see whether other commands (e.g. dir, copy, etc.) 
would work using this syntax and all worked just fine.
Note, I do not have any directories/files with reserved names, so I 
didn't get to test against them, but things should work just the same.

Copy the file out of the reserved directory and you can check it out 
from there.
As to what you're seeing, my first guess is a renamed copy of Serv-U FTP 
server. Based on your overall description of the problem, it looks like 
you've probably got an IRC DCC server installed and your machine is 
being used to download warez or pirated music/movies.
Check the "Recycler" folder to see if any of the recycle bins are taking 
up a lot (Gig's) of space. Also check for the existence of a dummy 
recycle bin. It would appear as a normal folder icon with a fake SID 
for the folder name, rather than a recycle bin icon with a SID. Most of 
the hacks I've seen for this use the recycle bin structure for storing 
the downloadable files.
You will also likely find that you have services starting that have 
reasonable sounding names, but are not real Windows services. Check for 
service file names that are *close* but not exactly proper file names 
(e.g. scvhost.exe instead of svchost.exe).

As to *how* they got in, the things I've seen most are through blank sa 
passwords or weak administrator-level user passwords (since the 
Administrators group is automatically added to SQL admins). From there, 
xp_cmdshell is invoked to get a command prompt and it's off to the races.

hth,
Charlie
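The "close but not exact" service-name check Charlie describes can be automated. What follows is an added example and not code from any poster in this thread: it compares each service's image file name against a constructed list of well-known Windows service binaries using edit distance, flags near-misses such as scvhost.exe versus svchost.exe, and separately flags a genuine system binary name that runs from outside the system directory (the Recycler location mentioned above). The reference list, the system-directory prefixes and the sample service table are constructed assumptions; on a real host the table would be filled from the service control manager or the registry.

```python
# Well-known Windows service binaries (constructed reference list; extend as needed).
KNOWN_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "csrss.exe", "spoolsv.exe", "smss.exe", "wininit.exe",
}
# Directories where those binaries legitimately live (constructed assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def image_binary(image_path: str) -> str:
    """Lower-cased binary path from a service ImagePath value, with quotes
    and trailing arguments (e.g. '-k netsvcs') removed. Unquoted paths
    containing spaces are truncated at the first space; quote them."""
    p = image_path.strip().lower()
    if p.startswith('"') and '"' in p[1:]:
        return p[1:p.index('"', 1)]
    return p.split(" ", 1)[0]


def closest_known(exe: str):
    """(known_name, distance) for the nearest well-known binary name."""
    return min(((k, edit_distance(exe, k)) for k in KNOWN_BINARIES),
               key=lambda t: t[1])


def check_service(image_path: str, max_distance: int = 2) -> list:
    """Return human-readable findings for one service, empty if it looks clean."""
    findings = []
    path = image_binary(image_path)
    exe = path.rsplit("\\", 1)[-1]
    known, dist = closest_known(exe)
    if 0 < dist <= max_distance:
        findings.append(f"image name {exe!r} is {dist} edit(s) from {known!r}")
    if exe in KNOWN_BINARIES and not path.startswith(SYSTEM_DIRS):
        findings.append(f"{exe!r} running from non-system directory {path!r}")
    return findings


def audit_services(services) -> dict:
    """Map display name -> findings for every service with at least one finding."""
    result = {}
    for name, image_path in services:
        findings = check_service(image_path)
        if findings:
            result[name] = findings
    return result


# Constructed sample table of (display name, ImagePath), mimicking the thread.
SAMPLE_SERVICES = [
    ("Remote Procedure Call (RPC)", r"C:\WINNT\system32\svchost.exe -k rpcss"),
    ("Windows Host Service", r"C:\WINNT\system32\scvhost.exe"),
    ("Print Spooler",
     r'"C:\RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1004\spoolsv.exe"'),
]

if __name__ == "__main__":
    for name, findings in audit_services(SAMPLE_SERVICES).items():
        print(name)
        for f in findings:
            print("   ", f)
```

A distance threshold of 2 catches transpositions and single extra or missing characters without flagging unrelated short names; raise it only if the reference list grows to include longer names, and review hits by hand, since a legitimate third-party service can legitimately sit one edit away from a system binary name.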


Dean Davis wrote:

Consider installing an emergency copy of Windoze, in a different directory
of course, and troubleshoot from there. I've seen similar, reserved-name,
exploits and was able to mitigate the exploit by removing traces from a
second copy of Windoze.



Thanks,
Dean Davis, MCSE,MCDBA,CCNA,CNA,N+,Linux+
Sr. Network Engineer
MBG, Inc.
370 Lexington Avenue
New York, NY 10017
P. 212.822.4429
F. 212.822.4499
http://www.mbg-inc.com



-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger () badenit de] 
Sent: Monday, December 08, 2003 8:45 AM
To: 'craig () broadband-computers com'; security-basics () securityfocus com
Subject: RE: forcdos.exe, msagent directory, DOS or warez??


Hi Craig,

I'm not 100% sure why you can't get a copy of the file. Is it not your
machine, or what is the exact problem? Can you start a process on the
machine? Can you ftp the file to yourself? Or send it over a netcat tunnel?
Explain the problem, and I'm sure some clever person will have an idea for
you.

As far as finding out what the file is, there are many possibilities. First
thing I usually would do is to run strings on it, and then google for those
strings. The other first thing to do is to take an md5 sum of the file, and
search for it on packetstorm (www.packetstormsecurity.nl). They have an
exploit/malware archive which you can also search by md5. Be sure to read up
a bit on incident handling before you touch the box too much, assuming you
want to document everything and keep it 'official.' Even if you are just
checking it out for fun, it would still be a great exercise to practice IH.
You would also probably find Kevin Mandia's book 'Incident Response' (I
believe it's from McGraw Hill Press) very interesting. He explains very well
how to preserve volatile data, and properly do a live response on a live
system.

If you have any more questions, don't hesitate to ask,

Chris Meidinger
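The two first steps Chris suggests, hashing the file and pulling printable strings from it, are simple enough to script so that the results can be recorded as part of the incident notes. The following is an added example, not code from the thread or any poster: it computes MD5 (the hash the archives of the day were searched by) alongside SHA-256, and extracts both ASCII and UTF-16LE strings, the latter because Windows binaries keep much of their text in UTF-16 and a plain `strings` run without `-el` misses it. The sample "binary" is a constructed byte string that stands in for the unidentified executable; nothing here is the real forcdos.exe.

```python
import hashlib
import re

# Constructed sample "binary": a PE-like header, a few ASCII strings and one
# UTF-16LE string. It stands in for the unidentified file in the thread.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00"
    b"\x01\x02\x03\x04"
    b"Serv-U FTP Server\x00"
    b"220 Welcome\x00\x00"
    + "Version 4.0 build 1".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
)


def file_hashes(data: bytes) -> dict:
    """MD5 (what malware archives of the era indexed) plus SHA-256."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable UTF-16LE characters (each ASCII byte followed by
    a NUL) at least min_len long, the equivalent of `strings -el`."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Everything worth pasting into the incident log for one file."""
    return {"hashes": file_hashes(data),
            "ascii": ascii_strings(data),
            "utf16": utf16le_strings(data)}


if __name__ == "__main__":
    # On a real case: data = open(path, "rb").read() on a copy of the file.
    report = triage(SAMPLE_BINARY)
    for algo, digest in report["hashes"].items():
        print(f"{algo}: {digest}")
    for s in report["ascii"] + report["utf16"]:
        print("string:", s)
```

Run it against a copy of the suspect file, never the only copy, and keep the hash output with the notes: the MD5 is what lets someone else confirm they are looking at the same sample, and the extracted strings (product names, banners, version text) are the search terms that usually identify a renamed tool.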


-----Original Message-----
From: Craig Broad [mailto:craig () broadband-computers com]
Sent: Friday, December 05, 2003 12:53 AM
To: security-basics () securityfocus com
Subject: forcdos.exe, msagent directory, DOS or warez??


Hi all,

On a box recently moved to a managed network rack (GX networks), over the
last 2 weeks we have noticed strange behaviour. One of the boxes on the
subnet has been maxing out the link's bandwidth; on further investigation,
massive activity was found on ports 63501, 63502, 1734 and other high range
ports. The behaviour was at least 8 hours of fully limiting output, and
then up to 8 hours of normal level operation and then a return to full
output. At least every 3 cycles, there would be an upload to the server at a
limit of about 512kbps.

Using a sniffer (netprobe) the ports were identified, and using fport these
were all linked to an executable called forcdos.exe. I have searched all
search engines, and have seen not one single link, so I'm assuming it's
something else renamed. The file has been placed in the
C:\winnt\system32\msagent\local\com1\server directory. We are assuming at
this time it has come in via some SQL exploit. It looks as if full backdoor
access has been achieved. Due to the non-local nature of the box, and the
com1 directory name, we have currently been unable to access the directory to
retrieve the exe file.

The box has been locked down with the Windows inbuilt firewall, locking all
tcpip ports not needed. The exe is still running within the computer, but
is currently unable to get out of the box.

Firstly, does anyone have any advice on how to get to this exe file? I don't
want to just posix rd it, as I want to see the file first, and secondly does
anyone have any idea what this could be? DOS or Warez?

Many thanks for any advice. If anyone can suggest how to get to the file,
we will make it available for analysis.

-----------
Craig Broad

