Re: Some details in a recent NT hack we encountered

[Gossi The Dog <gossi () OWNED LAB6 COM>]

On Mon, 26 Feb 2001, Matt Scarborough wrote:

> On Fri, 2 Mar 2001 14:29:06 +0000 (GMT), Gossi The Dog <gossi () owned lab6 com>
> wrote:
>
> > > On Sun, 25 Feb 2001, Matt Scarborough wrote:
> > > I sent details on this to the Incidents list on February 20, 2001. It
> would
> > > have helped you find what is missing. I captured the entire kit.
> > Could you repost it at all?  I'm fairly interested in this kit for various
> > reasons.
>
> I am unable to find it on Security Focus' website. You may find it here
> http://archives.neohapsis.com/archives/incidents/2001-02/0263.html
> or by sending the appropriately formatted  request to
> listserv () lists securityfocus com
> with something like
> GETPOST INCIDENTS 4289
>
> Please note, in the spirit of the Incidents list,
>
> "a lightly moderated mailing list to facilitate the quick exchange of security
> incident information,"
>
> my original post was aimed at quick identification of the BackGate Kit by file
> name, strings, and installation method so others could determine how best to
> proceed if encountered. This thread contains additional information which is
> very helpful to understanding the kit.
>
> But I wonder if we are moving toward discussion better suited to the
> Forensics or Focus-MS lists?

Yeah, I think it might be worth making it known that the IIS Unicode bug
allows priviledge escalution to SYSTEM without much effort (as demostrated
by BackGate) - as far as I know, not many admins realise this (certainly
in RFP's original bugtraq post he said it wasn't possible).

Also, does anybody have a copy of the kit kicking about?  I've tried
Google and Packetstorm to no avail, I'm sure everybody would be quite
interested to see if anything else lurks in it.

Cheers,
Gossi.