Security Incidents mailing list archives

Re: Can anyone identify this backdoor?


From: "Mark Shirley" <cyberfrog () core5 net>
Date: Thu, 11 Jul 2002 02:33:59 -0400

Follow up on those files: I found out more info from H-D (Hackers Digest) and
some more investigation on my part.

info.com seems to be some sort of win32 application that does some weird
stuff.  I managed to pull some Borland copyright stuff, assuming that is just
the compiler he used, disk checking functions such as size, type of volume,
etc., and finally some html which looks something like this

(broken html for you html mail clients)

{TITLE}Execution Script{/TITLE}{/HEAD}{BODY}
Server Information
SERVER_SOFTWARE
SERVER_PROTOCOL
SERVER_NAME
SERVER_PORT
PATH_TRANSLATION
 etc...
and with the info.bat it seems to be outputting this data to a.html

It's possible that this simple program is trying to imitate the old DOS info
prog yet creates an html file instead that is used to get information about
the web server.

There is a batch file called lol.bat that starts the copied
ftp server (c:\recycler\iissrvs) using the LocalStart.cnf file for its
defaults (password, username, port, etc.) along with some command based
arguments, deletes the log file that Serv-U creates when it starts and then
proceeds to run info.bat as mentioned above.

As far as the cmd.exe, I cannot personally tell if it is backdoored or not,
but you can only assume it is.

hk.exe is a program that exploits a vulnerability in the Win32 API (LPC,
local procedure call) that can be used to get system level access. Net
commands (net view, net share, net use, etc.)

nc.exe is basically win32 netcat, which would be your back door into the
system... it basically is a program that enables a user to initiate a telnet
server/session on any desired port

pskill.exe is simply a program that kills any desired process

tlist.exe is just a program that will give you a list of running processes

All it looks like to me is you got a trojan that basically creates a valid
running ftp server and a telnet server which sits waiting for the person to
log in and use the .exe's (nc, pskill, tlist, hk)

Not amazingly intricate but interesting.  Could this be a rootkit that I'm
not familiar with? ... perhaps a new one?


----- Original Message -----
From: "Matt Andreko" <mandreko () ori net>
To: <incidents () securityfocus com>
Sent: Wednesday, July 10, 2002 5:58 PM
Subject: Can anyone identify this backdoor?


Apparently over the holiday, one of my client's machines was broken
into.  It was running Windows 2000 Pro, with IIS installed (webserver
only, no ftp, smtp...).  Apparently the attacker got in through this.  The
logs show some Unicode in the requests, so I'd bet that's it.

A file was deposited in the c:\winnt\system32\ folder named "cc.exe".  I
have studied it a little bit, and it seems quite interesting.  It's
actually a WinRAR self-executable file.  Inside contains what I believe is
a stripped down copy of Serv-U ftp server, messages for that server, and
some other interesting tools.  There's a cmd.exe file, which doesn't
match the size of the one in c:\winnt\system32, so it could be
backdoored.

I was basically wondering if anyone had seen anything like it, or could
identify it.  I have put a copy up temporarily on my webserver at
http://www.criminalsmostly.com/~mandreko/cc.zip
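A defender-side triage check for the indicators this thread names (the cc.exe dropper in system32, the toolkit and LocalStart.cnf staged under c:\recycler\iissrvs, and the cmd.exe whose size does not match the system32 copy), added here as an example and not code from either poster. The file records, sizes and hashes are constructed, and the inventory of paths is assumed to come from some other collection step.

```python
"""Triage rules for the toolkit described in this thread (constructed data)."""
from dataclasses import dataclass
import hashlib

# Component names the thread lists as unpacked from cc.exe (lowercase for matching).
KNOWN_TOOL_NAMES = {"cc.exe", "lol.bat", "info.bat", "info.com", "nc.exe",
                    "hk.exe", "pskill.exe", "tlist.exe", "localstart.cnf"}
# The Recycle Bin root was used as the staging directory in the thread.
DROP_DIRS = ("c:\\recycler\\",)
SYSTEM_CMD = "c:\\winnt\\system32\\cmd.exe"


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    sha1: str


def triage(records):
    """Return (path, reason) findings for records matching the thread's indicators."""
    by_path = {r.path.lower(): r for r in records}
    canonical = by_path.get(SYSTEM_CMD)  # reference cmd.exe, if inventoried
    findings = []
    for r in records:
        p = r.path.lower()
        name = p.rsplit("\\", 1)[-1]
        if name in KNOWN_TOOL_NAMES:
            findings.append((r.path, f"known toolkit component {name}"))
        if p.startswith(DROP_DIRS) and p.endswith((".exe", ".bat", ".com", ".cnf")):
            findings.append((r.path, "executable or config staged under recycler"))
        # Matt's observation: a second cmd.exe whose size differs from system32's.
        if name == "cmd.exe" and p != SYSTEM_CMD and canonical is not None:
            if r.size != canonical.size or r.sha1 != canonical.sha1:
                findings.append((r.path, "cmd.exe copy differs from system32 copy"))
    return findings


def _sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed host snapshot; sizes and hashes are made up, not from the incident.
SAMPLE = [
    FileRecord(r"C:\WINNT\system32\cmd.exe", 236304, _sha1(b"genuine cmd")),
    FileRecord(r"C:\WINNT\system32\notepad.exe", 50960, _sha1(b"notepad")),
    FileRecord(r"C:\WINNT\system32\cc.exe", 412672, _sha1(b"rar sfx dropper")),
    FileRecord(r"C:\RECYCLER\iissrvs\cmd.exe", 208144, _sha1(b"modified cmd")),
    FileRecord(r"C:\RECYCLER\iissrvs\lol.bat", 311, _sha1(b"start script")),
    FileRecord(r"C:\RECYCLER\iissrvs\LocalStart.cnf", 1204, _sha1(b"serv-u cfg")),
    FileRecord(r"C:\RECYCLER\iissrvs\a.html", 2048, _sha1(b"html output")),
]
```

Running `triage(SAMPLE)` flags cc.exe, the three staged files and the mismatched cmd.exe, while the genuine system32 cmd.exe and a.html produce no finding.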

--------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com