Win2K Advaned Server compromise report available

[Curt Wilson <netw3 () premis lod com>]

Several weeks ago I left a msg about a compromise of a Win2K Advanced 
Server system. The system was attacked by Chinese (and other) attackers. 
I've written up a document on this incident and include links to some of 
the tools that were found on the server.

The documents can be found at the Netw3 Security Research web site at 
http://www.netw3.com. The most recent HTML document in the reading room is 
what you will want to view, as it has links to the attacker tools that 
were found, or you can view the document directly at 
http://www.netw3.com/documents/win2k_attack_chinese.htm

PipeCmdSrv.exe was found on the system, which is the server side component 
of PipeCmd.exe, which runs with NtCmd.exe on the attacking client. 
PipeCmd.exe comes in the Fluxay attack toolkit (which has also been called 
an auto-rooter), but PipeCmdSrv.exe does not appear to be publicly 
available from what I have seen so far. A translated link from a Chinese 
hacker web site is included in the report that discusses the use of the 
PipeCmd.exe and PipeCmdSrv.exe tools. I was somewhat suprised to find no 
reference to these tools on the usual array of security sites 
(packetstorm, etc.) but I suppose one can't account for everything out 
there.

Antivirus companies and other malware detectors may want to obtain the 
PipeCmd tools from the Netw3.com site and generate product signatures.

Curt Wilson
Netw3 Security Research
netw3 () netw3 com (my normal mailbox at premis.lod.com appears to be down)


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com