Possible System Compromise

From: David Baker (bakerdat_private)
Date: Tue Jul 09 2002 - 11:57:54 PDT

Next message: Pavel Kankovsky: "TCP port 139 probes"

Previous message: Crist J. Clark: "Re: Invalid TCP header flags"
Next in thread: Mike Hrubes: "RE: Possible System Compromise"
Reply: Mike Hrubes: "RE: Possible System Compromise"
Reply: Willsey, Rob (CCI-Omaha): "RE: Possible System Compromise"
Reply: H C: "Re: Possible System Compromise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

All,
   I have a person that contacted me after some strange files appeared in the
root directory of his Windows XP box.  This person is remote from me, and I
don't have a lot to go on right now, but there are about 30 files that appeared
in the root directory:
S3no            23KB 
S3no.1           7KB 
S3no.2           4KB
S3no.3          23KB
S3no.4         472KB
S3no.5          23KB
S3no.6           7KB
S3no.7           4KB
S3no.8          23KB
S3no.9         472KB
S3no.a          23KB
S3no.b           7KB
S3no.c           4KB
S3no.d          23KB
S3no.e         472KB
S3no.f          23KB
S3no.g           7KB
S3no.h           4KB
S3no.i          23KB
S3no.j         472KB
S3no.k          23KB
S3no.l           7KB
S3no.m           4KB
S3no.n          23KB
S3no.o         472KB
S3no.p          23KB
S3no.q           7KB
S3no.r           4KB
S3no.s          23KB
S3no.t         472KB

This sounds familiar to me, but I cannot seem to find anything in my archives
about this one.  I also couldn't find anything relevant with a couple of
searches.  Does anyone have a cluebat they can smack me with?  The pattern of
file sizes is constant.  All the files have the same date/time
6/16/2002 at 6:42pm
Thanks in advance.
Dave B.

-- 
 ------------------------------------------------------------
 David W. Baker                            bakerdat_private
 Lead INFOSEC Engineer
 G023 - Secure Information Technology      (703) 883-3658
 The MITRE Corporation                     (703) 883-4589 (F)
 Mailstop W435                             
 7515 Colshire Drive                       McLean, VA, 22102
 ------------------------------------------------------------
 "Cyberspace. A consensual hallucination experienced daily by
 billions of legitimate operators, in every nation, by 
 children being taught mathematical concepts... A graphic
 representation of data abstracted from the banks of every
 computer in the human system.  Unthinkable complexity.  Lines 
 of light ranged in the nonspace of the mind, clusters and
 constellations of data.  Like city lights, receding..."
 - William Gibson, "Neuromancer" 
 
 "640K ought to be enough for anybody." - Bill Gates, 1981 
 -------------------------------------------------------------


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Pavel Kankovsky: "TCP port 139 probes"
Previous message: Crist J. Clark: "Re: Invalid TCP header flags"
Next in thread: Mike Hrubes: "RE: Possible System Compromise"
Reply: Mike Hrubes: "RE: Possible System Compromise"
Reply: Willsey, Rob (CCI-Omaha): "RE: Possible System Compromise"
Reply: H C: "Re: Possible System Compromise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 13:21:10 PDT