RE: Possible System Compromise

From: Willsey, Rob (CCI-Omaha) (Rob.Willseyat_private)
Date: Tue Jul 09 2002 - 14:37:52 PDT


    With the file sizes being different I wouldn't say a zip or rar file.  Those usually have the same file size through the majority of it.  My guess would be speed tests of some sort.
    
    
    -----Original Message-----
    From: Mike Hrubes [mailto:MHrubesat_private]
    Sent: Tuesday, July 09, 2002 3:29 PM
    To: David Baker; incidentsat_private
    Subject: RE: Possible System Compromise
    
    Perhaps a .rar or a zipped file of some sort?  Seems familiar to me as well...I've seen it before.  That's all the clues I have for you....
    
    -----Original Message-----
    From: David Baker [mailto:bakerdat_private]
    Sent: Tuesday, July 09, 2002 1:58 PM
    To: incidentsat_private
    Subject: Possible System Compromise
    
    
    All,
       I have a person that contacted me after some strange files appeared in the
    root directory of his Windows XP box.  This person is remote from me, and I
    don't have a lot to go on right now, but there are about 30 files that appeared
    in the root directory:
    S3no            23KB 
    S3no.1           7KB 
    S3no.2           4KB
    S3no.3          23KB
    S3no.4         472KB
    S3no.5          23KB
    S3no.6           7KB
    S3no.7           4KB
    S3no.8          23KB
    S3no.9         472KB
    S3no.a          23KB
    S3no.b           7KB
    S3no.c           4KB
    S3no.d          23KB
    S3no.e         472KB
    S3no.f          23KB
    S3no.g           7KB
    S3no.h           4KB
    S3no.i          23KB
    S3no.j         472KB
    S3no.k          23KB
    S3no.l           7KB
    S3no.m           4KB
    S3no.n          23KB
    S3no.o         472KB
    S3no.p          23KB
    S3no.q           7KB
    S3no.r           4KB
    S3no.s          23KB
    S3no.t         472KB
    
    This sounds familiar to me, but I cannot seem to find anything in my archives
    about this one.  I also couldn't find anything relevant with a couple of
    searches.  Does anyone have a cluebat they can smack me with?  The pattern of
    file sizes is constant.  All the files have the same date/time:
    6/16/2002 at 6:42pm.
    Thanks in advance.
    Dave B.
    
    -- 
     ------------------------------------------------------------
     David W. Baker                            bakerdat_private
     Lead INFOSEC Engineer
     G023 - Secure Information Technology      (703) 883-3658
     The MITRE Corporation                     (703) 883-4589 (F)
     Mailstop W435                             
     7515 Colshire Drive                       McLean, VA, 22102
     ------------------------------------------------------------
     "Cyberspace. A consensual hallucination experienced daily by
     billions of legitimate operators, in every nation, by 
     children being taught mathematical concepts... A graphic
     representation of data abstracted from the banks of every
     computer in the human system.  Unthinkable complexity.  Lines 
     of light ranged in the nonspace of the mind, clusters and
     constellations of data.  Like city lights, receding..."
     - William Gibson, "Neuromancer" 
     
     "640K ought to be enough for anybody." - Bill Gates, 1981 
     -------------------------------------------------------------
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
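An added triage example, not part of the thread and not something any of the posters ran: it takes a directory listing in the shape Dave posted (a constructed listing format with the mtime on each line, using the names and sizes from his message and the 6/16/2002 6:42pm timestamp he gave), groups the files by modification time, and then tests the two things the replies reason about: whether the size sequence repeats with a fixed period (23, 7, 4, 23, 472 KB here), and whether it is flat apart from the last file, which is what Rob's split zip/rar explanation would predict. All function and field names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample listing: names and sizes from the post, one shared mtime.
LISTING = """\
6/16/2002 6:42pm S3no    23KB
6/16/2002 6:42pm S3no.1   7KB
6/16/2002 6:42pm S3no.2   4KB
6/16/2002 6:42pm S3no.3  23KB
6/16/2002 6:42pm S3no.4 472KB
6/16/2002 6:42pm S3no.5  23KB
6/16/2002 6:42pm S3no.6   7KB
6/16/2002 6:42pm S3no.7   4KB
6/16/2002 6:42pm S3no.8  23KB
6/16/2002 6:42pm S3no.9 472KB
6/16/2002 6:42pm S3no.a  23KB
6/16/2002 6:42pm S3no.b   7KB
6/16/2002 6:42pm S3no.c   4KB
6/16/2002 6:42pm S3no.d  23KB
6/16/2002 6:42pm S3no.e 472KB
6/16/2002 6:42pm S3no.f  23KB
6/16/2002 6:42pm S3no.g   7KB
6/16/2002 6:42pm S3no.h   4KB
6/16/2002 6:42pm S3no.i  23KB
6/16/2002 6:42pm S3no.j 472KB
6/16/2002 6:42pm S3no.k  23KB
6/16/2002 6:42pm S3no.l   7KB
6/16/2002 6:42pm S3no.m   4KB
6/16/2002 6:42pm S3no.n  23KB
6/16/2002 6:42pm S3no.o 472KB
6/16/2002 6:42pm S3no.p  23KB
6/16/2002 6:42pm S3no.q   7KB
6/16/2002 6:42pm S3no.r   4KB
6/16/2002 6:42pm S3no.s  23KB
6/16/2002 6:42pm S3no.t 472KB
"""

# One listing line: "M/D/YYYY H:MMam|pm NAME SIZEKB" (format is an assumption).
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}[ap]m)\s+"
    r"(?P<name>\S+)\s+(?P<size>\d+)KB$"
)


def parse_listing(text):
    """Return [(name, mtime, size_kb), ...] in the order the listing gives."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed listing line: {line!r}")
        mtime = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M%p")
        entries.append((m["name"], mtime, int(m["size"])))
    return entries


def size_period(sizes):
    """Smallest p with sizes[i] == sizes[i+p] for all i and at least two full
    repeats; None if the sequence does not repeat."""
    n = len(sizes)
    for p in range(1, n // 2 + 1):
        if all(sizes[i] == sizes[i + p] for i in range(n - p)):
            return p
    return None


def looks_like_split_archive(sizes):
    """Rob's heuristic: split zip/rar volumes are equal-sized except the last."""
    return len(sizes) >= 2 and len(set(sizes[:-1])) == 1


def triage(text):
    """Group files by mtime and summarise the size pattern of each batch."""
    batches = defaultdict(list)
    for name, mtime, size in parse_listing(text):
        batches[mtime].append(size)
    return {
        mtime: {
            "count": len(sizes),
            "period": size_period(sizes),
            "split_archive_like": looks_like_split_archive(sizes),
            "distinct_sizes_kb": sorted(set(sizes)),
        }
        for mtime, sizes in batches.items()
    }


if __name__ == "__main__":
    for mtime, info in triage(LISTING).items():
        print(mtime.isoformat(), info)
```

Run against the posted listing, the whole batch shares one mtime, the size sequence has period 5 and four distinct sizes, and the split-archive check is false, which is the observation Rob's reply is based on. Files are kept in listing order, so sort the input by name first if a real listing comes out in another order.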



    This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 15:56:31 PDT