Re: Can anyone identify this backdoor?

From: Jhon Q Doe (boris888at_private)
Date: Wed Jul 10 2002 - 19:43:55 PDT


    From: "Matt Andreko" <mandrekoat_private>
    To: <incidentsat_private>
    Date: Wed, 10 Jul 2002 16:58:06 -0500
    Apparently over the holiday, one of my client's machines was broken
    into.  It was running Windows 2000 Pro, with IIS installed (webserver
    only, no ftp, smtp...)  Apparently the attacker got in through this.  The
    logs show some Unicode in the requests, so I'd bet that's it.  
    
    A file was deposited in the c:\winnt\system32\ folder named "cc.exe".  I
    have studied it a little bit, and it seems quite interesting.  It's
    actually a WinRAR self-executable file.  Inside it contains what I believe
    is a stripped down copy of the Serv-U ftp server, messages for that server,
    and some other interesting tools.  There's a cmd.exe file, which doesn't
    match the size of the one in c:\winnt\system32, so it could be
    backdoored.
    
    
    Boris writes:
    
    Have you cross checked this backdoor against the popular trojans? (i.e.:
    Sub7, Net Devil, BO2K, etc...)? If it's a Sub7 or Net-Devil trojan, and
    the attacker was stupid enough not to password protect it, you may be
    able to track them down using the stored information. As far as I know,
    UPX is a popular executable compression utility that comes with most
    versions of ND and is recommended by the Sub7 documentation. I'm unsure,
    however, as to the compression algorithm used by it (you said it appeared
    to be a RAR exec.). cmd.exe sounds like a familiar file with trojans, but
    I can't seem to place it. I'm unable to access your sample of the
    backdoor due to access problems (client side, don't worry). Beyond the
    over-the-counter trojans, this one looks like it's just there to leech
    files off your hard drive. Of course, there are also the unexplained
    tools.
    Good luck, you have me baffled.
    -Boris, the invincible
    
    
    ..:: <=====================> ::..
    satoshi_ishiguraat_private
    borisat_private
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
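A small triage check in the spirit of the analysis above, added here as an example and not code from the list thread: it flags a PE file that carries an embedded RAR archive, as a WinRAR self-extractor does, and compares a bundled cmd.exe against the system copy by size and SHA-256. The byte strings are constructed stand-ins, not the actual cc.exe or cmd.exe.

```python
import hashlib
from typing import Optional

# RAR archive signature; RAR 1.5 through 4.x use "Rar!\x1a\x07\x00" and RAR5
# adds a 0x01 byte, so matching on the shared prefix covers both.
RAR_MAGIC = b"Rar!\x1a\x07"
PE_MAGIC = b"MZ"


def find_embedded_rar(data: bytes) -> Optional[int]:
    """Offset of a RAR header inside a PE image, or None if the file is not a RAR SFX.

    A WinRAR self-extracting executable is a PE stub followed by the archive
    itself, so the RAR signature shows up somewhere after the MZ header.
    """
    if not data.startswith(PE_MAGIC):
        return None
    offset = data.find(RAR_MAGIC, len(PE_MAGIC))
    return offset if offset != -1 else None


def is_rar_sfx(data: bytes) -> bool:
    return find_embedded_rar(data) is not None


def fingerprint(data: bytes) -> tuple:
    """Size and SHA-256: the two values to compare against a known-good copy."""
    return len(data), hashlib.sha256(data).hexdigest()


def compare_with_reference(sample: bytes, reference: bytes) -> dict:
    """Report whether a dropped binary matches the trusted system copy."""
    s_size, s_hash = fingerprint(sample)
    r_size, r_hash = fingerprint(reference)
    return {"size_match": s_size == r_size, "hash_match": s_hash == r_hash,
            "sample_sha256": s_hash, "reference_sha256": r_hash}


# Constructed sample data (not real malware): a fake PE stub with a RAR
# signature appended, and the same stub without one.
PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100
SAMPLE_SFX = PE_STUB + RAR_MAGIC + b"\x00" + b"constructed archive body"
SAMPLE_PLAIN_EXE = PE_STUB
# Constructed stand-ins for the system cmd.exe and the bundled copy.
REFERENCE_CMD = b"MZ" + b"\x00" * 200 + b"reference"
DROPPED_CMD = b"MZ" + b"\x00" * 210 + b"altered"

if __name__ == "__main__":
    print("cc.exe is RAR SFX:", is_rar_sfx(SAMPLE_SFX),
          "archive at offset", find_embedded_rar(SAMPLE_SFX))
    print("cmd.exe comparison:", compare_with_reference(DROPPED_CMD, REFERENCE_CMD))
```

On a real system, read the dropped file and the system32 copy with open(path, "rb") and pass the bytes to these functions; a size or hash mismatch is the cue to treat the bundled copy as untrusted.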
    



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 12:14:50 PDT