Hi! Ive been checking the files you gave me, and is probally now a known backdoor. I think its a little nifty package some kiddie hacker compiled. The following files are: cc.zip = This is the backdoor, packed with RAR i think. This file will extrace the following files into c:\RECYCLER\ and install the backdoor. hk.exe = NT exploit. This program will let you execute commands with the access as the system. Its a spoofed LPC port request vulnerability. Read more here: http://ciac.llnl.gov/ciac/bulletins/k-019.shtml. CMD.exe = Command Prompt. IISsrvs.exe = This is the Serv-U FTP daemon. It will read its configuration from the localstart.cnf file. It will start the daemon on the port 1664. There are one user added on the daemon and the login is "juliana" but i havent been able to crack the password. The user got fille READ/WRITE/DELETE/EXECUTE access to all the drives from C: D: E: :F G: H: . But somehow after a while of checking this file the Serv-U daemon changed port to 43958 IIS.dll = Dont know (Probally some DLL used for starting the Serv-U via IIS services) The IISsrvs.exe uses this file. The configuration script for the IISsrvs.exe contains the following string: "SignOn = C:\recycler\iisl.dll" IISL.dll = Dont know (Probally some DLL used for starting the Serv-U via IIS services) JAsfv.dll = DLL used for the SFV checker. JAsfv.exe = A SFV checker. JAsfv.ini = Configurations script for the SFVcehcker localstart.cnf = Configuration file for IISsrvs.exe. nc.exe = NetCat, a file piping utility, You can bind programs to ports and alot more. this is the real backdoor i think. I think this will bind cmd.exe to a specifik port some how. But i made a portscan and just found the port 1664 open. networketer.dll = Dont Know PSkill.exe = This program will let the attacker/hacker/cracker to kill processes running on the victim computer. Both local and remote. ServuStartUpLog.txt This is a log file from the IISsrvs.exe. It will get the IP of the machine, and tell the hacker/cracker/attacker that the service is up and running. Tlist.exe = This program will let the attacker/hacker/cracker to list processes running on the victim computer from a command prompt. I hope this information will help you. Best regards David Jacoby Chief Hacker Outpost24 http://www.outpost24.com djat_private On Wed, 10 Jul 2002 16:58:06 -0500 "Matt Andreko" <mandrekoat_private> wrote: >Apparently over the holiday, one of my client's machines was broken >into. It was running Windows 2000 Pro, with IIS installed (webserver >only, no ftp,smtp..) Apparently the attacker got in through this. The >logs show some Unicode in the requests, so I'd bet that's it. >A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I >have studied it a little bit, and it seems quite interesting. It's >actually a winrar self-executable file. Inside contains what I believe >a stripped down copy of serv-u ftp server, messages for that server, and >some other interesting tools. There's a cmd.exe file, which doesn't >match the size of the one in c:\winnt\system32, so it could be >backdoored. >I was basically wondering if anyone had seen anything like it, or could >identify it. I have put a copy up temporarily on my webserver at >http://www.criminalsmostly.com/~mandreko/cc.zip ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 12:19:00 PDT