Re: Can anyone identify this backdoor?

From: David Jacoby (djat_private)
Date: Thu Jul 11 2002 - 03:26:18 PDT

  • Next message: Curley Mr Eric P: "Code Red and other anomalous activity from 1433"

    Hi!
    
    Ive been checking the files you gave me, and is probally now a known backdoor. I think
    its a little nifty package some kiddie hacker compiled.
    
    The following files are:
    
    cc.zip 		= 	This is the backdoor, packed with RAR i think. This file will extrace the
    			following files into c:\RECYCLER\ and install the backdoor.
    
    hk.exe 		= 	NT exploit. This program will let you execute commands with the access as
    	 		the system. Its a spoofed LPC port request vulnerability. Read more here:
    	 		http://ciac.llnl.gov/ciac/bulletins/k-019.shtml. 
    
    CMD.exe 	= 	Command Prompt.
    
    IISsrvs.exe 	= 	This is the Serv-U FTP daemon. It will read its configuration from the
    			localstart.cnf file. It will start the daemon on the port 1664. There are
    			one user added on the daemon and the login is "juliana" but i havent been
    			able to crack the password. The user got fille READ/WRITE/DELETE/EXECUTE
    			access to all the drives from C: D: E: :F G: H: . But somehow after a while
    			of checking this file the Serv-U daemon changed port to 43958
    
    IIS.dll		=	Dont know	(Probally some DLL used for starting the Serv-U via IIS services)
    			The IISsrvs.exe uses this file. The configuration script for the IISsrvs.exe contains
    			the following string: "SignOn = C:\recycler\iisl.dll"
    
    IISL.dll	=	Dont know	(Probally some DLL used for starting the Serv-U via IIS services)
    
    JAsfv.dll	=	DLL used for the SFV checker.
    
    JAsfv.exe	=	A SFV checker.
    
    JAsfv.ini	=	Configurations script for the SFVcehcker
    
    localstart.cnf	=	Configuration file for IISsrvs.exe.
    
    nc.exe		= 	NetCat, a file piping utility, You can bind programs to ports and alot more.
    			this is the real backdoor i think. I think this will bind cmd.exe to a specifik
    			port some how. But i made a portscan and just found the port 1664 open.
    
    networketer.dll	=	Dont Know
    
    PSkill.exe	=	This program will let the attacker/hacker/cracker to kill
    			processes running on the victim computer. Both local and remote.
    
    ServuStartUpLog.txt	This is a log file from the IISsrvs.exe. It will get the IP of
    			the machine, and tell the hacker/cracker/attacker that the service
    			is up and running.
    
    Tlist.exe	=	This program will let the attacker/hacker/cracker to list processes
    			running on the victim computer from a command prompt.
    
    
    
    
    I hope this information will help you.
    
    
    
    Best regards
    
    David Jacoby
    Chief Hacker
    Outpost24
    
    http://www.outpost24.com
    djat_private
    
    
    
    
    
    
    
    
    On Wed, 10 Jul 2002 16:58:06 -0500
    "Matt Andreko" <mandrekoat_private> wrote:
    
    >Apparently over the holiday, one of my client's machines was broken
    >into.  It was running Windows 2000 Pro, with IIS installed (webserver
    >only, no ftp,smtp..)  Apparently the attacker got in through this.  The
    >logs show some Unicode in the requests, so I'd bet that's it.  
    
    >A file was deposited in the c:\winnt\system32\ folder named "cc.exe".  I
    >have studied it a little bit, and it seems quite interesting.  It's
    >actually a winrar self-executable file.  Inside contains what I believe
    >a stripped down copy of serv-u ftp server, messages for that server, and
    >some other interesting tools.  There's a cmd.exe file, which doesn't
    >match the size of the one in c:\winnt\system32, so it could be
    >backdoored.
    
    >I was basically wondering if anyone had seen anything like it, or could
    >identify it.  I have put a copy up temporarily on my webserver at
    >http://www.criminalsmostly.com/~mandreko/cc.zip 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 12:19:00 PDT