RE: Can anyone identify this backdoor?

From: Matt Andreko (mandrekoat_private)
Date: Thu Jul 11 2002 - 08:09:28 PDT

Next message: Dave Mitchell: "Re: Apache Worm / ddos"

Previous message: Curley Mr Eric P: "Code Red and other anomalous activity from 1433"
In reply to: Matt Andreko: "Can anyone identify this backdoor?"
Next in thread: Matt Scarborough: "Re: Can anyone identify this backdoor?"
Next in thread: David Jacoby: "Re: Can anyone identify this backdoor?"
Reply: Matt Scarborough: "Re: Can anyone identify this backdoor?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have been asked by many to see the logs.  I have also posted them to
the website at http://www.criminalsmostly.com/~mandreko/logs.zip (didn't
want to post a really really long post)

It appears I didn't word my questions as well as I'd hoped.  I knew
pretty much what was inside it, other than the hk.exe.  I was mainly
wondering if this was some automated "rootkit" or if some little script
kiddie was sitting there using exploits they found on securityfocus, and
then running these apps on my client's server. 

I appreciate all the responses I'm getting, I'm finding out more that I
did not know about this little file.  I'm mainly trying to figure out
how it got there, and where it came from.  This little kit is quite
intriguing.  

--
Matt Andreko



-----Original Message-----
From: Matt Andreko [mailto:mandrekoat_private] 
Sent: Wednesday, July 10, 2002 4:58 PM
To: incidentsat_private
Subject: Can anyone identify this backdoor?

Apparently over the holiday, one of my client's machines was broken
into.  It was running Windows 2000 Pro, with IIS installed (webserver
only, no ftp,smtp..)  Apparently the attacker got in through this.  The
logs show some Unicode in the requests, so I'd bet that's it.  

A file was deposited in the c:\winnt\system32\ folder named "cc.exe".  I
have studied it a little bit, and it seems quite interesting.  It's
actually a winrar self-executable file.  Inside contains what I believe
a stripped down copy of serv-u ftp server, messages for that server, and
some other interesting tools.  There's a cmd.exe file, which doesn't
match the size of the one in c:\winnt\system32, so it could be
backdoored.

I was basically wondering if anyone had seen anything like it, or could
identify it.  I have put a copy up temporarily on my webserver at
http://www.criminalsmostly.com/~mandreko/cc.zip 








------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Dave Mitchell: "Re: Apache Worm / ddos"
Previous message: Curley Mr Eric P: "Code Red and other anomalous activity from 1433"
In reply to: Matt Andreko: "Can anyone identify this backdoor?"
Next in thread: Matt Scarborough: "Re: Can anyone identify this backdoor?"
Next in thread: David Jacoby: "Re: Can anyone identify this backdoor?"
Reply: Matt Scarborough: "Re: Can anyone identify this backdoor?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 13:14:07 PDT