Just to let you know (and the list): the cc.zip has a file named hk.exe. It has the TROJ.HK.A trojan/virus on it.

Erick A. Perez H.

> -----Original Message-----
> From: Matt Andreko [mailto:mandrekoat_private]
> Sent: Wednesday, July 10, 2002 04:58 p.m.
> To: incidentsat_private
> Subject: Can anyone identify this backdoor?
>
>
> Apparently over the holiday, one of my client's machines was
> broken into. It was running Windows 2000 Pro, with IIS
> installed (webserver only, no ftp, smtp..). Apparently the
> attacker got in through this. The logs show some Unicode in
> the requests, so I'd bet that's it.
>
> A file was deposited in the c:\winnt\system32\ folder named
> "cc.exe". I have studied it a little bit, and it seems quite
> interesting. It's actually a winrar self-executable file.
> Inside it contains what I believe is a stripped down copy of serv-u
> ftp server, messages for that server, and some other
> interesting tools. There's a cmd.exe file, which doesn't
> match the size of the one in c:\winnt\system32, so it could
> be backdoored.
>
> I was basically wondering if anyone had seen anything like
> it, or could identify it. I have put a copy up temporarily
> on my webserver at http://www.criminalsmostly.com/~mandreko/cc.zip
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer
> service. For more information on this free incident handling,
> management and tracking system please see: http://aris.securityfocus.com
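Matt's message says the IIS logs show "some Unicode in the requests" and that cmd.exe was involved. The script below is an added example, not code from either poster or from any tool they mention: it reads IIS W3C extended log records, decodes each cs-uri-stem the way a lenient server-side lookup would (percent-decoding twice, then collapsing overlong two-byte UTF-8 sequences to the ASCII byte they stand for), and flags requests that resolve to a "../" traversal or end in cmd.exe. The log lines, timestamps and IP addresses are constructed for the example; the normalizer is a simplification for triage, not a reimplementation of the IIS decoder.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample of an IIS 5.0 W3C extended log (not the poster's real log).
# The first two records reach cmd.exe through the /scripts virtual directory
# using overlong UTF-8 and double percent-encoding; the rest are benign.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-05 02:14:11 203.0.113.7 GET /scripts/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200
2002-07-05 02:14:12 203.0.113.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2002-07-05 02:15:03 198.51.100.4 GET /index.htm - 200
2002-07-05 02:16:40 198.51.100.4 GET /images/space%20shuttle.gif - 304
"""

# Percent-encoded two-byte UTF-8 with lead byte C0/C1: always overlong, never
# produced by a legitimate client, so worth flagging on its own.
OVERLONG_2BYTE = re.compile(r"%[cC][01]%[89abAB][0-9a-fA-F]")


def normalize_path(uri_stem: str) -> str:
    """Decode a cs-uri-stem as a lenient filesystem lookup would end up seeing it."""
    raw = unquote_to_bytes(uri_stem)   # %xx -> byte
    raw = unquote_to_bytes(raw)        # second pass catches %25xx (double encoding)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        # Overlong 2-byte sequence: a strict decoder rejects it, a lenient one
        # turns the pair into a single ASCII byte (e.g. C0 AF -> '/').
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    # Treat backslash and slash alike, as the Windows path resolver does.
    return out.decode("latin-1").replace("\\", "/")


def parse_w3c(text: str):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(stem: str) -> list:
    """Return the reasons a request path looks like directory traversal, if any."""
    path = normalize_path(stem)
    reasons = []
    if "../" in path:
        reasons.append("traversal")
    if path.lower().endswith("cmd.exe"):
        reasons.append("cmd.exe")
    if OVERLONG_2BYTE.search(stem):
        reasons.append("overlong-utf8")
    return reasons


def scan(text: str) -> list:
    """Return the suspicious records, each with its decoded path and reasons."""
    hits = []
    for rec in parse_w3c(text):
        reasons = classify(rec["cs-uri-stem"])
        if reasons:
            hits.append({**rec,
                         "decoded": normalize_path(rec["cs-uri-stem"]),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["decoded"],
              ",".join(hit["reasons"]))
```

Run against a real ex*.log the hits give the source address and timestamp to pivot on when reconstructing how the archive was dropped into system32; note that the decoder deliberately over-decodes, so a literal "%25" in a legitimate path can produce a false positive that the "reasons" list lets you dismiss quickly.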
This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 15:57:51 PDT