Matt,

I've done a quick analysis on this and come up with the following:

(1) cc.exe is a self-extracting executable which will write the following files:

C:\info.bat (uses info.exe to write to a.htm)
C:\info.exe (writes system information including volume sizes, free space etc.)
C:\lol.bat (runs iissrvs.exe, tries to delete the startup log and runs info.bat)
C:\recycler\CMD.EXE (possibly genuine cmd.exe from a version of NT/2K/XP, source unknown)
C:\recycler\hk.exe (detected by Sophos AV 3.59 as 'Troj/Hk', demonstration exploit for 'Spoofed LPC Port Request'; see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-003.asp for the MS article, and http://www.nmrc.org/files/nt/hk-0.1.zip for a download of the exploit and the source code)
C:\recycler\iis.dll (file used by iissrvs.exe, Serv-U FTP Server v3.0)
C:\recycler\iisl.dll (file used by iissrvs.exe, Serv-U FTP Server v3.0)
C:\recycler\iissrvs.exe (renamed Serv-U FTP Server v3.0)
C:\recycler\JAsfv.dll (used by JAsfv.exe)
C:\recycler\JAsfv.exe ("Just Another SFV Checker", uses CRC-32 technology to check each file and notifies you of any potentially bad, corrupt, incorrect size or missing files)
C:\recycler\JAsfv.ini (used by JAsfv.exe)
C:\recycler\Localstart.cnf (config file used to start iissrvs.exe)
C:\recycler\nc.exe (netcat for NT)
C:\recycler\pskill.exe (process kill)
C:\recycler\tlist.exe (process list)

(2) After extraction it runs lol.bat, which runs the FTP server, bound to port 1664 (see LocalStart.cnf). There are two users, Axx and Juliana, defined on the FTP server.

(3) There appears to be no attempt to write to the registry to allow the FTP server to restart when the server is rebooted; the only place cc.exe writes to in the registry is HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed, not sure why.

I would guess that this compromise was probably for warez kiddies who wanted to dump cracked software/mp3 etc. on your server.
The a.htm file indicates that volume size and free space are a priority, so that's my reasoning.

Hope this helps. Get the server patched, delete the files listed above and watch out for new exploits!

Richard Bartlett
Hacker Immunity Ltd

-----Original Message-----
From: Matt Andreko [mailto:mandrekoat_private]
Sent: 10 July 2002 22:58
To: incidentsat_private
Subject: Can anyone identify this backdoor?

Apparently over the holiday, one of my client's machines was broken into. It was running Windows 2000 Pro, with IIS installed (webserver only, no ftp, smtp..). Apparently the attacker got in through this. The logs show some Unicode in the requests, so I'd bet that's it.

A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I have studied it a little bit, and it seems quite interesting. It's actually a WinRAR self-executable file. Inside it contains what I believe is a stripped-down copy of Serv-U FTP server, messages for that server, and some other interesting tools. There's a cmd.exe file, which doesn't match the size of the one in c:\winnt\system32, so it could be backdoored.

I was basically wondering if anyone had seen anything like it, or could identify it. I have put a copy up temporarily on my webserver at http://www.criminalsmostly.com/~mandreko/cc.zip

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
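One way to go through the IIS logs Matt mentions and pull out the Unicode traversal requests, as an added example that is not part of the thread and is not either poster's code: it parses W3C extended log lines, decodes the overlong UTF-8 forms of '/' and '\' that the IIS Unicode bug relied on (so that "..%c0%af.." is seen as "../"), and tags requests that traverse with ".." into cmd.exe. The log lines, the field list, the IP addresses and the timestamps are constructed for the example and are not data from the compromised host.

```python
"""Flag IIS Unicode-traversal requests in W3C extended log lines.

Added example for the thread above, not code from either poster.  The log
lines are constructed to resemble IIS 5 W3C extended format; the field list,
timestamps and IP addresses are assumptions, not data from the compromised host.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# Constructed sample log (assumption: IIS 5 W3C extended format, 7 fields).
# Lines 1-2 use overlong UTF-8 for '/' and '\' inside '..', line 4 is the
# plain '../' form that the server rejected, line 3 is benign traffic.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-04 03:12:07 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200
2002-07-04 03:12:09 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\x.exe 200
2002-07-04 03:13:00 192.168.1.20 GET /index.htm - 200
2002-07-04 03:13:30 10.0.0.5 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
"""

TRAVERSAL = re.compile(rb"\.\.[/\\]")      # '../' or '..\' after normalisation
CMD_EXE = re.compile(rb"cmd\.exe$", re.I)  # request stem ends in a command shell


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign fields
        records.append(dict(zip(fields, parts)))
    return records


def decode_overlong(data: bytes) -> tuple[bytes, bool]:
    """Decode two-byte overlong UTF-8 (lead byte 0xC0/0xC1) the way a lenient
    decoder does: C0 AF -> '/', C1 9C -> '\\'.  Strict UTF-8 forbids these lead
    bytes, which is how '..%c0%af..' got past a check that rejects '../'.
    Returns (normalised bytes, whether any overlong form was seen)."""
    out = bytearray()
    seen = False
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            seen = True
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out), seen


def classify(uri_stem: str) -> set[str]:
    """Tag a cs-uri-stem with overlong-utf8 / traversal / cmd.exe (empty if benign)."""
    raw = unquote_to_bytes(uri_stem)      # one percent-decoding pass, as logged
    norm, overlong = decode_overlong(raw)
    tags: set[str] = set()
    if overlong:
        tags.add("overlong-utf8")
    if TRAVERSAL.search(norm):
        tags.add("traversal")
    if CMD_EXE.search(norm):
        tags.add("cmd.exe")
    return tags


def find_suspicious(text: str) -> list[dict[str, str]]:
    """Return log records carrying any tag, with a comma-joined 'tags' column."""
    hits: list[dict[str, str]] = []
    for rec in parse_w3c(text):
        tags = classify(rec.get("cs-uri-stem", ""))
        if tags:
            hits.append({**rec, "tags": ",".join(sorted(tags))})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["date"]} {h["time"]} {h["c-ip"]} {h["sc-status"]} [{h["tags"]}] '
              f'{h["cs-uri-stem"]} {h["cs-uri-query"]}')
```

Run it against the real log with SAMPLE_LOG swapped for the file contents; the lines to correlate with the cc.exe timestamp are the tagged ones that returned status 200 from a single client IP, since a 404 or 403 on the plain "../" form is a failed attempt and the overlong form is the one that actually reached cmd.exe.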
This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 16:16:10 PDT