Win2K Advanced Server compromise report available

From: Curt Wilson (netw3at_private)
Date: Tue Sep 17 2002 - 08:24:23 PDT

    Several weeks ago I left a msg about a compromise of a Win2K Advanced 
    Server system. The system was attacked by Chinese (and other) attackers. 
    I've written up a document on this incident and include links to some of 
    the tools that were found on the server.
    
    The documents can be found at the Netw3 Security Research web site at 
    http://www.netw3.com. The most recent HTML document in the reading room is 
    what you will want to view, as it has links to the attacker tools that 
    were found, or you can view the document directly at 
    http://www.netw3.com/documents/win2k_attack_chinese.htm
    
    PipeCmdSrv.exe was found on the system, which is the server side component 
    of PipeCmd.exe, which runs with NtCmd.exe on the attacking client. 
    PipeCmd.exe comes in the Fluxay attack toolkit (which has also been called 
    an auto-rooter), but PipeCmdSrv.exe does not appear to be publicly 
    available from what I have seen so far. A translated link from a Chinese 
    hacker web site is included in the report that discusses the use of the 
    PipeCmd.exe and PipeCmdSrv.exe tools. I was somewhat surprised to find no 
    reference to these tools on the usual array of security sites 
    (packetstorm, etc.) but I suppose one can't account for everything out 
    there.
    
    Antivirus companies and other malware detectors may want to obtain the 
    PipeCmd tools from the Netw3.com site and generate product signatures.
    
    Curt Wilson
    Netw3 Security Research
    netw3at_private (my normal mailbox at premis.lod.com appears to be down)
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 17:43:33 PDT