We had an Internet connected W2K computer compromised. I have found the files used to compromise it and wonder if they are part of a standard compromise/exploit.

The first file installed during the compromise was an executable called PipeCmdSrv.exe in the folder WINNT/System32. This looks like a service executable which pipes input from a named pipe to cmd.exe (it was installed in the registry at LEGACY_PIPECMDSRV in the CurrentControlSet\Enum\Root key).

Then a copy of WinVNC was installed in a new hidden folder called "truetype" in the WINNT/Fonts folder. WinVNC was installed as a Service called "systask" and was also in the Run key. (It had a blank icon, and thus wasn't visible in the System Tray.)

After VNC was installed, mIRC, iroffer and Serv-U FTP were also installed in quick succession - about 15 minutes.

I cannot find any information about PipeCmdSrv.exe (I have a copy of it for inspection) but it seems to have been the first thing which was installed - how was it installed? Unfortunately the computer was not secure (installed by a vendor), had an easily guessable password, and had all the default settings of W2K SP2 (C$ share and remote access to the registry).

Has anyone seen PipeCmdSrv before and is it installed as part of a known compromise?

Thanks,
Tim Philip.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 13:14:55 PDT
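As an added triage example (not part of the original post), the following PowerShell script checks a Windows host for the persistence artifacts Tim lists: the PipeCmdSrv.exe binary, the "systask" service, the hidden Fonts\truetype folder, Run-key entries pointing at it, and the LEGACY_PIPECMDSRV residue under Enum\Root. The indicator table layout and the matching heuristics are assumptions of this example; the names and paths come from the post.

```powershell
# Added triage example (not from the original post). Names and paths are taken
# from the post; the $Indicators table and heuristics are assumptions of this example.
$Indicators = @{
    ServiceNames   = @('systask', 'PipeCmdSrv')
    Binaries       = @("$env:SystemRoot\System32\PipeCmdSrv.exe")
    HiddenFolders  = @("$env:SystemRoot\Fonts\truetype")
    LegacyEnumKeys = @('HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PIPECMDSRV')
    RunKeys        = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
}
$Findings = @()
# 1. Services: WinVNC ran as "systask" in the post; also flag any service whose
#    binary lives under the Fonts folder, which is never a legitimate location.
foreach ($svc in (Get-CimInstance Win32_Service)) {
    if ($Indicators.ServiceNames -contains $svc.Name -or $svc.PathName -like '*\Fonts\*') {
        $Findings += "Service '$($svc.Name)' -> $($svc.PathName)"
    }
}
# 2. The pipe-to-cmd.exe service binary on disk.
foreach ($p in $Indicators.Binaries) {
    if (Test-Path -LiteralPath $p) { $Findings += "Binary present: $p" }
}
# 3. Hidden "truetype" folder under Fonts (Test-Path finds hidden directories too).
foreach ($d in $Indicators.HiddenFolders) {
    if (Test-Path -LiteralPath $d) {
        $attrs = (Get-Item -LiteralPath $d -Force).Attributes
        $Findings += "Folder present: $d (attributes: $attrs)"
    }
}
# 4. Run-key values pointing into the Fonts folder or at a VNC binary.
foreach ($k in $Indicators.RunKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($prop.Value)" -like '*\Fonts\*' -or "$($prop.Value)" -like '*winvnc*') {
            $Findings += "Run entry '$($prop.Name)' in $k -> $($prop.Value)"
        }
    }
}
# 5. LEGACY_<service> keys under Enum\Root outlive the service itself, so they are
#    useful residue. Reading them normally requires SYSTEM rights; otherwise skipped.
foreach ($k in $Indicators.LegacyEnumKeys) {
    if (Test-Path -Path $k -ErrorAction SilentlyContinue) { $Findings += "Legacy enum key: $k" }
}
if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } } else { 'No indicators found.' }
```

Run it from an elevated prompt; the Enum\Root check is the one step that typically needs SYSTEM rather than Administrator rights.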