Re: Can anyone identify this possible backdoor?

From: Greg Owen (gowen-incidentsat_private)
Date: Sat Aug 23 2003 - 17:51:05 PDT

Next message: Dowling, Gabrielle: "RE: Sobig.F style email with no attachments"

Previous message: Rob Shein: "RE: Increasing ICMP Echo Requests"
In reply to: Greg Owen: "Can anyone identify this possible backdoor?"
Next in thread: Schmehl, Paul L: "RE: Can anyone identify this possible backdoor?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greg Owen wrote:
> Investigating a machine which is spewing SoBig.F and may be compromised, 
> I'm seeing the following response on port 2001/tcp:
> 
> % nc 192.168.5.89 2001
> 
> <
> > Unrecognized command or Invalid argument received
> % nc 192.168.5.89 2001
> helo
> <helo> Unrecognized command or Invalid argument received
> %

Sorry, I should have been a bit more explicit.

1) The command line above 'nc 192.168.5.89 2001' is me investigating, 
not anything running on or printed by the victim machine.  Netcat may or 
may not be in use on the victim machine, but that's not really my point; 
I'm wondering what is sending back the error message here (and it isn't 
netcat, I've grepped the source).

2) The first time I connected, I hit 'return', at which point whatever 
is listening printed "<\n> Unrecognized command or Invalid argument 
received" where \n was an actual CRLF.

3) The second time I connected, I typed 'helo' and hit 'return', at 
which point whatever is listening printed "<helo> Unrecognized..."

4) 'helo' is SMTP, but that was just what I used to probe, on the off 
chance this might be a spam relay.  It should not be interpreted as 
meaning anything in identifying the listener.

5) My point is, there's something there that spits back "<CMD> 
Unrecognized command or Invalid argument received" when it gets input it 
doesn't recognize.  Google doesn't show anything for that string, which 
makes it likely (to my mind) that it is some sort of backdoor that isn't 
widely available.  I'm curious if anyone has run across something that 
spits this string out, that's all.

6) Again, I don't have physical access, so a standard forensic 
investigation is unlikely.  Thus my asking.

-- 
         gowen -- Greg Owen -- gowen-incidentsat_private
         GCFA, GCIH, GCWN
         79A7 4063 96B6 9974 86CA  3BEF 521C 860F 5A93 D66D

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------

Next message: Dowling, Gabrielle: "RE: Sobig.F style email with no attachments"
Previous message: Rob Shein: "RE: Increasing ICMP Echo Requests"
In reply to: Greg Owen: "Can anyone identify this possible backdoor?"
Next in thread: Schmehl, Paul L: "RE: Can anyone identify this possible backdoor?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:12:55 PDT