From: Matt Andreko (mandreko_at_ori.net)
Date: Wed Jul 10 2002 - 16:58:06 CDT

    Apparently over the holiday, one of my client's machines was broken
    into. It was running Windows 2000 Pro with IIS installed (web server
    only; no FTP, SMTP, ...). Apparently the attacker got in through this. The
    logs show some Unicode in the requests, so I'd bet that's it.

    A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I
    have studied it a little bit, and it seems quite interesting. It's
    actually a WinRAR self-executable file. Inside it contains what I believe
    is a stripped-down copy of the Serv-U FTP server, messages for that server,
    and some other interesting tools. There's a cmd.exe file which doesn't
    match the size of the one in c:\winnt\system32, so it could be
    backdoored.

    I was basically wondering if anyone had seen anything like it, or could
    identify it. I have put a copy up temporarily on my webserver at
    http://www.criminalsmostly.com/~mandreko/cc.zip

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
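Added detection example, not from the original post or the list: a Python scan over IIS W3C log lines that percent-decodes each request path, flags the lead bytes 0xC0 and 0xC1 (never valid UTF-8, but accepted by IIS of that era as overlong encodings of '/' and '\'), and reports requests that only become a directory traversal or reach cmd.exe after decoding. SAMPLE_LOG, the #Fields layout and all function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed W3C-format IIS log lines (sample data, not taken from the post).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-04 03:12:58 192.0.2.10 GET /caf%c3%a9.html - 200
2002-07-04 03:13:01 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2002-07-04 03:13:07 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe - 200
2002-07-04 03:14:00 198.51.100.7 GET /images/logo.gif - 304
"""

# ".." plus either separator, matched on the DECODED path (IIS checked the raw path first).
TRAVERSAL = re.compile(r"\.\.[\\/]")
CMD_EXE = re.compile(r"cmd\.exe", re.IGNORECASE)

def lenient_decode(data: bytes) -> str:
    """Permissive two-byte UTF-8: a lead byte 0xC0..0xDF consumes the next byte and
    yields ((lead & 0x1F) << 6) | (next & 0x3F), so C0 AF -> '/' and C1 1C -> '\\'."""
    out, i = [], 0
    while i < len(data):
        if 0xC0 <= data[i] <= 0xDF and i + 1 < len(data):
            out.append(chr(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(data[i]))
            i += 1
    return "".join(out)

def analyse_request(uri_stem: str) -> dict:
    raw = unquote_to_bytes(uri_stem)          # what the server sees after percent-decoding
    decoded = lenient_decode(raw)
    return {
        "decoded": decoded,
        "overlong_utf8": any(b in (0xC0, 0xC1) for b in raw),  # never valid UTF-8 lead bytes
        "traversal": bool(TRAVERSAL.search(decoded)),
        "cmd_exe": bool(CMD_EXE.search(decoded)),
    }

def scan_iis_log(text: str) -> list:
    """Return (line_no, c-ip, decoded path, reasons) for every suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        result = analyse_request(fields[4])  # cs-uri-stem, per the #Fields header
        reasons = [k for k in ("overlong_utf8", "traversal", "cmd_exe") if result[k]]
        if reasons:
            hits.append((n, fields[2], result["decoded"], reasons))
    return hits
```

Run `scan_iis_log(SAMPLE_LOG)` to see the two encoded requests reported with their decoded paths while the legitimate UTF-8 request (`%c3%a9`) passes clean.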