From: shawn merdinger (shawnmer_at_io.com)
Date: Thu Jul 11 2002 - 03:06:51 CDT

    Running strings on the file shows some interesting stuff:
    1. Executables:

    recycler\iissrvs.exe
    recycler\nc.exe
    info.exe
    recycler\CMD.EXE
    recycler\hk.exe
    recycler\JAsfv.exe
    recycler\tlist.exe

    2. Files:

    recycler\Localstart.cnf
    recycler\iisl.dll
    recycler\JAsfv.ini
    recycler\JAsfv.dll

    3. Commands?:

    recycler\iis.dll- [ Espace Libre: %Dfree Mo ] - [ BP: %ServerKBps Kb/sec ]

    Also, how were you able to conduct analysis on this executable? What
    tools did you use? Do you have any resource suggestions for learning how
    to do this type of analysis?

    Thanks,

    -scm

    MA:Matt Andreko

    MA>Apparently over the holiday, one of my client's machines was broken
    MA>into. It was running Windows 2000 Pro, with IIS installed (webserver
    MA>only, no ftp,smtp..) Apparently the attacker got in through this. The
    MA>logs show some Unicode in the requests, so I'd bet that's it.
    MA>
    MA>A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I
    MA>have studied it a little bit, and it seems quite interesting. It's
    MA>actually a winrar self-executable file. Inside contains what I believe
    MA>a stripped down copy of serv-u ftp server, messages for that server, and
    MA>some other interesting tools. There's a cmd.exe file, which doesn't
    MA>match the size of the one in c:\winnt\system32, so it could be
    MA>backdoored.
    MA>
    MA>I was basically wondering if anyone had seen anything like it, or could
    MA>identify it. I have put a copy up temporarily on my webserver at
    MA>http://www.criminalsmostly.com/~mandreko/cc.zip
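Shawn asks which tools produced the listing above. As an added example (not code from anyone in this thread), the following Python script is a minimal equivalent of the `strings` pass he describes: it pulls printable ASCII and UTF-16LE runs out of a Windows binary and groups the ones that contain tool names seen in the cc.exe listing (nc.exe, cmd.exe, tlist.exe, hk.exe, iissrvs.exe, serv-u). The sample buffer `SAMPLE` is constructed for illustration; the indicator list is an assumption drawn from the thread, not a complete signature.

```python
import re
import sys
from typing import Dict, List, Tuple

# Tool names quoted from the strings output in this thread (assumed indicators).
TOOL_INDICATORS = ("nc.exe", "cmd.exe", "tlist.exe", "hk.exe", "iissrvs.exe", "serv-u")

# Printable ASCII runs, and UTF-16LE runs (printable byte followed by NUL),
# which is how many strings inside Win32 PE files are stored.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return ASCII and UTF-16LE strings of at least min_len characters,
    ordered by file offset (roughly `strings -a` plus `strings -el`)."""
    found: List[Tuple[int, str]] = []
    for m in ASCII_RE.finditer(data):
        s = m.group().decode("ascii")
        if len(s) >= min_len:
            found.append((m.start(), s))
    for m in UTF16_RE.finditer(data):
        s = m.group().decode("utf-16le")
        if len(s) >= min_len:
            found.append((m.start(), s))
    found.sort()
    return [s for _, s in found]


def triage(strings: List[str]) -> Dict[str, List[str]]:
    """Group extracted strings by the indicator they contain (case-insensitive)."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        low = s.lower()
        for ind in TOOL_INDICATORS:
            if ind in low:
                hits.setdefault(ind, []).append(s)
    return hits


# Constructed sample: an MZ-like header, an ASCII path, a UTF-16LE path with BOM,
# some non-printable bytes, and the French banner string from the thread.
SAMPLE = (b"\x00\x01MZ\x90\x00" + b"recycler\\nc.exe\x00"
          + b"\xff\xfe" + "recycler\\CMD.EXE".encode("utf-16le") + b"\x00\x00"
          + b"info.exe\x00" + b"\x7f\x80\x81" + b"[ Espace Libre: %Dfree Mo ]\x00")

if __name__ == "__main__":
    # Usage: python strings_triage.py <file>; with no argument, scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for ind, matches in triage(extract_strings(data)).items():
        print(f"{ind}: {matches}")
```

Run it against the unpacked archive contents rather than the self-extracting stub itself, since strings from the inner files are only visible once extracted.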

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com