incidents-help_at_securityfocus.com
Date: Sat Aug 03 2002 - 05:46:10 CDT
Hi! This is the ezmlm program. I'm managing the
incidents@securityfocus.com mailing list.
I'm working for my owner, who can be reached
at incidents-owner@securityfocus.com.
Messages to you from the incidents mailing list seem to
have been bouncing. I sent you a warning message, but it bounced.
I've attached a copy of the bounce message.
This is a probe to check whether your address is reachable. If this
probe bounces, I will remove your address from the
incidents@securityfocus.com mailing list, without further notice.
You can re-subscribe by sending a message to this address:
<incidents-subscribe@securityfocus.com>
--- Enclosed is a copy of the bounce message I received.
Return-Path: <>
Received: (qmail 9884 invoked from network); 22 Jul 2002 19:47:42 -0000
Received: from unknown (HELO securityfocus.com) (66.38.151.9)
by lists.securityfocus.com with SMTP; 22 Jul 2002 19:47:42 -0000
Received: (qmail 9457 invoked by alias); 22 Jul 2002 19:45:10 -0000
Received: (qmail 9440 invoked from network); 22 Jul 2002 19:45:08 -0000
by mail.securityfocus.com with SMTP; 22 Jul 2002 19:45:08 -0000
id 4F6E4180D0; Mon, 22 Jul 2002 14:53:35 -0500 (CDT)
Date: Mon, 22 Jul 2002 14:53:35 -0500 (CDT)
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
This is a MIME-encapsulated message.
Content-Description: Notification
Content-Type: text/plain
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the message returned below.
The Postfix program
/home/httpd/archives-mbox/current.mbox: error writing message: File too large
Content-Description: Delivery error report
Content-Type: message/delivery-status
Arrival-Date: Mon, 22 Jul 2002 14:53:34 -0500 (CDT)
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; cannot append message to destination file
/home/httpd/archives-mbox/current.mbox: error writing message: File too large
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
Received: (qmail 9782 invoked by alias); 22 Jul 2002 19:47:34 -0000
Mailing-List: contact incidents-help@securityfocus.com; run by ezmlm
Date: 22 Jul 2002 19:47:34 -0000
Message-ID: <1027367254.9758.ezmlm-warn@securityfocus.com>
From: incidents-help@securityfocus.com
Content-type: text/plain; charset=us-ascii
Subject: ezmlm warning
Hi! This is the ezmlm program. I'm managing the
incidents@securityfocus.com mailing list.
I'm working for my owner, who can be reached
at incidents-owner@securityfocus.com.
Messages to you from the incidents mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.
If this message bounces too, I will send you a probe. If the probe bounces,
I will remove your address from the incidents mailing list,
without further notice.
I've kept a list of which messages from the incidents mailing list have
bounced from your address.
Copies of these messages may be in the archive.
To retrieve a set of messages 123-145 (a maximum of 100 per request),
send an empty message to:
<incidents-get.123_145@securityfocus.com>
To receive a subject and author list for the last 100 or so messages,
send an empty message to:
<incidents-index@securityfocus.com>
Here are the message numbers:
3679
3690
3681
3686
3688
3689
3685
3692
3680
3691
3687
3684
3682
3683
3698
3694
3697
3693
3695
3696
3699
3700
3702
3701
3703
3704
3705
3706
3708
3707
3711
3709
3710
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3729
3728
3730
3732
3731
3733
3734
3735
3737
3736
3738
3739
3740
3741
3742
3743
3744
--- Enclosed is a copy of the bounce message I received.
Return-Path: <>
Received: (qmail 31734 invoked from network); 11 Jul 2002 00:18:42 -0000
Received: from unknown (HELO securityfocus.com) (66.38.151.9)
by lists.securityfocus.com with SMTP; 11 Jul 2002 00:18:42 -0000
Received: (qmail 13763 invoked by alias); 11 Jul 2002 00:15:05 -0000
Received: (qmail 13759 invoked from network); 11 Jul 2002 00:15:05 -0000
by mail.securityfocus.com with SMTP; 11 Jul 2002 00:15:05 -0000
id 5C51A17BFE; Wed, 10 Jul 2002 19:21:59 -0500 (CDT)
Date: Wed, 10 Jul 2002 19:21:59 -0500 (CDT)
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
This is a MIME-encapsulated message.
Content-Description: Notification
Content-Type: text/plain
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the message returned below.
The Postfix program
/home/httpd/archives-mbox/current.mbox: error writing message: File too large
Content-Description: Delivery error report
Content-Type: message/delivery-status
Arrival-Date: Wed, 10 Jul 2002 19:21:59 -0500 (CDT)
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; cannot append message to destination file
/home/httpd/archives-mbox/current.mbox: error writing message: File too large
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
by outgoing.securityfocus.com (Postfix) with QMQP
id DA140A3A47; Wed, 10 Jul 2002 16:46:50 -0600 (MDT)
Mailing-List: contact incidents-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <incidents.list-id.securityfocus.com>
List-Post: <mailto:incidents@securityfocus.com>
List-Help: <mailto:incidents-help@securityfocus.com>
List-Unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:incidents-subscribe@securityfocus.com>
Delivered-To: mailing list incidents@securityfocus.com
Delivered-To: moderator for incidents@securityfocus.com
Received: (qmail 25799 invoked from network); 10 Jul 2002 21:54:19 -0000
From: "Matt Andreko" <mandreko@ori.net>
To: <incidents@securityfocus.com>
Subject: Can anyone identify this backdoor?
Date: Wed, 10 Jul 2002 16:58:06 -0500
Message-ID: <026601c2285c$df572dd0$173625d8@ori.net>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Apparently over the holiday, one of my client's machines was broken
into. It was running Windows 2000 Pro, with IIS installed (webserver
only, no ftp, smtp...). Apparently the attacker got in through this. The
logs show some Unicode in the requests, so I'd bet that's it.

A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I
have studied it a little bit, and it seems quite interesting. It's
actually a WinRAR self-executable file. Inside is what I believe to be
a stripped-down copy of the Serv-U FTP server, messages for that server, and
some other interesting tools. There's a cmd.exe file, which doesn't
match the size of the one in c:\winnt\system32, so it could be
backdoored.

I was basically wondering if anyone had seen anything like it, or could
identify it. I have put a copy up temporarily on my webserver at
http://www.criminalsmostly.com/~mandreko/cc.zip
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
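The poster's one diagnostic clue is "some Unicode in the requests" in the IIS logs. The following is an added example, not code from the post or from SecurityFocus: a small Python scanner over constructed IIS-style log lines that shows why such requests get past a path check performed before the server's own decoding, and how a defender can flag them after the fact. It assumes the server decodes percent-escapes permissively (accepting overlong UTF-8 forms such as %c0%af as '/', and decoding a second time so %255c becomes a backslash); the log lines, client addresses and field layout are constructed for illustration.

```python
"""Flag encoded directory-traversal requests in IIS-style web logs.

Added example (not from the original post). A path check that runs on the
request as received sees "..<two odd bytes>.." and counts it as a file name;
the server then decodes the same bytes to '/' or '\\' and opens a path that
climbs out of the web root. The scanner decodes both ways and compares.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Constructed W3C-extended style log lines (not from the incident):
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2002-07-04 03:12:01 192.0.2.10 GET /default.htm - 200
2002-07-04 03:12:05 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-07-04 03:12:09 192.0.2.10 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
2002-07-04 03:13:44 192.0.2.11 GET /images/logo.gif - 200
2002-07-04 03:14:02 192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp 502
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$"
)


def lenient_utf8_decode(data: bytes) -> str:
    """Permissive UTF-8: overlong two- and three-byte forms, which a strict
    decoder rejects, are accepted (b'\\xc0\\xaf' -> '/', b'\\xc1\\x9c' ->
    backslash). Any other malformed byte becomes U+FFFD."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def strict_canonicalize(uri_stem: str) -> str:
    """What a pre-decoding check sees: one percent-decode, strict UTF-8."""
    return unquote_to_bytes(uri_stem).decode("utf-8", errors="replace").replace("\\", "/")


def canonicalize(uri_stem: str, passes: int = 2) -> str:
    """Approximate the path the server finally opens (assumed behaviour):
    up to `passes` percent-decodes, permissive UTF-8, backslashes -> '/'."""
    path = uri_stem
    for _ in range(passes):
        if "%" not in path:
            break
        path = lenient_utf8_decode(unquote_to_bytes(path))
    return path.replace("\\", "/")


def escapes_webroot(canonical_path: str) -> bool:
    """Walk the path segments; True if '..' ever climbs above the web root."""
    depth = 0
    for seg in canonical_path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_log(text: str) -> List[Dict]:
    """One finding per request whose decoded path escapes the web root.
    `evaded_strict_check` is True when the strictly decoded path looked
    harmless, i.e. the encoding itself did the work."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # header, comment or unparsable line
        decoded = canonicalize(m["stem"])
        if escapes_webroot(decoded):
            findings.append({
                "line": lineno,
                "client": m["ip"],
                "raw": m["stem"],
                "decoded": decoded,
                "status": int(m["status"]),
                "evaded_strict_check": not escapes_webroot(strict_canonicalize(m["stem"])),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['decoded']} "
              f"(HTTP {f['status']}, evaded strict check: {f['evaded_strict_check']})")
```

The point of carrying both canonical forms is the ordering lesson behind this class of bug: a check that runs before the final decode validates a different string than the one that is opened, so the mitigation is to canonicalize fully (all decode passes, then the segment walk) before deciding, and the detection is to do the same to the logged stem and compare. A 200 response on a flagged line, as in the sample, is what would justify treating the host as compromised rather than merely probed.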