('binary' encoding is not supported, stored as-is) Several weeks ago I left a msg about a compromise of a Win2K Advanced
Server system. The system was attacked by Chinese (and other) attackers.
I've written up a document on this incident and include links to some of
the tools that were found on the server.

The documents can be found at the Netw3 Security Research web site at
http://www.netw3.com. The most recent HTML document in the reading room is
what you will want to view, as it has links to the attacker tools that
were found, or you can view the document directly at
http://www.netw3.com/documents/win2k_attack_chinese.htm

PipeCmdSrv.exe was found on the system, which is the server side component
of PipeCmd.exe, which runs with NtCmd.exe on the attacking client.
PipeCmd.exe comes in the Fluxay attack toolkit (which has also been called
an auto-rooter), but PipeCmdSrv.exe does not appear to be publicly
available from what I have seen so far. A translated link from a Chinese
hacker web site is included in the report that discusses the use of the
PipeCmd.exe and PipeCmdSrv.exe tools. I was somewhat suprised to find no
reference to these tools on the usual array of security sites
(packetstorm, etc.) but I suppose one can't account for everything out
there.

Antivirus companies and other malware detectors may want to obtain the
PipeCmd tools from the Netw3.com site and generate product signatures.

Curt Wilson
Netw3 Security Research
netw3netw3.com (my normal mailbox at premis.lod.com appears to be down)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]