|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Trojan found...
From: Les Ault (aultl
comcast.net)
Date: Tue Apr 15 2003 - 19:24:49 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Whilst patching my webserver this morning I found the following files in the root directory of my webserver.
Has anyone seen this trojan before? I have done some googling and checked the securityfocus website with no luck.
It appears to use the unicode IIS exploit. I only got hit because I just re-installed IIS yesterday :), needless to say the
trojan did not execute as I have done some very basic checking and no registry keys have been created and the folder the trojan installed to was never created. I found it approximately 30 minutes after it was downloaded, according to the file time stamp.
C:\test.scr
C:\tests.scr
C:\tesst.scr
C:\sysnet32.exe
All of the .scr files are FTP command files, i.e. contain a ftp server address , username, password, and command to download a file.
I have the downloaded file, (sysnet32.exe), but it was never executed. It is a self-extracting rar file. I say it has never executed because contained
in the rar file is a .reg file that adds the trojan to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key and that key is empty.
The folder that that registry entry points to does not exist either. Also contained in the rar file is a txt file that lists users and which groups to add them to, none of these users exist on the system. Server is currently running fully patched Win2k Advanced Server with IIS 5.0 (patched now...).
If anyone has had experience with this trojan of knows where I can find info on it I would be greatful.
Les Ault
aultlcomcast.net
2003-04-15
----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]