Subject: Re: interesting file in NT server
From: Shadow Boxer (shadoze FREEWWWEB.COM)
Date: Wed May 24 2000 - 11:04:42 CDT
- In reply to: Volney Lustosa: "interesting file in NT server"
Volney Lustosa wrote:
> Hi friends,
>
> I am a Brazilian trainee and I work in a university. Recently the system
> administrator found a suspect file in the temp directory of an NT server
> machine. It is an exe file that shuts down and restarts the server when
> executed.
> Does anyone know how it could be there? Is it a file created by some
> Microsoft program?
>
> For the courageous, I am sending a copy of the file.
>
> ______________________
> ----------------------
> Volney Gadelha Lustosa
> vlustosa tba.com.br
> ______________________
> ----------------------
>
> /"\
> \ / Campanha da fita ASCII - contra mail html
> X ASCII ribbon campaign - against html mail
> / \
>
> ------------------------------------------------------------------------
> Name: Gl_31.exe
> Gl_31.exe Type: unspecified type (application/octet-stream)
> Encoding: base64
I don't know of any program that would create a file like this. When you
say it shuts down and restarts the server, do you mean it restarts IIS? Or
the entire system? If you mean IIS, this could (possibly) be a program put
there by a CGI hacker to help cover his tracks. If access was gained to your
system through CGI, the IIS logfiles would be impossible to delete, because
they are in use by the server. The only two ways that I can think of off the
top of my head are to either shut down the server momentarily, or to change
the date of the system and then change it back. Yes, I am jumping to
conclusions rather quickly, but I thought I'd volunteer my (limited)
knowledge of NT.
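
Added example, not part of the original message: a defender-side check for the two conditions the reply names (a momentary server stop and a system date change), run over an IIS log. It assumes W3C Extended logging with the `date` and `time` fields enabled and relies on IIS writing a fresh `#Date:` header each time the logging service starts; the sample log, the function name `audit_log` and the one-hour gap threshold are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in W3C Extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-05-20 00:00:12
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-05-20 00:00:12 10.0.0.5 GET /default.htm 200
2000-05-20 00:04:40 10.0.0.7 GET /scripts/test.pl 200
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-05-20 03:15:02
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-05-20 03:15:02 10.0.0.5 GET /default.htm 200
2000-05-19 23:59:30 10.0.0.9 GET /images/logo.gif 200
"""

def audit_log(text, max_gap=timedelta(hours=1)):
    """Return (line number, kind, detail) for restarts, gaps and clock rollbacks."""
    findings, fields, prev, headers_seen = [], [], None, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Date:"):
            headers_seen += 1
            if headers_seen > 1:  # the first header just opens the file
                findings.append((lineno, "restart", line[6:].strip()))
        elif line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            try:
                ts = datetime.strptime(row["date"] + " " + row["time"],
                                       "%Y-%m-%d %H:%M:%S")
            except (KeyError, ValueError):
                findings.append((lineno, "unparsable", line))
                continue
            if prev and ts < prev:  # entry older than its predecessor
                findings.append((lineno, "clock_rollback", str(ts)))
            elif prev and ts - prev > max_gap:  # unusually long silence
                findings.append((lineno, "gap", str(ts - prev)))
            prev = ts
    return findings

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Restarts and quiet periods also occur during normal operation, so each finding is a lead to correlate with the NT event log rather than proof of tampering.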