Re: Can anyone identify this backdoor?
From: David Jacoby (dj@outpost24.com) Date: 07/11/02
- Previous message: Jhon Q Doe: "Re: Can anyone identify this backdoor?"
- In reply to: Matt Andreko: "Can anyone identify this backdoor?"
- Next in thread: Ryan Russell: "Re: Can anyone identify this backdoor?"
- Next in thread: Matt Andreko: "RE: Can anyone identify this backdoor?"
- Reply: Ryan Russell: "Re: Can anyone identify this backdoor?"
Date: Thu, 11 Jul 2002 12:26:18 +0200
From: David Jacoby <dj@outpost24.com>
To: "Matt Andreko" <mandreko@ori.net>
Hi!
I've been checking the files you gave me, and it is probably now a known backdoor. I think
it's a little nifty package some kiddie hacker compiled.
The following files are:
cc.zip = This is the backdoor, packed with RAR I think. This file will extract the
following files into c:\RECYCLER\ and install the backdoor.
hk.exe = NT exploit. This program will let you execute commands with the access of
the system. It's a spoofed LPC port request vulnerability. Read more here:
http://ciac.llnl.gov/ciac/bulletins/k-019.shtml.
CMD.exe = Command Prompt.
IISsrvs.exe = This is the Serv-U FTP daemon. It will read its configuration from the
localstart.cnf file. It will start the daemon on port 1664. There is
one user added on the daemon and the login is "juliana", but I haven't been
able to crack the password. The user got full READ/WRITE/DELETE/EXECUTE
access to all the drives from C: D: E: F: G: H:. But somehow, after a while
of checking this file, the Serv-U daemon changed port to 43958.
IIS.dll = Don't know (Probably some DLL used for starting the Serv-U via IIS services).
The IISsrvs.exe uses this file. The configuration script for the IISsrvs.exe contains
the following string: "SignOn = C:\recycler\iisl.dll"
IISL.dll = Don't know (Probably some DLL used for starting the Serv-U via IIS services).
JAsfv.dll = DLL used for the SFV checker.
JAsfv.exe = An SFV checker.
JAsfv.ini = Configuration script for the SFV checker.
localstart.cnf = Configuration file for IISsrvs.exe.
nc.exe = NetCat, a file piping utility. You can bind programs to ports and a lot more.
This is the real backdoor, I think. I think this will bind cmd.exe to a specific
port somehow. But I made a portscan and just found the port 1664 open.
networketer.dll = Don't know.
PSkill.exe = This program will let the attacker/hacker/cracker kill
processes running on the victim computer. Both local and remote.
ServuStartUpLog.txt = This is a log file from the IISsrvs.exe. It will get the IP of
the machine, and tell the hacker/cracker/attacker that the service
is up and running.
Tlist.exe = This program will let the attacker/hacker/cracker list processes
running on the victim computer from a command prompt.
I hope this information will help you.
Best regards
David Jacoby
Chief Hacker
Outpost24
http://www.outpost24.com
dj@outpost24.com
On Wed, 10 Jul 2002 16:58:06 -0500
"Matt Andreko" <mandreko@ori.net> wrote:
>Apparently over the holiday, one of my client's machines was broken
>into. It was running Windows 2000 Pro, with IIS installed (webserver
>only, no ftp,smtp..) Apparently the attacker got in through this. The
>logs show some Unicode in the requests, so I'd bet that's it.
>A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I
>have studied it a little bit, and it seems quite interesting. It's
>actually a winrar self-executable file. Inside contains what I believe
>a stripped down copy of serv-u ftp server, messages for that server, and
>some other interesting tools. There's a cmd.exe file, which doesn't
>match the size of the one in c:\winnt\system32, so it could be
>backdoored.
>I was basically wondering if anyone had seen anything like it, or could
>identify it. I have put a copy up temporarily on my webserver at
>http://www.criminalsmostly.com/~mandreko/cc.zip
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
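A defender-side triage script for the kind of Serv-U configuration described in the message above, added here as an example and not part of the thread: it parses an INI-style config and flags the SignOn DLL path under RECYCLER, the two listening ports David observed, and any user granted read/write/delete/execute on every drive. The section layout, key names and permission letters in the constructed sample are assumptions of this example, not the contents of the real localstart.cnf.

```python
# Constructed sample modelled on an INI-style Serv-U config: only port 1664, the
# user "juliana" and the SignOn path come from the thread; the section names and
# the permission letters R/W/D/E (read/write/delete/execute) are this example's
# assumption, not the layout of the real dropped localstart.cnf.
SAMPLE_CNF = """\
[GLOBAL]
SignOn = C:\\recycler\\iisl.dll
[DOMAIN1]
PortNo=1664
[USER=juliana|1]
HomeDir=C:\\
Access1=C:\\|RWDE
Access2=D:\\|RWDE
Access3=E:\\|RWDE
"""
SUSPECT_PORTS = {1664, 43958}  # the two Serv-U ports observed in the thread
FULL_RIGHTS = set("RWDE")      # read/write/delete/execute, per the email

def parse_ini(text):
    """Tiny INI reader: {section: [(key, value), ...]}, duplicate keys kept."""
    out, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            out.setdefault(cur, [])
        elif "=" in line and cur is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            out[cur].append((k, v))
    return out

def triage(cnf_text):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for sect, pairs in parse_ini(cnf_text).items():
        drives = set()
        for k, v in pairs:
            kl = k.lower()
            if kl == "signon" and v.lower().startswith("c:\\recycler\\"):
                findings.append(f"SignOn loads a DLL from RECYCLER: {v}")
            elif kl == "portno" and v.isdigit() and int(v) in SUSPECT_PORTS:
                findings.append(f"FTP daemon bound to suspect port {v}")
            elif sect.upper().startswith("USER=") and kl.startswith("access"):
                drive, _, perms = v.partition("|")
                if FULL_RIGHTS <= set(perms.upper()):
                    drives.add(drive[:2].upper())
        if drives:
            findings.append(f"{sect} has full rights on {len(drives)} drive(s)")
    return findings
```

Run `triage(SAMPLE_CNF)` to see the three findings for the constructed sample; a clean config yields an empty list.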