Re: Can anyone identify this backdoor?
From: shawn merdinger (shawnmer@io.com) Date: 07/11/02
- Previous message: David Jacoby: "Re: Can anyone identify this backdoor?"
- In reply to: Matt Andreko: "Can anyone identify this backdoor?"
- Next in thread: Erick Arturo Perez Huemer: "RE: Can anyone identify this backdoor?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Jul 2002 03:06:51 -0500 (CDT)
From: shawn merdinger <shawnmer@io.com>
To: Matt Andreko <mandreko@ori.net>
Running strings on the file shows some interesting stuff:
1. Executables:
recycler\iissrvs.exe
recycler\nc.exe
info.exe
recycler\CMD.EXE
recycler\hk.exe
recycler\JAsfv.exe
recycler\tlist.exe
2. Files:
recycler\Localstart.cnf
recycler\iisl.dll
recycler\JAsfv.ini
recycler\JAsfv.dll
3. Commands?:
recycler\iis.dll- [ Espace Libre: %Dfree Mo ] - [ BP: %ServerKBps Kb/sec ]
Also, how were you able to conduct analysis on this executable? What
tools did you use? Do you have any resource suggestions for learning how
to do this type of analysis?
Thanks,
-scm
MA:Matt Andreko
MA>Apparently over the holiday, one of my client's machines was broken
MA>into. It was running Windows 2000 Pro, with IIS installed (webserver
MA>only, no ftp, smtp...) Apparently the attacker got in through this. The
MA>logs show some Unicode in the requests, so I'd bet that's it.
MA>
MA>A file was deposited in the c:\winnt\system32\ folder named "cc.exe". I
MA>have studied it a little bit, and it seems quite interesting. It's
MA>actually a winrar self-executable file. Inside contains what I believe
MA>a stripped down copy of serv-u ftp server, messages for that server, and
MA>some other interesting tools. There's a cmd.exe file, which doesn't
MA>match the size of the one in c:\winnt\system32, so it could be
MA>backdoored.
MA>
MA>I was basically wondering if anyone had seen anything like it, or could
MA>identify it. I have put a copy up temporarily on my webserver at
MA>http://www.criminalsmostly.com/~mandreko/cc.zip
MA>
MA>----------------------------------------------------------------------------
MA>This list is provided by the SecurityFocus ARIS analyzer service.
MA>For more information on this free incident handling, management
MA>and tracking system please see: http://aris.securityfocus.com
MA>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
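As an added example that is not part of the original thread or of any poster's own tooling, the script below reproduces the `strings` pass described in the reply above and sorts the hits into the executable / library / config buckets the reply used. It scans both 7-bit ASCII runs and UTF-16LE runs, which a plain `strings` invocation (without an encoding flag) would miss on a Windows binary. The `SAMPLE` bytes are constructed and only reuse file names quoted in the thread; the path regex and the extension-to-bucket table are the example's own assumptions, not a reference for what the dropper contained.

```python
"""Minimal `strings` triage for a suspicious Windows binary (added example)."""
import re
import sys
from collections import defaultdict

MIN_LEN = 4  # same default minimum run length as the strings tool

# printable ASCII runs of MIN_LEN or more bytes
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# the same text stored as UTF-16LE: each printable byte followed by a NUL
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# path-like token ending in an extension we care about (assumed list)
PATH_RE = re.compile(
    r"(?:[A-Za-z]:\\)?(?:[\w$~.-]+\\)*[\w$~.-]+\.(exe|com|dll|ini|cnf)\b",
    re.IGNORECASE,
)
BUCKETS = {
    "exe": "executables", "com": "executables",
    "dll": "libraries",
    "ini": "config", "cnf": "config",
}


def extract_strings(data: bytes):
    """Return (offset, encoding, text) for every printable run, by offset."""
    hits = []
    for m in ASCII_RUN.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    hits.sort()
    return hits


def classify(hits):
    """Group unique path-like tokens found inside the strings by extension."""
    buckets = defaultdict(set)
    for _, _, text in hits:
        for m in PATH_RE.finditer(text):
            buckets[BUCKETS[m.group(1).lower()]].add(m.group(0))
    return {name: sorted(paths) for name, paths in buckets.items()}


# Constructed sample: a fake MZ header, a few names quoted in the thread,
# one too-short run, and one name stored as UTF-16LE.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"recycler\\nc.exe\x00"
    + b"recycler\\iisl.dll\x00"
    + b"ab\x00\x00"
    + "info.exe".encode("utf-16le") + b"\x00\x00"
    + b"recycler\\iis.dll- [ Espace Libre: %Dfree Mo ]\x00"
    + b"recycler\\JAsfv.ini\x00"
)


def report(data: bytes) -> str:
    """Human-readable summary: each string with offset, then the buckets."""
    hits = extract_strings(data)
    lines = [f"{off:08x} [{enc}] {text}" for off, enc, text in hits]
    for name, paths in classify(hits).items():
        lines.append(f"{name}:")
        lines.extend(f"  {p}" for p in paths)
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: strings_triage.py [file]; with no argument the sample is used
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(report(blob))
```

Running it on a real dropper gives the same kind of listing the reply pasted, with the added benefit that UTF-16LE names (common in PE resources and version info) are not silently dropped; the extension buckets are a starting point for triage, not a verdict on what any file does.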