Re: Can anyone identify this possible backdoor?
From: Greg Owen (gowen-incidents_at_swynwyr.com)
Date: 08/24/03
- Previous message: Pete Phillips: "Re: Sobig.F style email with no attachments"
- In reply to: Greg Owen: "Can anyone identify this possible backdoor?"
- Next in thread: Schmehl, Paul L: "RE: Can anyone identify this possible backdoor?"
Date: Sat, 23 Aug 2003 20:51:05 -0400
To: incidents@securityfocus.com
Greg Owen wrote:
> Investigating a machine which is spewing SoBig.F and may be compromised,
> I'm seeing the following response on port 2001/tcp:
>
> % nc 192.168.5.89 2001
>
> <
> > Unrecognized command or Invalid argument received
> % nc 192.168.5.89 2001
> helo
> <helo> Unrecognized command or Invalid argument received
> %
Sorry, I should have been a bit more explicit.
1) The command line above 'nc 192.168.5.89 2001' is me investigating,
not anything running on or printed by the victim machine. Netcat may or
may not be in use on the victim machine, but that's not really my point;
I'm wondering what is sending back the error message here (and it isn't
netcat, I've grepped the source).
2) The first time I connected, I hit 'return', at which point whatever
is listening printed "<\n> Unrecognized command or Invalid argument
received" where \n was an actual CRLF.
3) The second time I connected, I typed 'helo' and hit 'return', at
which point whatever is listening printed "<helo> Unrecognized..."
4) 'helo' is SMTP, but that was just what I used to probe, on the off
chance this might be a spam relay. It should not be interpreted as
meaning anything in identifying the listener.
5) My point is, there's something there that spits back "<CMD>
Unrecognized command or Invalid argument received" when it gets input it
doesn't recognize. Google doesn't show anything for that string, which
makes it likely (to my mind) that it is some sort of backdoor that isn't
widely available. I'm curious if anyone has run across something that
spits this string out, that's all.
6) Again, I don't have physical access, so a standard forensic
investigation is unlikely. Thus my asking.
--
gowen -- Greg Owen -- gowen-incidents@swynwyr.com
GCFA, GCIH, GCWN
79A7 4063 96B6 9974 86CA 3BEF 521C 860F 5A93 D66D
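The probing described in the message above, as an added example that is not part of the original post or thread. The script repeats the two netcat exchanges programmatically (one connection per probe, read the reply, split it into the echoed part and the fixed error string) and adds a random marker probe to confirm that the listener echoes its input rather than printing a canned banner. The mock listener it runs against is a constructed assumption: it reproduces only the two observations in the post (a bare CRLF comes back as `<CRLF> ...`, a word as `<word> ...`) and says nothing else about the real service; the marker string `zq7-marker` is likewise invented here.

```python
"""Probe an unknown TCP listener the way the post describes and record
what it echoes back.

Added example, not code from the original post.  MockListener is a
constructed stand-in (an assumption): it reproduces only the two exchanges
the post reports and says nothing else about the real service.
"""
import socket
import socketserver
import threading

# The fixed part of the observed reply; the <...> part in front of it
# varied with the input, which is why it is handled separately below.
ERROR_SUFFIX = b"Unrecognized command or Invalid argument received"

# A token no real protocol accepts (invented here): if it comes back
# inside <...>, the listener is echoing input, not printing a banner.
MARKER = b"zq7-marker\r\n"
PROBES = [b"\r\n", b"helo\r\n", MARKER]


class MockListener(socketserver.StreamRequestHandler):
    """Constructed listener reproducing the post's two observations:
    a bare CRLF comes back as "<CRLF> ...", a word as "<word> ...".
    """

    def handle(self):
        line = self.rfile.readline()
        if not line:
            return
        cmd = line.rstrip(b"\r\n")
        echoed = line if cmd == b"" else cmd
        self.wfile.write(b"<" + echoed + b"> " + ERROR_SUFFIX + b"\r\n")


def start_mock(host="127.0.0.1", port=0):
    """Start the mock on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer((host, port), MockListener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def send_probe(host, port, payload, timeout=2.0):
    """One connection per probe, as with repeated nc runs; read until the
    peer closes or goes quiet, then return the raw reply bytes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # listener kept the connection open; use what we have
    return b"".join(chunks)


def parse_reply(reply):
    """Return the bytes between '<' and '> ERROR_SUFFIX', or None if the
    reply does not have that shape (then it is not this listener)."""
    marker = b"> " + ERROR_SUFFIX
    end = reply.find(marker)
    if not reply.startswith(b"<") or end < 0:
        return None
    return reply[1:end]


def fingerprint(host, port, probes=PROBES):
    """Send each probe and pair it with the text the listener echoed."""
    return [(p, parse_reply(send_probe(host, port, p))) for p in probes]


def echo_confirmed(results):
    """True when the random marker came back verbatim inside <...>."""
    return any(p == MARKER and echoed == MARKER.rstrip(b"\r\n")
               for p, echoed in results)


if __name__ == "__main__":
    srv, port = start_mock()
    results = fingerprint("127.0.0.1", port)
    for payload, echoed in results:
        print(f"{payload!r:>16} -> {echoed!r}")
    print("echoes input:", echo_confirmed(results))
    srv.shutdown()
    srv.server_close()
```

Against a real suspect host, point `fingerprint()` at it instead of the mock. Because the `<...>` prefix is just the probe reflected back, the stable search key is the fixed suffix, not the whole line; and on a machine you are still investigating, keep the probes benign and note their timestamps, since every connection you open will also appear in whatever the listener logs.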