Re: Can anyone identify this possible backdoor?

From: Angelz (angel_at_dgtalstudios.com)
Date: 08/27/03

  • Next message: Toh Hong Kuan: "RE: lots of sobig virus emails."
    To: "Andrew McKnight" <Andrew.McKnight@clg.co.uk>, "Greg Owen" <gowen-incidents@swynwyr.com>
    Date: Wed, 27 Aug 2003 01:33:31 +0100
    
    

--
strings CowServer.exe | grep -i "Invalid"

    EInvalidOp
    EInvalidPointertq@
    EInvalidCast
    EInvalidOperation
    EInvalidGraphic4,A
    EInvalidGraphicOperation
    InvalidateRect

    --
    CowServer.exe doesn't appear to show that string, unless a future/different
    version of "CowServer.exe" has it, so it's unlikely that "CowServer.exe" is
    the program running on the machine.
    > 6) Again, I don't have physical access, so a standard forensic
    > investigation is unlikely.  Thus my asking.
    Do you have any access at all? If so, run FPortNG from
    http://www.securityfocus.com/data/tools/FPortNG.zip to identify what's
    listening on that port.
    Regards,
    Angelz
    ----- Original Message -----
    From: "Andrew McKnight" <Andrew.McKnight@clg.co.uk>
    To: "Greg Owen" <gowen-incidents@swynwyr.com>
    Cc: <incidents@securityfocus.com>
    Sent: Tuesday, August 26, 2003 4:52 PM
    Subject: RE: Can anyone identify this possible backdoor?
    Googling for 2001 gives Trojan Cow
    http://www.seifried.org/security/ports/2000/2001.html
    There's a description of how to determine an installation here
    http://www.trojanforge.net/showthread/t-4652.html
    Andy McKnight
    IT Guy.
    -----Original Message-----
    From: Greg Owen [mailto:gowen-incidents@swynwyr.com]
    Sent: 24 August 2003 01:51
    To: incidents@securityfocus.com
    Subject: Re: Can anyone identify this possible backdoor?
    Greg Owen wrote:
    > Investigating a machine which is spewing SoBig.F and may be compromised,
    > I'm seeing the following response on port 2001/tcp:
    >
    > % nc 192.168.5.89 2001
    >
    > <
    > > Unrecognized command or Invalid argument received
    > % nc 192.168.5.89 2001
    > helo
    > <helo> Unrecognized command or Invalid argument received
    > %
    Sorry, I should have been a bit more explicit.
    1) The command line above 'nc 192.168.5.89 2001' is me investigating,
    not anything running on or printed by the victim machine.  Netcat may or
    may not be in use on the victim machine, but that's not really my point;
    I'm wondering what is sending back the error message here (and it isn't
    netcat, I've grepped the source).
    2) The first time I connected, I hit 'return', at which point whatever
    is listening printed "<\n> Unrecognized command or Invalid argument
    received" where \n was an actual CRLF.
    3) The second time I connected, I typed 'helo' and hit 'return', at
    which point whatever is listening printed "<helo> Unrecognized..."
    4) 'helo' is SMTP, but that was just what I used to probe, on the off
    chance this might be a spam relay.  It should not be interpreted as
    meaning anything in identifying the listener.
    5) My point is, there's something there that spits back "<CMD>
    Unrecognized command or Invalid argument received" when it gets input it
    doesn't recognize.  Google doesn't show anything for that string, which
    makes it likely (to my mind) that it is some sort of backdoor that isn't
    widely available.  I'm curious if anyone has run across something that
    spits this string out, that's all.
    6) Again, I don't have physical access, so a standard forensic
    investigation is unlikely.  Thus my asking.
    --
             gowen -- Greg Owen -- gowen-incidents@swynwyr.com
             GCFA, GCIH, GCWN
             79A7 4063 96B6 9974 86CA  3BEF 521C 860F 5A93 D66D
    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    technical IT security event.  Modeled after the famous Black Hat event in
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    Symantec is the Diamond sponsor.  Early-bird registration ends September
    6.Visit us: www.blackhat.com
    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------
    The information in this email is intended solely for the use of the
    individual or entity to whom it is addressed and may be legally
    privileged.  Access to this email by anyone else is unauthorised
    If you are not the intended recipient, any disclosure, copying,
    distribution or any action taken or omitted to be taken in reliance
    on it is prohibited and may be unlawful.  If you believe you
    have received this email in error please contact the
    sender.
    Any views expressed in this email do not necessarily represent
    those of Castle Leisure Group.
    Castle Leisure Group reserves the right to monitor and record
    e-mail messages sent to and from this address for the purposes
    of investigating or detecting any unauthorised use of its system
    and ensuring its effective operation.
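The two checks in this thread, Greg's netcat probes of port 2001 and Angelz's "strings | grep" over a candidate binary, as an added example that is not part of the original posts. It is Python written for this page, not anyone's code from the list. Because the real listener is unknown, the block includes a CONSTRUCTED mock that echoes the first token of its input in angle brackets (or the raw input when there is none), which is only a guess that happens to reproduce both observed replies, "<helo> ..." and "<CRLF> ...". The "CowServer.exe" byte blob is likewise constructed from the Delphi exception names in the strings output above.

```python
import re
import socket
import threading

# The exact text Greg saw on 192.168.5.89:2001 (taken from the thread).
OBSERVED_ERROR = "Unrecognized command or Invalid argument received"
# Reply shape "<CMD> <error>"; DOTALL because the echoed CMD may itself be a CRLF.
REPLY_RE = re.compile(r"^<(.*?)> " + re.escape(OBSERVED_ERROR), re.DOTALL)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal stand-in for `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def binary_contains(data: bytes, needle: str) -> bool:
    """Equivalent of `strings FILE | grep -i NEEDLE`, reduced to matched / not matched."""
    needle = needle.lower()
    return any(needle in s.lower() for s in extract_strings(data))


def classify_reply(reply: str) -> dict:
    """Does a banner fit the '<CMD> Unrecognized ...' pattern, and what CMD was echoed?"""
    m = REPLY_RE.match(reply)
    return {"matches": m is not None, "echoed": m.group(1) if m else None}


def probe(host: str, port: int, payload: bytes, timeout: float = 2.0) -> str:
    """What `nc host port` plus one typed line does: send it, read until EOF or timeout."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # a real listener may hold the connection open; keep what arrived
    return b"".join(chunks).decode("latin-1")


def fingerprint(host: str, port: int) -> dict:
    """Repeat Greg's two probes (bare CRLF, then 'helo') and classify each reply."""
    return {
        "empty": classify_reply(probe(host, port, b"\r\n")),
        "helo": classify_reply(probe(host, port, b"helo\r\n")),
    }


def mock_listener(srv: socket.socket, stop: threading.Event) -> None:
    """CONSTRUCTED stand-in for the unknown listener, NOT the real program.  Echoes the
    first whitespace-separated token in angle brackets, or the raw input when there is
    none, which reproduces both observations in the thread ('<helo>' and '<CRLF>')."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            raw = conn.recv(1024).decode("latin-1")
            tokens = raw.split()
            cmd = tokens[0] if tokens else raw
            conn.sendall(f"<{cmd}> {OBSERVED_ERROR}\r\n".encode("latin-1"))


def run_demo() -> tuple:
    """Start the mock on a loopback port, fingerprint it, then check a constructed
    'CowServer.exe' blob the way Angelz did with strings | grep."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(2)
    port = srv.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=mock_listener, args=(srv, stop), daemon=True)
    t.start()
    try:
        fp = fingerprint("127.0.0.1", port)
    finally:
        stop.set()
        t.join(2.0)
        srv.close()
    # Constructed blob: Delphi-style exception names like the real strings output,
    # but without the error text, so the grep for it should come back empty.
    fake_cowserver = b"MZ\x90\x00\x03EInvalidOp\x00EInvalidPointer\x00InvalidateRect\x00"
    return (fp,
            binary_contains(fake_cowserver, OBSERVED_ERROR),
            binary_contains(fake_cowserver, "Invalid"))


if __name__ == "__main__":
    fp, has_error, has_invalid = run_demo()
    for name, result in fp.items():
        print(name, result)
    print("stand-in CowServer contains observed error:", has_error)
    print("stand-in CowServer contains 'Invalid':", has_invalid)
```

Against a real host replace the mock with the target address and port; the read loop stops on EOF or the timeout, so a listener that never closes the connection still yields whatever banner it sent. The strings check is case-insensitive like `grep -i`, and a negative result means only that the string is absent from that build, which is exactly the caveat Angelz raises about other versions of CowServer.exe.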
    
