RE: forcdos.exe = serv-u....

From: Ross Lettau (r.lettau_at_uws.edu.au)
Date: 12/10/03

  • Next message: Dano: "Strange services.exe file"
    To: <craig@broadband-computers.com>, <forensics@securityfocus.com>, <incidents@securityfocus.com>
    Date: Wed, 10 Dec 2003 10:22:57 +1100
    
    

    Hi Craig,

    Another point to make: when you showed the directory listing, did you
    see that the files you mentioned had roughly the same time/date stamp?

    e.g.

    08/12/2003 15:36 3,140 Rhododenron.bmp
    08/12/2003 15:37 913 Santa Fe Stucco.bmp

    I had one case recently where the hackers used a rootkit; the reason I
    knew this was that the files/directories were created at the same
    date/time.

    If you ever have a case like this again, it can sometimes help to search
    with Windows search for files that were created/modified at the same
    date/time. I have previously picked up a lot more information (log
    files, chats) using this method....

    Just a suggestion.

    ____________________________________________

    Ross Lettau

    IT Security Administrator
    Information Technology Directorate
    University of Western Sydney

    Email : r.lettau@uws.edu.au

    -----Original Message-----
    From: Craig Broad [mailto:craig@broadband-computers.com]
    Sent: Tuesday, 9 December 2003 8:57 AM
    To: forensics@securityfocus.com; incidents@securityfocus.com
    Subject: forcdos.exe = serv-u....

    Hi All,

    Many thanks for all who responded!!

    The files have now been accessed and removed.

    In the end, knowing the path, we set up an FTP server on the box, with
    the root directory one level up from the com1 directory. Only one file
    was visible, which was Santa Fe Stucco.bmp. Knowing there was at least
    one called forcdos.exe, this too was pulled, as was another called
    Rhododenron.bmp (note spelling). The Santa... file turned out to be a
    Serv-U log file, which produced the names of 2 DLL files;
    Rhododenron.bmp turned out to be a Serv-U .ini file, which gave the
    warez group responsible, it defaulted to the 2 given ports (in
    Rhododenron.bmp/serv-u/.ini), and gave a user list.

    The files' base itself was in the old friend, the recycler bin.

    Also, a second method to retrieve the files (cheers Axel) I later found
    out was to simply use CMD! cd straight into the directory under the
    com1 dir, and if needed attrib -h and copy to another directory. (Easy
    when you know how, hi.)

    File directory output:

    08/12/2003 21:51 <DIR> .
    08/12/2003 21:51 <DIR> ..
    27/10/2003 00:43 91 beldir.dll
    27/10/2003 00:43 772 belsnof.vxd
    27/10/2003 00:43 1,709 belsnon.vxd
    27/10/2003 00:43 24,096 crc.exe
    27/10/2003 00:44 35,840 kill.exe
    27/10/2003 00:45 675,840 libeay32.dll
    27/10/2003 00:45 34,304 pulist.exe
    27/10/2003 00:45 316 reg.reg
    08/12/2003 15:36 3,140 Rhododenron.bmp
    08/12/2003 15:37 913 Santa Fe Stucco.bmp
    27/10/2003 00:45 151,552 ssleay32.dll
    27/10/2003 00:45 36,864 tzolibr.dll
    27/10/2003 00:45 32,768 uptime.exe
    27/10/2003 00:45 50,688 vasrtc.dll
    27/10/2003 00:45 99 vasrtc.ini
    27/10/2003 00:45 57,856 vbsrtc.dll
    27/10/2003 00:45 105 vbsrtc.ini
                  18 File(s) 1,106,953 bytes

    anyhow.......

    Again, many thanks to all who helped.

    All files are available upon request.

    -----------
    Craig Broad
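
    Ross's tip above (search for files created or modified at the same
    date/time as the ones you already found) can be scripted. What follows
    is an added example, not code from either poster or from the list. It
    parses the dir output Craig posted, clusters entries whose timestamps
    fall within a 5-minute window (the 27/10/2003 00:43-00:45 drop and the
    08/12/2003 15:36-15:37 .bmp pair fall out as two separate groups), and
    walks a directory tree for files whose modification time is close to a
    pivot time, which is the scripted equivalent of the Windows search Ross
    describes. The scratch directory and its timestamps in
    demo_window_search are constructed for the demo; only the filenames are
    taken from the listing. The 5-minute window and the parse format
    (dd/mm/yyyy, as in the posted listing) are assumptions.

```python
"""Group files by timestamp to find artifacts that were dropped together.

Added example (not from the original thread). It scripts the tip in the
reply above: parse a `dir` listing, cluster entries whose timestamps fall
within a window, and walk a live tree for files modified near a pivot time.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta

# The dir output posted in the thread, used here as sample input.
LISTING = """\
08/12/2003 21:51 <DIR> .
08/12/2003 21:51 <DIR> ..
27/10/2003 00:43 91 beldir.dll
27/10/2003 00:43 772 belsnof.vxd
27/10/2003 00:43 1,709 belsnon.vxd
27/10/2003 00:43 24,096 crc.exe
27/10/2003 00:44 35,840 kill.exe
27/10/2003 00:45 675,840 libeay32.dll
27/10/2003 00:45 34,304 pulist.exe
27/10/2003 00:45 316 reg.reg
08/12/2003 15:36 3,140 Rhododenron.bmp
08/12/2003 15:37 913 Santa Fe Stucco.bmp
27/10/2003 00:45 151,552 ssleay32.dll
27/10/2003 00:45 36,864 tzolibr.dll
27/10/2003 00:45 32,768 uptime.exe
27/10/2003 00:45 50,688 vasrtc.dll
27/10/2003 00:45 99 vasrtc.ini
27/10/2003 00:45 57,856 vbsrtc.dll
27/10/2003 00:45 105 vbsrtc.ini
              18 File(s) 1,106,953 bytes
"""

# date, time, then either <DIR> or a (comma-grouped) size, then the name
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+(?:<DIR>|([\d,]+))\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Return (timestamp, size, name) per file line; skip <DIR> and summary lines."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m.group(3) is None:
            continue
        # assumption: dd/mm/yyyy, as in the posted listing
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%m/%Y %H:%M")
        entries.append((ts, int(m.group(3).replace(",", "")), m.group(4)))
    return entries


def cluster_by_time(entries, window=timedelta(minutes=5)):
    """Sort by timestamp; open a new cluster whenever the gap to the previous entry exceeds `window`."""
    clusters = []
    for entry in sorted(entries):
        if clusters and entry[0] - clusters[-1][-1][0] <= window:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


def files_modified_near(root, pivot, window=timedelta(minutes=5)):
    """Walk `root` and return paths whose mtime is within `window` of `pivot`.

    On Windows, os.stat().st_ctime is the creation time if that is the stamp you want.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if abs(mtime - pivot) <= window:
                hits.append(path)
    return sorted(hits)


def demo_clusters():
    """Cluster the posted listing; returns one list of filenames per cluster."""
    return [[name for _, _, name in c] for c in cluster_by_time(parse_dir_listing(LISTING))]


def demo_window_search():
    """Build a scratch tree with constructed mtimes and search around the .bmp drop time."""
    pivot = datetime(2003, 12, 8, 15, 36)
    stamps = {  # constructed: two files at the pivot, one from the earlier drop
        "Rhododenron.bmp": pivot,
        "Santa Fe Stucco.bmp": pivot + timedelta(minutes=1),
        "kill.exe": datetime(2003, 10, 27, 0, 44),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, ts in stamps.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.utime(path, (ts.timestamp(), ts.timestamp()))
        return [os.path.basename(p) for p in files_modified_near(root, pivot)]


if __name__ == "__main__":
    for names in demo_clusters():
        print(len(names), "files:", ", ".join(names))
    print("near 08/12/2003 15:36:", demo_window_search())
```

    Run it as a script to see the two clusters and the window hits. Against
    a real image, point files_modified_near at the mounted volume and use
    the timestamp of a known-bad file as the pivot; widen the window if the
    drop was done by hand rather than by an installer.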

