RE: forcdos.exe, msagent directory, DOS or warez??

From: Meidinger Chris
Date: 12/08/03

    Date: Mon, 8 Dec 2003 14:44:34 +0100

    Hi Craig,

    I'm not 100% sure why you can't get a copy of the file. Is it not your
    machine, or what is the exact problem? Can you start a process on the
    machine? Can you ftp the file to yourself? Or send it over a netcat tunnel?
    Explain the problem, and I'm sure some clever person will have an idea for

    As far as finding out what the file is, there are many possibilities. First
    thing I usually would do is to run strings on it, and then google for those
    strings. The other first thing to do is to take an md5 sum of the file, and
    search for it on packetstorm. They have an
    exploit/malware archive which you can also search by md5. Be sure to read up
    a bit on incident handling before you touch the box too much, assuming you
    want to document everything and keep it 'official.' Even if you are just
    checking it out for fun, it would still be a great exercise to practice IH.
    You would also probably find Kevin Mandia's book 'Incident Response' (I
    believe it's from McGraw Hill Press) very interesting. He explains very well
    how to preserve volatile data, and properly do a live response on a live

    If you have any more questions, don't hesitate to ask,

    Chris Meidinger

    -----Original Message-----
    From: Craig Broad
    Sent: Friday, December 05, 2003 12:53 AM
    Subject: forcdos.exe, msagent directory, DOS or warez??

    Hi all,

    On a box recently moved to a managed network rack (GX networks), over the
    last 2 weeks we have noticed strange behaviour. One of the boxes on the
    subnet has been maxing out the link's bandwidth; on further investigation,
    massive activity was found on ports 63501, 63502, 1734 and other high range
    ports. The behaviour was at least 8 hours of fully limiting output, and
    then up to 8 hours of normal level operation and then a return to full
    output. At least every 3 cycles, there would be an upload to the server at a
    limit of abt 512kbps.

    Using a sniffer (netprobe) the ports were identified, and using fport these
    were all linked to an executable called forcdos.exe. I have searched all
    search engines, and have seen not one single link, so I'm assuming it's
    something else renamed. The file has been placed in the
    C:\winnt\system32\msagent\local\com1\server directory. We are assuming at
    this time it has come in via some SQL exploit. It looks as if full backdoor
    access has been achieved. Due to the non-local nature of the box, and the
    com1 directory name, we have currently been unable to access the directory to
    retrieve the exe file.

    The box has been locked down with the Windows inbuilt firewall, locking all
    tcpip ports not needed. The exe is still running within the computer, but
    is currently unable to get out of the box.

    Firstly, does anyone have any advice on how to get to this exe file? I don't
    want to just posix rd it, as I want to see the file first, and secondly does
    anyone have any idea what this could be? DOS or Warez?

    Many thanks for any advice. If anyone can suggest how to get to the file,
    we will make it available for analysis.

    Craig Broad
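
The reply above recommends two first steps once a copy of the file is in hand: run strings on it and take an md5 sum, then search for both. The script below is an added example of that offline triage step; it is not code from either poster. It computes MD5 (what the archives of the time indexed), SHA-1 and SHA-256, and pulls out both plain ASCII strings and UTF-16LE strings, since Windows executables often carry paths and messages in the wide encoding that a plain `strings` run misses. The SAMPLE_BINARY bytes are constructed here as a stand-in for a retrieved file; they are not the real forcdos.exe, and the embedded path is simply the directory named in the original message.

```python
"""Offline triage of a suspicious binary: hashes plus printable strings.

Added example; not part of the original mailing-list thread. It follows
the 'run strings, take an md5 sum, then search for them' workflow from
the reply. SAMPLE_BINARY is constructed data, not real malware.
"""
import hashlib
import re
import sys
from typing import Dict, List

# Constructed stand-in for a small Windows binary: an MZ header fragment,
# binary noise, one ASCII string, one UTF-16LE string (the directory named
# in the thread), and a three-byte run that is too short to report.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"  # DOS header bytes
    + b"\x00\x01\x02\x03"                                          # binary noise
    + b"This program cannot be run in DOS mode.\x00"                # ASCII text
    + b"\x7f\x80\x81"                                               # non-printable bytes
    + r"C:\winnt\system32\msagent\local\com1\server".encode("utf-16-le")  # wide text
    + b"\x00\x00\xfe\xfd"
    + b"abc\x00"                                                    # below min_len=4
)


def file_hashes(data: bytes) -> Dict[str, str]:
    """Hex digests of the file. MD5 is what older malware archives index by;
    SHA-256 is what you would look up (and record) today."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len printable ASCII bytes, as `strings` prints them."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len printable characters stored as UTF-16LE
    (each ASCII byte followed by a NUL), the equivalent of `strings -el`."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def triage(data: bytes, min_len: int = 4) -> Dict[str, object]:
    """Bundle everything you would paste into a hash lookup or search engine."""
    return {
        "size": len(data),
        "looks_like_pe": data[:2] == b"MZ",   # DOS/PE magic; a cheap sanity check
        "hashes": file_hashes(data),
        "ascii_strings": ascii_strings(data, min_len),
        "utf16le_strings": utf16le_strings(data, min_len),
    }


if __name__ == "__main__":
    # Usage: python triage.py <copy-of-suspect-file>; with no argument the
    # constructed sample is analysed so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_BINARY
    report = triage(blob)
    print("size:", report["size"], "looks_like_pe:", report["looks_like_pe"])
    for name, digest in report["hashes"].items():
        print(f"{name}: {digest}")
    for s in report["ascii_strings"] + report["utf16le_strings"]:
        print("string:", s)
```

Hash the copy before doing anything else with it and record the digests alongside how and when the file was retrieved; that is the part of the reply's "keep it official" advice that costs nothing. Searching on an MD5 only finds exact matches, so a renamed or repacked sample will miss; the strings are what give you search terms when the hash draws a blank.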


