[Dshield] kay.exe?

Jonathan G. Lampe jonathan at stdnet.com
Fri Aug 31 18:41:32 GMT 2001


I was wondering if anyone else has seen "kay.exe" used as part of any kind 
of toolkit?

My initial investigations suggest it is an older (1996) version of the NT 
cmd.exe, but I'm not sure why a hacker would try so hard to manually 
install kay.exe when he already had unfettered access to cmd.exe?

Was there some sort of Windows NT 4.0 cmd.exe security hole which was fixed 
by Service Pack 5 which forced this hacker to upload his version, is 
kay.exe a trojan of some sort or is this relatively inexperienced hacker 
just blindly following some (non-automated) script?

(If you want a copy of the kay.exe executable used, please email me 
directly at jonathan at stdnet.com!)

I pulled this from someone else's hacked box today:

11:00:25 192.168.0.1 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 200
11:10:40 192.168.0.1 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 200
11:15:49 192.168.0.1 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/kay.exe 404
...
11:41:33 192.168.0.1 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 200
11:43:12 192.168.0.1 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/kay.exe 200
11:43:29 192.168.0.1 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/kay.exe 200

- Jonathan Lampe, GCIA
- Standard Networks, 608-227-6100, jonathan at stdnet.com
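The log excerpt above is the kind of evidence a detection rule should be run over: each record is a `..%5c../` directory traversal out of /scripts into winnt/system32, and the interesting ones are the 200s, where the server actually served the binary. The following is an added example, not code from the original post or from DShield. It assumes the simplified "time client method path status" record layout seen in the excerpt, one record per line; the three 192.168.0.1 lines copy the post's requests, while the 10.0.0.x lines are constructed to exercise two other encodings of the same idea (double percent-encoding `%255c` and the overlong UTF-8 form `%c0%af` of `/`), which the detector normalises before deciding whether the decoded path climbs above the web root. The `unexpected_targets` check lists every executable reached by traversal other than cmd.exe, which is exactly the kay.exe question: an unfamiliar binary served from system32 is the one to pull and analyse.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log (not the original): the layout mimics the post's
# "time client method path status" records. The first three lines copy the
# requests quoted in the post; the 10.0.0.x lines are made up to exercise
# other encodings of the same traversal.
SAMPLE_LOG = """\
11:00:25 192.168.0.1 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 200
11:15:49 192.168.0.1 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/kay.exe 404
11:43:12 192.168.0.1 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/kay.exe 200
11:50:02 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
11:51:10 10.0.0.8 GET /index.htm 200
11:52:44 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Overlong two-byte UTF-8 encodings of '/' and '\' that a lax decoder accepts.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".dll")


def decode_path(raw_path: str) -> str:
    """Normalise a request path the way an over-permissive server might:
    percent-decode repeatedly (so %255c -> %5c -> '\\'), map overlong UTF-8
    forms of the separators, then treat backslash as a path separator."""
    data = raw_path.encode("latin-1")
    for _ in range(3):                      # bounded: decode until stable
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for overlong, plain in OVERLONG.items():
        data = data.replace(overlong, plain)
    return data.decode("latin-1").replace("\\", "/")


def escapes_webroot(decoded_path: str) -> bool:
    """True if '..' segments climb above the web root at any point."""
    depth = 0
    for segment in decoded_path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def analyze_line(line: str):
    """Return a finding dict for a traversal record, or None for benign ones."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    when, client, method, raw_path, status = match.groups()
    decoded = decode_path(raw_path.split("?", 1)[0])   # drop the query string
    if not escapes_webroot(decoded):
        return None
    target = decoded.rsplit("/", 1)[-1].lower()
    # A traversal answered 2xx means the attacker reached something outside
    # the web root (cmd.exe, or a binary they uploaded themselves). A 404
    # shows intent but not success, as with the first kay.exe attempt.
    severity = "high" if status.startswith("2") else "medium"
    return {
        "time": when, "client": client, "method": method, "status": status,
        "decoded": decoded, "target": target,
        "executable": target.endswith(EXECUTABLE_SUFFIXES),
        "severity": severity,
    }


def scan(log_text: str):
    """All traversal findings in a block of log text, in log order."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]


def unexpected_targets(findings, known=("cmd.exe",)):
    """Executables reached by traversal that are not the expected cmd.exe;
    these are the ones to retrieve from disk and analyse."""
    return {f["target"] for f in findings
            if f["executable"] and f["target"] not in known}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['client']:<12} {f['severity']:<6} "
              f"{f['status']} {f['decoded']}")
    print("investigate:", sorted(unexpected_targets(results)))
```

Two design points: the decoder is deliberately more permissive than any correct server should be, because the detector's job is to see the path the way the vulnerable server saw it, and the decode loop is bounded so a crafted path cannot make it spin. Severity keys off the status code rather than the target name, since the point of the excerpt is that the 404 and the 200 for the same kay.exe path tell different stories.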