[Dshield] Backdoor Coreflood?

Joe Stewart jstewart at lurhq.com
Tue Sep 9 21:18:06 GMT 2003


On Tuesday 09 September 2003 03:59 pm, Anu Nayar wrote:
> Help...Does anyone have any information on this???

It's probably the "Autoproxy" variant of Coreflood installed by the MS03-032
exploit, likely as a result of the Interland hack.

I have posted an analysis of it at http://www.lurhq.com/autoproxy.html

Also, if you would like to determine which hosts on your network are infected, 
you can use this Snort signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan control connection"; content:"|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"; reference:url,www.lurhq.com/autoproxy.html; classtype:trojan-activity; sid:1000028; rev:1;)

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
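The hex content in the Snort rule above decodes to the header "\r\nUser-Agent: Autoproxy/"; the following is an added example (not from the original post) that decodes that content string and applies the same match to captured outbound port-80 payloads. The flow tuples, IP addresses and the "Autoproxy/1.0" version string are constructed for the example.

```python
# Mirror of the Snort rule's match, run offline over captured flows.
# Snort |xx xx ...| content is matched case-sensitively unless "nocase"
# is given, so this check is case-sensitive too.

# Hex content string exactly as it appears in the Snort rule
SNORT_CONTENT_HEX = ("0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 "
                     "41 75 74 6f 70 72 6f 78 79 2f")


def snort_hex_to_bytes(hex_content: str) -> bytes:
    """Convert a Snort |xx xx ...| hex content string to raw bytes."""
    return bytes.fromhex(hex_content.replace(" ", ""))


# Decodes to b"\r\nUser-Agent: Autoproxy/"
AUTOPROXY_MARKER = snort_hex_to_bytes(SNORT_CONTENT_HEX)


def find_infected_hosts(flows):
    """flows: iterable of (src_ip, dst_port, payload_bytes) for outbound TCP
    traffic from $HOME_NET. Returns the sorted list of source IPs whose
    port-80 payload carries the Autoproxy User-Agent marker."""
    hits = set()
    for src_ip, dst_port, payload in flows:
        if dst_port == 80 and AUTOPROXY_MARKER in payload:
            hits.add(src_ip)
    return sorted(hits)


# Constructed sample traffic (addresses and request lines are made up)
SAMPLE_FLOWS = [
    ("192.0.2.10", 80,
     b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("192.0.2.23", 80,
     b"GET /cmd HTTP/1.0\r\nUser-Agent: Autoproxy/1.0\r\n\r\n"),
    ("192.0.2.23", 443, b"\x16\x03\x01"),            # wrong port: ignored
    ("192.0.2.40", 80,
     b"POST / HTTP/1.1\r\nUser-Agent: autoproxy/1.0\r\n\r\n"),  # case differs: no match
]

if __name__ == "__main__":
    print(find_infected_hosts(SAMPLE_FLOWS))  # ['192.0.2.23']
```

Hosts whose traffic matches only in a different case would be missed by both this check and the rule as written; add "nocase" to the rule if that is a concern.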



