[unisog] Re: Mysterious appearance of Backdoor.RA on Win2K machines

Jeff Bollinger jeff01 at email.unc.edu
Thu Dec 13 15:08:55 GMT 2001

Yes, we've seen another instance of a similar nature, only when we look at any
files modified and/or created on the date and time that we know the machine was
compromised, we see nothing!  I was just referred to FportNG, which will
hopefully show us what exactly is still causing problems (rogue FTP server
running on port 10000, which we cannot trace!)


"Stephen W. Thompson" wrote:

> Here's another indication that there is some vector for infection or
> intruding into NT/Win2k machines active on the net which hasn't been
> publicized yet.
> This from another of our sysadmins:
> >  Greetings. Yesterday, for the first time since I set up this server in
> > October, 1999, the Norton Antivirus Server Real time program caught a
> > virus. It quarantined
> > the Goner virus which I subsequently deleted, then ran a manual scan
> > afterward. (A scheduled scan runs every night and has never located a
> > virus.)
> >
> >  The mystery is, I have no idea how this could have been transmitted to
> > the server!
> > Although our NT server has Outlook and IE installed, the former is not
> > configured and neither is used. I was doing no file copying at the time
> > of the attack. Nor did any of my users admit to copying anything to the
> > affected folder at the time of infection.
> >
> >  I have gone to each workstation and checked their quarantine folder and
> > Virus History - nothing for yesterday! Moreover, my users are always
> > being told about safe attachment opening techniques, and no one came
> > forward to say they were involved. Moreover, they would have had to save
> > the attachment to disk (a server shared common
> > folder) while they had the Virus warning screen up, which they can't
> > background - not really likely. All their virus scanners were enabled
> > with the latest virus definitions.
> >
> >  Is there another entry point for this virus other than e-mail? What
> > should I be checking?
> [and same sysadmin, in another message:]
> >  If it was copied from a workstation, I would think there would have
> > been a trace of the virus on the workstation. I checked the Virus
> > history and Quarantine for each workstation. There were no viruses
> > detected that day on ANY workstation, and no Goner virus on any day. (I
> > don't have the managed version of Norton on the server, just the regular
> > version, so it wouldn't tell me from which machine the virus was copied,
> > if it was copied!)
> >
> >  The virus ended up on a folder beneath a shared server folder. All of
> > my users would have access to this folder, even student workers.
> Earlier bits of this thread:
> Rita Seplowitz Saltz <rita at Princeton.EDU>
> > This week, two different departments here reported discovering Backdoor.RA,
> > a component of the package Remote Anything, running on a Windows 2000 system
> > without having been installed by the responsible parties.  Both machines are
> > physically secured, and those with access have disclaimed responsibility for
> > installing the item.  In each case, the presence of Backdoor.RA was
> > discovered when, exploring problems with the machine, the user scanned the
> > Task Manager list and noted a process called Slave.exe running.
> >
> > It appears that the instances were remote installs.  Anyone know of an
> > exploit or apres-virus vulnerability which involves remote installation of
> > Backdoor.RA?
> I wrote in reply about a different case than today's:
> > What drew attention to the machines initially?  A group here had an
> > NT4 box which unexpectedly was missing many files normally found on a
> > healthy install.  Little investigation could be done before the group
> > reformatted and started over.  Probably unrelated, but...
> And later, also from Rita Seplowitz Saltz <rita at Princeton.EDU>, quoting
> a sysadmin:
> > The first person to report the discovery was having slow performance from
> > Internet Explorer, and also his task bar froze sporadically.  He does not
> And quoting another of her sysadmins:
> > "On the day I was hacked, there were 3 backdoor.trojan files quarantined on
> > my system -- around the same time other suspicious files were created.  I
> > have absolutely no idea how the slave program was implanted on my server.
> > Once the attacker gained control over the server, an ftp service (ServU) was
> > installed in c:\winnt\fonts\truetype.  About 60 Gig of information was
> > stored on D:\recycler\dumpsite.  I deleted D:\recycler\dumpsite and was able
> > to uninstall slave and the ftp service."
> And more info she gives:
> > I've just heard from the first fellow again.  I shared an alert with the
> > distributed computing support list a short while ago (which turned up the
> > second instance).  His deputy director, who is on that mailing list, found a
> > copy on his own machine and is in the process of checking workstations of
> > other VIP staff in the unit.  It apparently installs silently.  Now the
> > question is:  how?!
> lbuchana at csc.com wrote:
> > In an earlier private email to Rita, I noted that I had found a machine
> > with RemotelyAnywhere on it.  The manner in which it was discovered was by
> > our IDS detecting it attacking another part of our organization.  I can't
> > share many details as there may be an ongoing criminal investigation.  The
> > method used to attack the machine I looked at was different than the attack
> > the IDS noticed.
> Jeff Bollinger <jeff01 at email.unc.edu> wrote:
> > Yes, we have seen this as well.  Note that the Trojan installs s32.exe and
> > the servuFTP.  No idea though as to how it got in yet.
> En paz,
> Steve, security analyst
> --
> Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
> thompson at isc.upenn.edu    URL=http://pobox.upenn.edu/~thompson/index.html
>   For security matters, use security at isc.upenn.edu, read by InfoSec staff
>    * OPEN LETTER: http://pobox.upenn.edu/~thompson/considered-war.html *

Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu
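The two puzzles in this message, a rogue FTP listener on port 10000 that nobody can tie to a process, and "no files modified or created" at the known compromise time, are both answered by the same kind of check FportNG was recommended for: map each listening port to its owning PID and image path, then look at file timestamps around the incident. As an added example (not part of the original message, and not FportNG or any poster's code), here is a modern PowerShell script that does that. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated shell, and the suspect-directory patterns and date window shown below, which are illustrative choices drawn from the thread's own observations (ServU dropped under c:\winnt\fonts\truetype, a dump under D:\recycler\dumpsite), not a reference list.

```powershell
# Added example, not code from the original thread or from any of its posters.
# A modern PowerShell equivalent of what FportNG did on Win2K: map each listening
# TCP port to its owning process and image path, flag listeners whose binary lives
# where a service has no business (the thread saw ServU under c:\winnt\fonts\truetype
# and a dump under D:\recycler\dumpsite), and list files created or modified in the
# suspected compromise window. Assumptions: Windows 8 / Server 2012 or later
# (Get-NetTCPConnection), an elevated shell, and the path patterns and date window
# below, which are illustrative choices drawn from the thread, not a reference list.

# Directory names that are a red flag for a listening service's image path.
$SuspectPathPattern = '\\(Fonts|Temp|Recycler|\$Recycle\.Bin)\\'

function Test-SuspectImage {
    param([string]$Path, [int]$Port)
    # No readable path usually means a protected/system process; only worry about
    # it when the port is not a well-known service port.
    if (-not $Path) { return ($Port -gt 1024) }
    if ($Path -match $SuspectPathPattern) { return $true }
    # An unsigned image holding a listener is worth a second look too.
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    return ($null -eq $sig -or $sig.Status -ne 'Valid')
}

function Get-ListenerInventory {
    # One object per listening TCP socket, joined to its owning process.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            ImagePath    = $path
            Suspect      = Test-SuspectImage -Path $path -Port $conn.LocalPort
        }
    }
}

function Find-FilesInWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string[]]$Roots = @($env:windir, "$env:SystemDrive\")
    )
    # Checks CreationTime and LastWriteTime separately: an intruder who resets one
    # with a "touch" often leaves the other alone. Caveat: both come from the NTFS
    # $STANDARD_INFORMATION attribute and can be rewritten by anyone with write
    # access, which is one reason "nothing changed that day" can be a false negative;
    # the $FILE_NAME timestamps in the MFT record need a forensic tool to read.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.CreationTime  -ge $Start -and $_.CreationTime  -le $End) -or
                ($_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End)
            } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

# Usage (elevated shell). The window is a placeholder; replace it with the time
# the machine is known to have been compromised.
Get-ListenerInventory | Sort-Object LocalPort | Format-Table -AutoSize
Get-ListenerInventory | Where-Object Suspect | Format-Table -AutoSize
Find-FilesInWindow -Start (Get-Date '2001-12-12 00:00') -End (Get-Date '2001-12-12 23:59') |
    Format-Table -AutoSize
```

Run it on the live box before it is rebuilt: the listener inventory is what ties a port like 10000 to a PID and an on-disk image, and the file search is worth repeating with a wider window if the narrow one comes back empty, since the thread's own reports describe quarantined files and a ServU install that should have left timestamps somewhere.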
