[unisog] Re: Mysterious appearance of Backdoor.RA on Win2K machines

Peter Van Epp vanepp at sfu.ca
Thu Dec 13 19:25:27 GMT 2001


> 
> Yes, we've seen another instance of a similar nature, only when we look at any
> files modified and/or created on the date and time that we know the machine was
> compromised and we see nothing!  I was just referred to FportNG
> (http://www.foundstone.com/rdlabs/tools.php?category=Forensic)
> 
> which will hopefully show us what exactly is still causing problems (rogue FTP
> server running on port 10000, to which we cannot trace!)
> 
> Jeff
> 
> "Stephen W. Thompson" wrote:
> 
> > Here's another indication that there is some vector for infection or
> > intruding into NT/Win2k machines active on the net which hasn't been
> > publicized yet.
> >
<snip>

	We need to find one of these at an institution running argus (I 
unfortunatly haven't heard of any yet). With an argus log you can dump the 
log of the machine and time in question and see what accesses there were 
(assuming the exploit is remote as is likely). You should see something (even if
it is only a "normal" web access or email being fetched) that would give you 
some kind of a clue as to what the infection vector is. Searching back for the 
first instance of the ftp server on the odd port may give you a different (but 
more accurate) time of infection and vector as well since the appearance of the
ftp server should be near the infection point (and as always having history is 
wonderful when looking after the fact :-) ...).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada



More information about the unisog mailing list