[unisog] Re: Mysterious appearance of Backdoor.RA on Win2K machines

Jeff Bollinger jeff01 at email.unc.edu
Mon Dec 17 15:19:29 GMT 2001


I finally received the results of the Foundstone scan and noted this:

1064  lsass          ->  10000 TCP   c:\WINNT\system32\os2\dll\_tmp\lsass.exe

This is the port that we could connect to the FTP server on.  I found this link that
may help to explain what happened:

http://www.guninski.com/dr07.html

Looks like it could have been an old exploit.

Jeff

Peter Van Epp wrote:

> >
> > Yes, we've seen another instance of a similar nature, only when we look at any
> > files modified and/or created on the date and time that we know the machine was
> > compromised and we see nothing!  I was just referred to FportNG
> > (http://www.foundstone.com/rdlabs/tools.php?category=Forensic)
> >
> > which will hopefully show us what exactly is still causing problems (rogue FTP
> > server running on port 10000, to which we cannot trace!)
> >
> > Jeff
> >
> > "Stephen W. Thompson" wrote:
> >
> > > Here's another indication that there is some vector for infection or
> > > intruding into NT/Win2k machines active on the net which hasn't been
> > > publicized yet.
> > >
> <snip>
>
>         We need to find one of these at an institution running argus (I
> unfortunately haven't heard of any yet). With an argus log you can dump the
> log of the machine and time in question and see what accesses there were
> (assuming the exploit is remote as is likely). You should see something (even if
> it is only a "normal" web access or email being fetched) that would give you
> some kind of a clue as to what the infection vector is. Searching back for the
> first instance of the ftp server on the odd port may give you a different (but
> more accurate) time of infection and vector as well since the appearance of the
> ftp server should be near the infection point (and as always having history is
> wonderful when looking after the fact :-) ...).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada

--
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu
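The two pieces of evidence discussed in this thread, a Fport listener table and a flow log around the time the rogue FTP server first appeared, can be correlated mechanically. The following Python is an added example and is not code from Jeff, Peter, Foundstone or argus. The Fport table is a constructed sample whose only genuine row is the `lsass -> 10000` line quoted above; the flow records are made up and use a plain comma-separated layout, not real argus `ra` output; and `EXPECTED_PATHS` assumes the genuine Win2K `lsass.exe` lives under `c:\WINNT\system32`, as the quoted path implies.

```python
import re
from datetime import datetime, timedelta

# --- Part 1: Fport-style listener table -> listeners with a masquerading name
# Constructed sample. Only the "1064 lsass -> 10000" row is the one quoted in
# the thread; the other rows are invented so the parser has something to skip
# or accept.
FPORT_OUTPUT = """\
Pid   Process            Port  Proto Path
8     System         ->  139   TCP
8     System         ->  445   TCP
236   lsass          ->  1025  TCP   c:\\WINNT\\system32\\lsass.exe
1064  lsass          ->  10000 TCP   c:\\WINNT\\system32\\os2\\dll\\_tmp\\lsass.exe
"""

FPORT_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*)$"
)

# Assumption: where the genuine binary lives on this host (%SystemRoot% taken
# to be c:\WINNT, matching the path quoted in the thread).
EXPECTED_PATHS = {"lsass": r"c:\winnt\system32\lsass.exe"}


def parse_fport(text):
    """Parse 'pid process -> port proto path' rows; header/blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["port"] = int(d["port"])
        d["path"] = d["path"].strip().lower()  # case-insensitive compare on NTFS
        entries.append(d)
    return entries


def suspicious_listeners(entries, expected=EXPECTED_PATHS):
    """Listeners whose process name matches a known system binary but whose
    image path is not the expected one (e.g. lsass.exe under os2\\dll\\_tmp)."""
    return [e for e in entries
            if expected.get(e["proc"].lower()) is not None
            and e["path"] != expected[e["proc"].lower()]]


# --- Part 2: flow log -> first appearance of the odd port, and what preceded it
# Constructed records: "start,proto,src,sport,dst,dport". They stand in for an
# argus log but are NOT real argus/ra output.
FLOW_LOG = """\
2001-12-09 22:14:03,tcp,192.0.2.44,3280,10.0.0.5,80
2001-12-10 09:58:02,tcp,192.0.2.44,3321,10.0.0.5,80
2001-12-10 09:59:40,tcp,198.51.100.7,1123,10.0.0.5,445
2001-12-10 10:01:15,tcp,198.51.100.7,1130,10.0.0.5,10000
2001-12-10 10:07:51,tcp,10.0.0.5,1051,203.0.113.9,25
2001-12-11 03:22:08,tcp,203.0.113.88,2044,10.0.0.5,10000
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, sport, dst, dport = line.split(",")
        flows.append({"start": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                      "proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport)})
    return sorted(flows, key=lambda f: f["start"])


def first_flow_to_port(flows, host, port):
    """Earliest flow whose destination is host:port, or None. The first hit on the
    rogue port is a better estimate of compromise time than file timestamps."""
    for f in flows:  # flows are sorted by start time
        if f["dst"] == host and f["dport"] == port:
            return f
    return None


def inbound_before(flows, host, t, window=timedelta(minutes=10)):
    """Inbound flows to host in the window just before t: infection-vector candidates."""
    return [f for f in flows
            if f["dst"] == host and t - window <= f["start"] < t]


if __name__ == "__main__":
    for e in suspicious_listeners(parse_fport(FPORT_OUTPUT)):
        print("suspicious listener: pid %d %s port %d path %s"
              % (e["pid"], e["proc"], e["port"], e["path"]))
    flows = parse_flows(FLOW_LOG)
    first = first_flow_to_port(flows, "10.0.0.5", 10000)
    print("first flow to 10000:", first["start"])
    for f in inbound_before(flows, "10.0.0.5", first["start"]):
        print("preceding inbound:", f["start"], f["src"], "->", f["dport"])
```

The path check is the point of the Fport step: a process named like a system binary is only interesting once its image path is compared with where that binary actually lives. The flow step then does what Peter describes, taking the first hit on the odd port as the compromise time and listing the inbound connections just before it rather than relying on file timestamps the intruder may have reset.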
