[unisog] 'bot file servers?

Jane DelFavero jane.delfavero at nyu.edu
Thu May 1 00:47:07 GMT 2003


Thanks to those who responded. We didn't get a chance to get a packet 
trace, but we know that it was not anything purposely installed by 
the machine's user.

The system owner did run fport, which showed a bunch of trojan 
SVCHOST.EXE processes running, along with a file called "LSASSC.EXE" 
and MsgSys.EXE. A quick googling picked up a trojan Symantec labels 
backdoor.xts:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xts.html

Apparently, this allows the hacker to drop whatever DLL they want and 
let it run as a service. We still haven't found the file serving 
component, though. If we track it down, I'll post the info. We also 
have not firmly identified the vulnerability that allowed the trojan 
to be dropped (although it may have been something simple, like a 
lame Admin password).

Best, Jane

At 16:01 -0700 4/30/03, Joe Pollock wrote:
>I don't think my first attempt reached the list because of HTML content.
>
>We just cleaned up a pair of classroom machines that were running Mirc.
>Upon being connected to a port, they would connect to an IRC RoboServ
>channel and start high-volume uploads and downloads.  From what I've
>seen, they were being remote-controlled.  I haven't had time to finish
>the analysis of the data I collected, but if you're interested please
>contact me off of the list and I'll send on what I've figured out.
>
>Joe Pollock
>Network Services
>The Evergreen State College
>
>-----Original Message-----
>From: Jane DelFavero [mailto:jane.delfavero at nyu.edu]
>Sent: Wednesday, April 30, 2003 1:47 PM
>To: unisog at sans.org
>Subject: [unisog] 'bot file servers?
>
>
>Hi all,
>
>We have come up against network behavior that I haven't encountered
>before, and I'd like to hear from anyone who has. We have a couple of
>machines which are pumping out large volumes of data, but it's not
>the normal P2P junk, or IRC, as far as we can see. There's an ICMP
>packet from a remote host, followed by a very large data transfer
>(about the size of an .avi movie file) via UDP back to that remote
>site.
>
>Is this a trojan or backdoor (or other application) that anyone's seen
>before?
>
>Thanks, Jane
