[AG-TECH] possible backdoor attack.

Osland, CD (Chris) C.D.Osland at rl.ac.uk
Mon Feb 2 03:29:37 CST 2004


Can I ask for clarification on this?

Is the presence of those directories, with MUI containing loads
of folders with one or more DLLs, indicative of an attack, or
is that the normal situation?

The MUI folder that had anything in it on my machine showed
it had about 5 Mb used (from Properties) which seems reasonable
for a pile of DLLs, and unlikely to be sufficient for a warehouse
full of undesirable content (says he choosing words carefully!).

Any assistance gratefully received.

Cheers

Chris

____________________________________________________________________
Chris Osland                                  Office tel: +44 (0) 1235 446565
Digital Media and Access Grid               Medialab tel: +44 (0) 1235 446459
BIT Department                        Access Grid room tel: +44 (0) 1235 445666
e-mail:   C.D.Osland at rl.ac.uk                       Fax: +44 (0) 1235 445597
CLRC Rutherford Appleton Laboratory (Bldg. R18)
Chilton, DIDCOT, Oxon OX11 0QX, UK
[The contents of this email are confidential and are for the use of the
intended recipient only. If you are not the intended recipient do not take
any action on it or show it to anyone else, but return this email to the
sender and delete your copy of it.]

> -----Original Message-----
> From: Don Lewis [mailto:djlewis at ualr.edu]
> Sent: 31 January 2004 01:08
> To: ag-tech; darin; Robert Olson
> Subject: [AG-TECH] possible backdoor attack.
> 
> 
> Please look into your Windows 2k and windows XP computers
> WINNT/SYSTEM32 folders and look for these three folders,
> 
> NNP - a normal network monitor and trace folder.
> MUI - a Multi-User Interface folder
> OS2
> 
> We have found these folders with a DameWare installed
> which we believe came just before we blocked port 6129
> per a Sans.Org alert.
> 
> The infiltrators are setting up ftp servers with dvd movies, porn, music and
> programs. The DameWare gathers a great deal of information about the network.
> I realize this description is vague but we just ran across it.
> Having all the latest Windows security, servicepaks etc installed did not
> prevent it as best we know. For the weekend we are trying to turn off
> all nonessential computers.
>  
> Hopefully this will not be a problem for the AG community.
> 
> Thank you for your time,
> Don Lewis
> 
> 
> 
> In MUI there may be many or few numbered folders. Inside these folders
> may be a series of repeatable DLLs, EXPIRExx.dll or something like that.
> NNP
> 
> >===== Original Message From Robert Olson <olson at mcs.anl.gov> =====
> >If you send me your client logfile:
> >
> >\Documents and Settings\<user>\Application Data\AccessGrid\venueclient.log
> >
> >I'll take a look and see what I can see. If you moved things around in the
> >certRepo dir you've likely caused problems, yes. If you did that, remove
> >the certRepo dir and try the import again.
> >
> >--bob
> >
> >At 02:36 PM 1/30/2004, Darin Oman wrote:
> >>I get this error when I try to import a certificate on a Windows machine.
> >>The cert has been exported from Linux. I tried moving various certs and
> >>.pem files around, so I probably screwed things up even worse, but I still
> >>get the same error. Any ideas?
> >>
> >>Thanks,
> >>Darin
> 
> Don Lewis
> Senior Computer Specialist
> Graduate Institute of Technology
> ETAS 335A, 2801 South University Avenue
> University of Arkansas at Little Rock 72204
> (501) 569-8016 fax: (501) 569-8039
> djlewis at ualr.edu
> 
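A triage script for the two indicators in Don's message (the three System32 folders and a DameWare listener on port 6129), added here as an illustration and not code from the original thread. It answers Chris's question by reporting what is inside the folders rather than their mere presence; the folder names, the EXPIRExx.dll pattern and port 6129 come from the message, while the remark that MUI and OS2 exist on a stock install (MUI with LCID-numbered subfolders such as 0409) is the editor's assumption about typical Windows 2000/XP layouts.

```python
import re
import subprocess
from pathlib import Path

# Folder names and the EXPIRExx.dll pattern are taken from Don Lewis's message.
SUSPECT_DIRS = ("NNP", "MUI", "OS2")
EXPIRE_DLL = re.compile(r"^EXPIRE.*\.dll$", re.IGNORECASE)
DAMEWARE_PORT = 6129  # the port the site blocked per the SANS alert


def triage_system32(system32):
    """Report contents of the three named folders under the given System32.

    Presence alone proves little (assumption: on a stock install MUI holds
    language-pack resources in LCID-numbered subfolders such as 0409, and OS2
    holds the OS/2 subsystem files). What would be abnormal is bulk non-DLL
    content (movies, music, archives, installers) or EXPIRExx.dll files.
    """
    report = {}
    for name in SUSPECT_DIRS:
        folder = Path(system32) / name
        if not folder.is_dir():
            report[name] = {"present": False}
            continue
        files = [f for f in folder.rglob("*") if f.is_file()]
        report[name] = {
            "present": True,
            "size_bytes": sum(f.stat().st_size for f in files),
            "subdirs": sorted(p.name for p in folder.iterdir() if p.is_dir()),
            "expire_dlls": sorted(f.name for f in files if EXPIRE_DLL.match(f.name)),
            "non_dll_files": sorted(f.name for f in files if f.suffix.lower() != ".dll"),
        }
    return report


def listeners_on_port(netstat_output, port=DAMEWARE_PORT):
    """Parse Windows `netstat -an` text; return local addresses LISTENING on port."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()  # TCP  <local addr>  <foreign addr>  <state>
        if len(parts) == 4 and parts[0].upper() == "TCP" and parts[3] == "LISTENING":
            if parts[1].rpartition(":")[2] == str(port):
                found.append(parts[1])
    return found


def run_host_checks(system32=r"C:\WINNT\system32"):
    """Live run on the host: folder triage plus the netstat check for 6129."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return triage_system32(system32), listeners_on_port(out)


if __name__ == "__main__":
    folders, dameware = run_host_checks()
    for name, info in folders.items():
        print(name, info)
    print("listeners on 6129:", dameware or "none")
```

On a Windows XP host the default path is C:\WINDOWS\system32, so pass that to run_host_checks there.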