[AG-TECH] possible backdoor attack.

Don Lewis djlewis at ualr.edu
Mon Feb 2 10:17:59 CST 2004


Good checking, Chris.
The more languages are installed for Explorer, the more folders.
Up to and around the 5 Meg mark is normal.

In our case two of the computers had a large amount in the two
folders. I will try and get you more specific info after the dust
has settled somewhat.

Perhaps it was just our site that was hacked. I don't see it
on our AG Display computer. And so far it is beginning
to look like a soft admin password was the backdoor.

Thank you.
Don Lewis

>===== Original Message From "Osland, CD (Chris) " <C.D.Osland at rl.ac.uk> =====
>Can I ask for clarification on this?
>
>Is the presence of those directories, with MUI containing loads
>of folders with one or more DLLs, indicative of an attack, or
>is that the normal situation?
>
>The MUI folder that had anything in it on my machine showed
>it had about 5 Mb used (from Properties) which seems reasonable
>for a pile of DLLs, and unlikely to be sufficient for a warehouse
>full of undesirable content (says he choosing words carefully!).
>
>Any assistance gratefully received.
>
>Cheers
>
>Chris
>
>____________________________________________________________________
>Chris Osland                      Office tel: +44 (0) 1235 446565
>Digital Media and Access Grid     Medialab tel: +44 (0) 1235 446459
>BIT Department                    Access Grid room tel: +44 (0) 1235 445666
>e-mail: C.D.Osland at rl.ac.uk    Fax: +44 (0) 1235 445597
>CLRC Rutherford Appleton Laboratory (Bldg. R18)
>Chilton, DIDCOT, Oxon OX11 0QX, UK
>[The contents of this email are confidential and are for the use of the
>intended recipient only. If you are not the intended recipient do not take
>any action on it or show it to anyone else, but return this email to the
>sender and delete your copy of it.]
>
>> -----Original Message-----
>> From: Don Lewis [mailto:djlewis at ualr.edu]
>> Sent: 31 January 2004 01:08
>> To: ag-tech; darin; Robert Olson
>> Subject: [AG-TECH] possible backdoor attack.
>>
>>
>> Please look into your Windows 2k and windows XP computers
>> WINNT/SYSTEM32 folders and look for these three folders,
>>
>> NNP  - a normal network monitor and trace folder.
>> MUI  - a Multi-User Interface folder
>> OS2
>>
>> We have found these folders with a dameware installed
>> which we believe came just before we blocked port 6129
>> per a Sans.Org alert.
>>
>> The infiltrators are setting up ftp servers with dvd movies,
>> porn, music and programs. The dameware gathers a great deal of
>> information about the network.
>> I realize this description is vague but we just ran across it.
>> Having all the latest Windows security, service packs etc.
>> installed did not prevent it as best we know. For the weekend we
>> are trying to turn off all nonessential computers.
>>
>> Hopefully this will not be a problem for the AG community.
>>
>> Thank you for your time,
>> Don Lewis
>>
>>
>>
>> In MUI there may be many or few numbered folders. Inside these folders
>> may be a series of repeatable DLLs, EXPIRExx.dll or something like that.
>> NNP
>>
>> >===== Original Message From Robert Olson <olson at mcs.anl.gov> =====
>> >If you send me your client logfile:
>> >
>> >\Documents and Settings\<user>\Application Data\AccessGrid\venueclient.log
>> >
>> >I'll take a look and see what I can see. If you moved things around in the
>> >certRepo dir you've likely caused problems, yes. If you did that, remove
>> >the certRepo dir and try the import again.
>> >
>> >--bob
>> >
>> >At 02:36 PM 1/30/2004, Darin Oman wrote:
>> >>I get this error when I try to import a certificate on a Windows machine.
>> >>The cert has been exported from Linux. I tried moving various certs and
>> >>.pem files around, so I probably screwed things up even worse, but I still
>> >>get the same error. Any ideas?
>> >>
>> >>Thanks,
>> >>Darin
>>
>> Don Lewis
>> Senior Computer Specialist
>> Graduate Institute of Technology
>> ETAS 335A, 2801 South University Avenue
>> University of Arkansas at Little Rock 72204
>> (501) 569-8016 fax: (501) 569-8039
>> djlewis at ualr.edu
>>

Don Lewis
Senior Computer Specialist
Graduate Institute of Technology
ETAS 335A, 2801 South University Avenue
University of Arkansas at Little Rock 72204
(501) 569-8016 fax: (501) 569-8039
djlewis at ualr.edu
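As an added example (not part of this thread or anyone's post in it), a small Python triage script that applies the indicators discussed above from a defender's side: it sizes the NNP, MUI and OS2 folders under SYSTEM32, flags a MUI far above the roughly 5 MB Chris and Don call normal or any media files dropped into those folders, and parses `netstat -an` output for a listener on the DameWare port 6129. Assumed: Python 3.8+; the folder tree and netstat lines in demo() are constructed samples, and the media-extension list is my own heuristic for the "dvd movies, porn, music" content described.

```python
import re
import tempfile
from pathlib import Path

SUSPECT_DIRS = ("NNP", "MUI", "OS2")        # folders named in the thread
NORMAL_MUI_BYTES = 5 * 1024 * 1024          # thread: ~5 MB of MUI DLLs is normal
MEDIA_EXT = {".avi", ".mpg", ".mpeg", ".mp3", ".wma", ".zip", ".rar", ".iso"}
DAMEWARE_PORT = 6129                        # port blocked per the SANS alert
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)

def triage_system32(system32):
    """Return {folder: (size_bytes, dll_count, media_files, suspicious)}."""
    report = {}
    for name in SUSPECT_DIRS:
        folder = Path(system32) / name
        if not folder.is_dir():
            continue
        files = [p for p in folder.rglob("*") if p.is_file()]
        size = sum(p.stat().st_size for p in files)
        dlls = sum(1 for p in files if p.suffix.lower() == ".dll")
        media = sorted(p.name for p in files if p.suffix.lower() in MEDIA_EXT)
        # Language DLLs are expected in MUI; media files, or a MUI far above
        # the ~5 MB norm, is what the thread describes as the giveaway.
        suspicious = bool(media) or (name == "MUI" and size > NORMAL_MUI_BYTES)
        report[name] = (size, dlls, media, suspicious)
    return report

def listening_ports(netstat_text):
    """Parse `netstat -an` output; return the set of TCP ports in LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def demo():
    """Run both checks on a constructed SYSTEM32 tree and netstat sample."""
    with tempfile.TemporaryDirectory() as tmp:
        mui = Path(tmp) / "MUI" / "0409"
        mui.mkdir(parents=True)
        (mui / "sample.dll").write_bytes(b"\0" * 1024)     # constructed
        (mui / "movie.avi").write_bytes(b"\0" * 4096)      # constructed
        (Path(tmp) / "NNP").mkdir()
        report = triage_system32(tmp)
    netstat = ("  TCP    0.0.0.0:135     0.0.0.0:0      LISTENING\n"
               "  TCP    0.0.0.0:6129    0.0.0.0:0      LISTENING\n"
               "  TCP    10.0.0.5:139    10.0.0.9:1025  ESTABLISHED\n")  # constructed
    return report, DAMEWARE_PORT in listening_ports(netstat)
```

On a real host, call `triage_system32(r"C:\WINNT\SYSTEM32")` and feed the actual `netstat -an` text to `listening_ports`.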