Followup: [AG-TECH] possible backdoor attack.

Don Lewis djlewis at ualr.edu
Mon Feb 2 11:52:02 CST 2004


This hack uses the c:\Recycler and C:\System Info Properties
folders to hide FTP material. If one has emptied their
trash, then by going into Windows Explorer,
right-click on the 'Recycler' folder and look at the size.
(The hidden FTP files' size is hidden if you look through the
desktop Recycler properties). An empty Recycler folder
has less than 20K bytes.
Secondly, while using Windows Explorer, right-click on
the System ... Information folder and look at the size.
It too should be relatively small. In our instance a folder
was created here and masked from being seen. It does have
'Control Panel' in the name string.

Note: both of these folders are at the root level of your Windows drive.

Thanks to Greg Browning for discovering this info.
If I have confused or otherwise made matters worse, then
please contact us.

Thank you,
Don Lewis

Old info below:

Please look into your Windows 2k and Windows XP computers'
WINNT/SYSTEM32 folders and look for these three folders:

NNP - a normal network monitor and trace folder.
MUI - a Multi-User Interface folder
OS2

We have found these folders with DameWare installed,
which we believe came just before we blocked port 6129
per a SANS.org alert.

The infiltrators are setting up FTP servers with DVD movies, porn, music and
programs. The DameWare gathers a great deal of information
about the network.
I realize this description is vague, but we just ran across it.
Having all the latest Windows security updates, service packs etc. installed did not
prevent it as best we know. For the weekend we are trying to turn off
all nonessential computers.

Hopefully this will not be a problem for the AG community.

Thank you for your time,
Don Lewis



In MUI there may be many or few numbered folders. Inside these folders
may be a series of repeated DLLs,
EXPIRExx.dll or something like that.
NNP

>===== Original Message From Robert Olson <olson at mcs.anl.gov> =====
>If you send me your client logfile:
>
>\Documents and Settings\<user>\Application Data\AccessGrid\venueclient.log
>
>I'll take a look and see what I can see. If you moved things around in the
>certRepo dir you've likely caused problems, yes. If you did that, remove
>the certRepo dir and try the import again.
>
>--bob
>
>At 02:36 PM 1/30/2004, Darin Oman wrote:
>>I get this error when I try to import a certificate on a Windows machine.
>>The cert has been exported from Linux. I tried moving various certs and
>>.pem files around, so I probably screwed things up even worse, but I still
>>get the same error. Any ideas?
>>
>>Thanks,
>>Darin

Don Lewis
Senior Computer Specialist
Graduate Institute of Technology
ETAS 335A, 2801 South University Avenue
University of Arkansas at Little Rock 72204
(501) 569-8016 fax: (501) 569-8039
djlewis at ualr.edu

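The manual Explorer checks in this thread, scripted as an added example (this is not the poster's code and not part of the original message). It assumes the Windows drive is C:, that the root folder referred to above is "System Volume Information", uses the 20K "empty Recycler" figure from the post as the alert threshold, and must be run elevated because both folders deny access to ordinary users.

```powershell
# Added example: automate the folder-size and folder-name checks described in the post.
param(
    [string]$Drive = "C:",              # assumed Windows drive
    [int]$RecyclerLimitBytes = 20KB     # threshold taken from the post
)

function Get-FolderSizeBytes {
    param([string]$Path)
    # -Force includes hidden and system items, which is how the stashed FTP
    # material evades the size shown in the desktop Recycler properties.
    $files = Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue
    $sum = ($files | Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { return 0 } else { return $sum }
}

$findings = @()

$recycler = Join-Path $Drive "Recycler"
if (Test-Path -LiteralPath $recycler) {
    $size = Get-FolderSizeBytes $recycler
    if ($size -gt $RecyclerLimitBytes) {
        $findings += "Recycler holds $size bytes; an emptied Recycler should be under $RecyclerLimitBytes"
    }
}

$svi = Join-Path $Drive "System Volume Information"   # assumed name of the folder meant in the post
if (Test-Path -LiteralPath $svi) {
    $findings += "System Volume Information holds $(Get-FolderSizeBytes $svi) bytes; review if unexpectedly large"
    # The post reports a masked subfolder whose name contains 'Control Panel'.
    Get-ChildItem -LiteralPath $svi -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*Control Panel*" } |
        ForEach-Object { $findings += "Subfolder matching the reported pattern: $($_.FullName)" }
}

# Folder names from the earlier message; MUI is also a legitimate folder on many
# systems, so the report only asks for the contents to be verified.
$sys32 = Join-Path $env:SystemRoot "System32"
foreach ($name in "NNP", "MUI", "OS2") {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) {
        $count = @(Get-ChildItem -LiteralPath $p -Recurse -Force -File -ErrorAction SilentlyContinue).Count
        $findings += "$p exists with $count files; verify its contents"
    }
}

# Port 6129 is the port the poster blocked after the SANS alert; report any listener.
$listener = Get-NetTCPConnection -LocalPort 6129 -State Listen -ErrorAction SilentlyContinue
if ($listener) { $findings += "TCP 6129 is listening (PID $($listener.OwningProcess))" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output "No findings." }
```

Sizes reported here are on-disk totals including hidden files, so they will differ from what the Recycler properties dialog shows; that difference is the point of the check.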

