[AG-TECH] possible backdoor attack.

Don Lewis djlewis at ualr.edu
Fri Jan 30 19:07:42 CST 2004

Please look into your Windows 2k and Windows XP computers'
WINNT/SYSTEM32 folders and look for these three folders,

NNP - a normal network monitor and trace folder.
MUI - a Multi-User Interface folder

We have found these folders with a DameWare installed
which we believe came just before we blocked port 6129
per a SANS.org alert.

The infiltrators are setting up ftp servers with dvd movies, porn, music and
programs. The DameWare gathers a great deal of information
about the network.
I realize this description is vague but we just ran across it.
Having all the latest Windows security, service packs etc. installed did not
prevent it as best we know. For the weekend we are trying to turn off
all nonessential computers.
Hopefully this will not be a problem for the AG community.

Thank you for your time,
Don Lewis

In MUI there may be many or few numbered folders. Inside these folders
may be a series of repeatable DLLs,
EXPIRExx.dll or something like that.

>===== Original Message From Robert Olson <olson at mcs.anl.gov> =====
>If you send me your client logfile:
>\Documents and Settings\<user>\Application Data\AccessGrid\venueclient.log
>I'll take a look and see what I can see. If you moved things around in the
>certRepo dir you've likely caused problems, yes. If you did that, remove
>the certRepo dir and try the import again.
>At 02:36 PM 1/30/2004, Darin Oman wrote:
>>I get this error when I try to import a certificate on a Windows machine.
>>The cert has been exported from Linux. I tried moving various certs and
>>.pem files around, so I probably screwed things up even worse, but I still
>>get the same error. Any ideas?

Don Lewis
Senior Computer Specialist
Graduate Institute of Technology
ETAS 335A, 2801 South University Avenue
University of Arkansas at Little Rock 72204
(501) 569-8016 fax: (501) 569-8039
djlewis at ualr.edu
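A triage script for the check the post asks for, added here as an example and not part of the original message or the list: it walks a SYSTEM32 folder and reports the NNP folder, numbered subfolders under MUI, and EXPIRExx.dll files inside them. The exact DLL name pattern is an assumption, since the post only says "EXPIRExx.dll or something like that", and the sample tree it scans by default is constructed, not real data.

```python
import re
import tempfile
from pathlib import Path

# Folder names are taken from the post. The DLL pattern is an assumption:
# the post only gives "EXPIRExx.dll or something like that".
SUSPECT_DIRS = {"NNP", "MUI"}
EXPIRE_DLL = re.compile(r"^EXPIRE\d+\.dll$", re.IGNORECASE)
NUMBERED_DIR = re.compile(r"^\d+$")


def scan_system32(system32):
    """Return (kind, relative_path) leads found under a SYSTEM32 folder.

    A hit is a lead to investigate (who created it, when, which process
    uses it), not proof of compromise on its own.
    """
    root = Path(system32)
    findings = []
    for entry in sorted(root.iterdir()):
        # Windows file names are case-insensitive, so compare upper-cased.
        if not (entry.is_dir() and entry.name.upper() in SUSPECT_DIRS):
            continue
        findings.append(("suspect-dir", entry.relative_to(root).as_posix()))
        if entry.name.upper() != "MUI":
            continue
        # The post describes MUI holding numbered folders of EXPIRExx.dll files.
        for sub in sorted(entry.iterdir()):
            if not (sub.is_dir() and NUMBERED_DIR.match(sub.name)):
                continue
            findings.append(("numbered-subdir", sub.relative_to(root).as_posix()))
            for dll in sorted(sub.iterdir()):
                if dll.is_file() and EXPIRE_DLL.match(dll.name):
                    findings.append(("expire-dll", dll.relative_to(root).as_posix()))
    return findings


def scan_constructed_sample():
    """Build a throwaway tree mimicking the post's description, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()                       # ordinary folder, ignored
        (root / "NNP").mkdir()
        (root / "MUI" / "0001").mkdir(parents=True)      # numbered subfolder
        (root / "MUI" / "0001" / "EXPIRE01.dll").write_bytes(b"")
        (root / "MUI" / "0001" / "EXPIRE02.dll").write_bytes(b"")
        (root / "MUI" / "0001" / "readme.txt").write_bytes(b"")
        (root / "MUI" / "help").mkdir()                  # not numbered, ignored
        return scan_system32(root)


if __name__ == "__main__":
    import sys
    hits = scan_system32(sys.argv[1]) if len(sys.argv) > 1 else scan_constructed_sample()
    for kind, path in hits:
        print(f"{kind:16} {path}")
```

Run it with the real path (e.g. `C:\WINNT\SYSTEM32`) as the first argument; with no argument it scans the constructed sample.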
