[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040204135046.2BEED2A83BB@mail22-red.bigfish.com>
Date: Wed, 4 Feb 2004 08:50:38 -0500
From: "James C Slora Jr" <Jim.Slora@...a.com>
To: "'Chuck Rock'" <carock@...usa.com>, <bugtraq@...urityfocus.com>
Subject: RE: CoDeX-W0rm - what happened here?
Chuck Rock wrote Sunday, February 01, 2004 15:09
> One of my stupid Windows servers has been hacked, and was
> running Serv-U FTP with a login message of "This Pubstro
> Hacked By Mediax!"
The quote is probably the sig of the crew or person running the Pubstro
(duh).
> I found what Pubstro's are, but when searching through the
> files in the Serv-U folder, I found this in the install.log
>
> CoDeX-W0rm has infiltrated the system succesfully!
This is often the sig of a customized worm function that ran the initial
infection. Script kiddies often take standard kits, modify a few things, and
insert their own credit line. The modified kits are often intended to evade
anti-virus detection.
> I did a search on Yahoo and SecurityFocus, and could not find
> any results for this.
>
> Does anyone have any idea what this worm is, or with the info
> I've given you, how they got into my system. This happened
> around Dec 27th 2003, and I just found it :-(
The worm sounds like a component of a botnet - but you will have to do some
more forensics to find out. Botnets can use any means at all to spread
themselves, but very common methods are password guessing, RPC exploits, and
IIS attacks. Check your exposure on that server and examine your logs to see
if you might be (or have been) vulnerable to one of those methods.
There are zillions (an unspecified large number) of variations of at least
dozens of basic botnet kits that script kiddies can use. Once your system
has been owned by the worm component of the botnet, you will often find an
IRC control channel client such as a renamed mIRC. The IRC client's
configuration file often contains the worm component as well if you can
decipher the code. Other common components are keyloggers, proxies.
A system compromised that long is likely to have a virtual treasure trove of
malware on it, and it may be too late to figure out what came in first. Your
logs (firewall, system, router, etc) and your current risk exposure are good
places to start, though.
Anti-virus companies have been good about adding protection against known
variations of botnets. Consider submitting as much of the hostile software
as you can find to your favorite vendors. At a minimum include the IRC
scripts if they exist.
Powered by blists - more mailing lists