From: se_cur_ity at (morning_wood)
Subject: rpc/dcom -- de ja vu?

----- Original Message ----- 
From: "Shanphen Dawa" <>
To: <>
Sent: Sunday, August 03, 2003 1:29 AM
Subject: Re: [Full-Disclosure] rpc/dcom -- de ja vu?

> .bat files!! must be dat hax0r morning_w00d

I almost would think so too, with tftpd32.exe at that yet! But I hate radmin
and DDoS mIRC crap, so it's not me...
Reminds me of gg.bat though, that was of Brazilian descent if I recall. And
it's not the sdbot that was "proc32.exe".
It looks quite amateurish at best, not even renaming, combining or
compressing files, etc. to avoid detection.
Using dcom32.exe with the cygwin1.dll as a remote autohacker is very sloppy
as well; an easy way to catch it would be to signature the binary of dcom, as I
hope most AV products catch radmin. (I don't have AV in the house; been
off the stuff for a while now.)
But I do believe many "commercial" and other remote tools are not flagged
by AV products because of their "commerciality",
thus they become the base for the sloppy remote / rootkit / autohacking crap
that you see here.

morning_wood  - the .bat n xss King, yea baby


> >
> > tftpd32.exe   < trivial ftp daemon
> > rpc.exe   < ?
> > r_server.exe   < radmin server
> > raddrv.dll    < include dll for radmin
> > AdmDll.dll    < include dll for radmin
> > rad.bat     < 1337 h4x0r b47ch file
> > rpc.bat     < another 1337 h4x0r b47ch file
> > cygwin1.dll    < duh
> > DCOM32.exe    < exploit
> > NC.exe     < netcat
> >
> > I first saw this on my friend's computer ... I assumed it was just a guy
> > with some spare time screwing around ... however, I have observed this on
> > one of my client's computers as well.
> >
> > -- Justin
