Message-ID: <200412172241849.SM02028@void>
From: thalm at void.my-bulldog.com (Tiago Halm)
Subject: KIT.GED
Use IISShield to prevent scenarios like the one you've described.
http://www.kodeit.org/products/iisshield/default.htm
Tiago Halm
KodeIT Development Team
http://www.kodeit.org
-----Original Message-----
From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Raoul Nakhmanson-Kulish
Sent: Friday, 17 December 2004 8:33
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] KIT.GED
Hello, all!
On one of our IIS servers (W2K fully patched, IIS Lockdown tool is
installed) I have found in WWW root directory a file named KIT.GED and
having size 834552 bytes.
This is a RAR-packed self-executable containing these files:
01.03.2004 18:16 10240 caclsENG.exe
18.01.2004 19:33 53760 carun.dll
24.06.2004 00:58 8609 carun.ocx
19.02.2004 01:15 498 change.txt
24.06.2004 00:59 11780 chkdrv.vxd
24.06.2004 01:06 24646 install.cmd
01.03.2004 16:33 356 logoff.txt
01.03.2004 16:32 1234 logon.txt
16.03.2004 02:34 5119 settimedate.exe
23.06.2004 23:02 800256 tskman.exe
Seems that this is a backdoor kit. Fortunately, it wasn't installed on
this webserver or on any server in our network.
But how can somebody put this file in the WWW root? What should we do to
prevent it in future?
Of course, I'll send this file or any listed above if required.
--
Best regards,
Raoul Nakhmanson-Kulish
Elfor Soft Ltd.,
ERP Department
http://www.elforsoft.ru/
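A defender-side check for the question above, added here as an example and not part of the thread: it baselines the web root by hash and then flags new or modified files, classifying them by content signature rather than by extension, so a renamed RAR self-extractor like KIT.GED is reported even though ".GED" tells you nothing. The demo directory and the KIT.GED-shaped bytes are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Content signatures, checked regardless of extension: KIT.GED carried no telling one.
RAR_MAGIC = b"Rar!\x1a\x07"  # RAR marker block (followed by \x00 in RAR 1.5-4, \x01\x00 in RAR 5)
MZ_MAGIC = b"MZ"             # DOS/PE executable header; a RAR self-extracting archive is one

def classify(path: Path) -> str:
    """Classify a file by its bytes: 'rar', 'rar-sfx', 'pe' or 'other'."""
    data = path.read_bytes()
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(MZ_MAGIC):
        # An SFX is a PE stub with the archive appended, so the RAR marker appears in the body.
        return "rar-sfx" if RAR_MAGIC in data else "pe"
    return "other"

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict:
    """Hash every file under the web root while it is in a known-good state."""
    return {str(p.relative_to(root)): sha256(p) for p in root.rglob("*") if p.is_file()}

def audit_webroot(root: Path, baseline: dict) -> list:
    """Return (relative path, reason, content type) for new, modified or binary/archive files."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel, kind = str(p.relative_to(root)), classify(p)
        if rel not in baseline:
            reason = "new"
        elif baseline[rel] != sha256(p):
            reason = "modified"
        elif kind != "other":
            reason = "baselined-binary"  # known, but still worth a second look in a web root
        else:
            continue
        findings.append((rel, reason, kind))
    return findings

def demo() -> list:
    """Constructed scenario: a clean web root, then a dropped SFX-shaped file."""
    root = Path(tempfile.mkdtemp())
    (root / "default.htm").write_text("<html>hello</html>")
    baseline = build_baseline(root)
    # Constructed stand-in for KIT.GED: PE stub bytes followed by an appended RAR marker.
    (root / "KIT.GED").write_bytes(MZ_MAGIC + b"\x90" * 1024 + RAR_MAGIC + b"\x00" * 65)
    return audit_webroot(root, baseline)
```

Run the audit from a scheduled task against a baseline stored off the web server; a hit on "new" with type "rar-sfx" or "pe" in a static content directory is the kind of finding the original post describes.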
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
---
[This E-mail has been scanned for viruses but it is your responsibility
to maintain up to date anti virus software on the device that you are
currently using to read this email. ]