lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: uberguidoz at gmail.com (GuidoZ)
Subject: KIT.GED

Hello Raoul!

It might of been due to something ELSE running on your server. What
other services/ports are open? (SSH, Telnet, SMTP, VNC, etc) It's
possible another protocol or service was exploited, allowing access.
(Then might of just upped the kit for later retrieval from a malware
infection or something.)

Leaving it up there, then monitoring the traffic to it could prove to
be useful. I'd also highly advise looking through log files and the
event viewer for anything out of the ordinary, or related whatsoever.
Judging from the files contained in the kit, it looks like they were
preparing to cover their tracks if necessary.

If you'd like to send a copy of it my way, I'd be happy to peek at it
and see if anything else becomes obvious. You may send it to my virus
catch all - guidoz _AT guidoz _DOT_ com (Make the subject meaningful,
like "Rootkit from FD as requested" or something. Otherwise I'll skip
right over it thinking it's spam.) Will email you directly with any
results.

--
Peace. ~G


On Fri, 17 Dec 2004 11:33:25 +0300, Raoul Nakhmanson-Kulish
<raoul@...orsoft.com> wrote:
> Hello, all!
> 
> On one of our IIS servers (W2K fully patched, IIS Lockdown tool is
> installed) I have found in WWW root directory a file named KIT.GED and
> having size 834552 bytes.
> 
> This is a RAR-packed self-executable containing these files:
> 
> 01.03.2004  18:16               10240 caclsENG.exe
> 18.01.2004  19:33               53760 carun.dll
> 24.06.2004  00:58                8609 carun.ocx
> 19.02.2004  01:15                 498 change.txt
> 24.06.2004  00:59               11780 chkdrv.vxd
> 24.06.2004  01:06               24646 install.cmd
> 01.03.2004  16:33                 356 logoff.txt
> 01.03.2004  16:32                1234 logon.txt
> 16.03.2004  02:34                5119 settimedate.exe
> 23.06.2004  23:02              800256 tskman.exe
> 
> Seems that this is a backdoor kit. Fortunately, it wasn't installed on
> this webserver and on any server in our network
> 
> But how can somebody put this file in WWW root? What should we do to
> prevent it for future?
> 
> Of course, I'll send this file or any listed above if required.
> 
> --
> Best regards,
> Raoul Nakhmanson-Kulish
> Elfor Soft Ltd.,
> ERP Department
> http://www.elforsoft.ru/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists