Home page logo
/

basics logo Security Basics mailing list archives

RE: forcdos.exe, msagent directory, DOS or warez??
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 8 Dec 2003 15:25:20 +0100

PS: here is a thread about it:
http://hiveminds.info/phpBB/viewtopic.php?t=1803&postdays=0&postorder=asc&st
art=0&sid=fe36e424a21547d6c7e8fd13eb1ff704

I understand now about not being able to access the machine. The only thing
that occurs to me directly to access the file would be to boot into linux,
which would be very difficult considering you have no local access.

Chris Meidinger

-----Original Message-----
From: Craig Broad [mailto:craig () broadband-computers com]
Sent: Friday, December 05, 2003 12:53 AM
To: security-basics () securityfocus com
Subject: forcdos.exe, msagent directory, DOS or warez??


Hi all,

on a box recently moved to a managed network rack (GX networks), over the
last 2 weeks we have noticed strange behaviour.  One of the box's on the
subnet has been maxing out the link's bandwidth, on further investigation,
massive activity was found on ports 63501, 63502, 1734 and other high range
ports.  The behaviour was at least 8 hours of fully limiting output, and
then up to 8 hours of normal level operation and then a return to full
output.  at least ever 3 cycles, there would be a upload to the server at a
limit of abt 512kbps.

using a sniffer (netprobe) the ports were identified, and using fport these
were all linked to a executable called forcdos.exe.  i have searched all
search engines, and have seen not one single link, so i'm assuming it's
something else renamed.  The files has been placed in
C:\winnt\system32\msagent\local\com1\server directory.  We are assuming at
this time it has come in via some SQL exploit.  it look's as a full backdoor
access has been achieved.  Due to the non-local nature of the box, and the
com1 directory name, we have crrently been unable to access the directory to
retrieve the exe file.

The box has been locked down with the windows inbuilt firewall, locking all
tcpip ports not needed.  the exe is still running within the computer, but
is currently unable to get out of the box.

Firstly does anyone have any advice on how to get to this exe file?  I dont
want to just posix rd it, as i want to see the file first, and secondly does
anyone have any idea what this could be?  DOS or Warez?

many thanks for any advice.  if anyone can suggest how to get to the file,
we will make it available for analysis.

-----------
Craig Broad


---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]